Version: latest

Add a Safe

A Safe is the access object in VaultPAM. It binds three things: (1) which Resource is being accessed, (2) which credential is injected, (3) who may use it and under what policy.

Before you begin

  • The Resource you want to gate is already registered (see Add your first resource).
  • You have (or will create) a credential to inject: a static password, a JIT-rotated credential from OpenBao, or an SSH keypair already stored in Vault.

Steps

  1. Open Safes → Add Safe from the sidebar.
  2. Under Resource, pick the registered target the Safe will protect.
  3. Under Credential, either pick an existing Account Binding or create a new one:
    • Static — VaultPAM stores the password encrypted.
    • JIT-rotated — VaultPAM asks OpenBao to generate and rotate the password at session launch.
    • SSH key — a public key is pushed to the target; the private key stays in Vault.
  4. Under Members, pick the users or groups who may use the Safe. You can mix individual users and Entra/AD groups.
  5. Under Policy, pick an existing policy template or leave the defaults:
    • Approval required / not required.
    • Recording on / off (default on).
    • Clipboard allowed / blocked (default blocked for privileged targets).
    • MFA step-up at session launch.
  6. Review and click Create Safe.

The Safe appears in the Safes list immediately. Members get a notification that they now have access.