What is a Safe?
A Safe is the object in VaultPAM that grants access. It binds together four things:
- Who — a list of member users and groups.
- Which Resource — the target the session is brokered to (an RDP server, SSH host, database, web console).
- Which Account Binding — the credential that gets injected at session launch.
- Under what policy — approval required? recording on? clipboard allowed? MFA step-up?
Why the Safe abstraction exists
Legacy approaches bind credentials to users directly ("Alice has the root password"). This makes offboarding painful, rotation painful, and audit vague. With a Safe:
- Alice never sees the credential — it is injected at the proxy.
- Removing Alice from the Safe revokes her access immediately.
- Rotating the credential affects every session uniformly.
- Every access is audited at the Safe level, not scattered across OS event logs.
Mental model
┌──────────┐     ┌──────────┐     ┌──────────────┐
│ Members  │ ──► │   Safe   │ ──► │   Resource   │
└──────────┘     │  policy  │     │  (RDP / SSH  │
                 │ approval │     │   / HTTP)    │
                 │ recording│     └──────────────┘
                 └────┬─────┘              ▲
                      │                    │ credential
                      ▼                    │ injected by
                 ┌──────────┐              │ the proxy
                 │ Account  │──────────────┘
                 │ binding  │
                 └──────────┘
Policy dimensions
Each Safe can set:
- Approval — none / single approver / two-approver ("four eyes").
- Recording — on / off (on by default; strongly recommended for privileged targets).
- Clipboard & file transfer — allowed / blocked / audited-only.
- MFA step-up — require step-up at session launch even if the user is already authenticated.
- Session TTL — maximum duration.
- Valid hours — time windows when the Safe is usable.
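
To make the policy dimensions concrete, the following added example (not VaultPAM code, schema or API) models a Safe and the checks a broker would run at session launch. All class, field and function names, the sample host and binding reference, and the rule that a requester cannot approve their own request are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

@dataclass(frozen=True)
class Safe:                       # hypothetical model, not VaultPAM's schema
    members: frozenset            # who: user and group names
    resource: str                 # which target the session is brokered to
    account_binding: str          # reference to the credential, never the secret
    approvers_required: int = 0   # 0 = none, 1 = single, 2 = "four eyes"
    recording: bool = True        # on by default
    mfa_step_up: bool = False
    session_ttl: timedelta = timedelta(hours=1)
    valid_hours: tuple = (time(0, 0), time(23, 59, 59))

@dataclass(frozen=True)
class LaunchRequest:
    user: str
    groups: frozenset
    approvals: frozenset          # names of approvers who signed off
    stepped_up: bool              # fresh MFA completed for this launch
    at: datetime

def evaluate(safe: Safe, req: LaunchRequest):
    """Return (allowed, reason, session); every failed check denies."""
    if not ({req.user} | req.groups) & safe.members:
        return False, "not a member", None
    start, end = safe.valid_hours
    now = req.at.time()
    in_window = start <= now <= end if start <= end else (now >= start or now <= end)
    if not in_window:
        return False, "outside valid hours", None
    # Assumption: a requester's own sign-off does not count as an approval.
    if len(req.approvals - {req.user}) < safe.approvers_required:
        return False, "approval pending", None
    if safe.mfa_step_up and not req.stepped_up:
        return False, "MFA step-up required", None
    # The requester receives no secret: only the proxy resolves the binding.
    session = {"resource": safe.resource, "inject": safe.account_binding,
               "record": safe.recording, "expires": req.at + safe.session_ttl}
    return True, "ok", session

# Constructed sample: a two-approver Safe for a database host.
DB_SAFE = Safe(members=frozenset({"dba-team"}),
               resource="ssh://db01.example.internal",
               account_binding="binding/db01-root", approvers_required=2,
               mfa_step_up=True, session_ttl=timedelta(minutes=30),
               valid_hours=(time(8, 0), time(18, 0)))
```

Because membership is checked on every launch, dropping a user from the member list denies the next request without touching the credential itself.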