docs/documentation/platform/pam/templates/overview.mdx
Templates define how accounts behave when someone connects — session duration limits, MFA requirements, which Gateway to use, where to store session recordings, and more.
Every account requires a template. When you create an account, you select a template, and the account inherits everything from it. Change the template later, and every account using it updates automatically.
Infisical provides default templates for each account type with sensible defaults, so you can start adding accounts right away. Create custom templates when you need different rules — for example, stricter session limits for production or a specific Gateway for a network segment.
When you first use PAM, default templates are available for each account type (PostgreSQL, MySQL, MS SQL, MongoDB, SSH, Kubernetes, AWS IAM, Windows, Windows AD). Each has sensible defaults like 1-hour session duration.
If the defaults work for you, you can skip straight to adding accounts.
If you need different rules — say, 4-hour sessions with MFA for production — create a custom template.
<Steps> <Step title="Navigate to Account Templates"> Go to **Privileged Access Management → Account Templates** and click **Create Template**. </Step> <Step title="Set the basics"> | Field | Description | |-------|-------------| | **Name** | A descriptive name (e.g., `prod-postgres`) | | **Type** | The account type (PostgreSQL, MySQL, SSH, etc.) | | **Description** | Optional context about when to use this template | </Step> <Step title="Configure policies"> | Option | What it does | |--------|--------------| | **Require MFA** | Users must re-authenticate with MFA before connecting | | **Require Reason** | Users must provide a reason before connecting | | **Max Session Duration** | How long someone can stay connected (in seconds) | | **Command Blocking** | Regex patterns for commands to reject (one per line). Currently SSH only. | </Step> <Step title="Configure system settings"> | Option | What it does | |--------|--------------| | **Gateway** | Default Gateway for connections (can be overridden per account) | | **Storage Backend** | Where to store session recordings (internal or your S3 bucket) | | **Session Log Masking** | Regex patterns for content to mask in recordings (one per line) | </Step> <Step title="Save"> Click **Create**. The template is now available when adding accounts. </Step> </Steps>Every account references a template. The account inherits everything from that template — session limits, MFA requirements, Gateway, recording storage, and so on.
This means you can:
Some options like Gateway can be overridden at the account level when needed.
With templates set up, you're ready to add accounts to your folders.
<CardGroup cols={2}> <Card title="PostgreSQL Accounts" icon="database" href="/documentation/platform/pam/accounts/postgresql"> Add PostgreSQL database accounts. </Card> <Card title="SSH Accounts" icon="terminal" href="/documentation/platform/pam/accounts/ssh"> Add SSH server accounts. </Card> </CardGroup>