# PAM Resource Sharing

## Managing PAM Resources with Sharing

### Overview

Keeper Vault uses Shared Folders as the access control mechanism for all KeeperPAM-managed resources. These PAM resources can be organized within shared folders in the same way as standard Keeper records.

*A significant advantage of the KeeperPAM architecture is that it enables resource access sharing without revealing the actual credentials to users. This zero-knowledge approach maintains security while providing necessary access.*

### Types of PAM Resources

Shared Folders can contain various types of PAM resources:

* **PAM Machine** - For server and endpoint connections
* **PAM Database** - For database system access
* **PAM Directory** - For directory service management
* **PAM Remote Browser** - For secure web application access
* **PAM User** - For service credential management

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2FqMs8oG4DDWuYXkcnq85Y%2FScreenshot%202025-03-21%20at%2010.05.20%E2%80%AFAM.png?alt=media&#x26;token=2a83e08c-eac3-4a52-b5d5-6f1ae8ee2595" alt=""><figcaption><p>Sharing a PAM Resource</p></figcaption></figure>

The share recipient can then initiate a zero-trust privileged session to the target system without having access to the underlying credentials.

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2FTFp0oLR0kjRfIo9h6H2u%2FScreenshot%202025-03-21%20at%2010.11.46%E2%80%AFAM.png?alt=media&#x26;token=d0f403f6-321c-4e11-98c8-f0c4012e699d" alt=""><figcaption><p>Opening a Privileged Session to a Shared Resource</p></figcaption></figure>

### Implementing Least Privilege

For optimal security through least privilege principles, we suggest maintaining PAM Users in a dedicated shared folder separate from other resources. This separation helps limit access to sensitive underlying credentials.

The recommended configuration includes:

1. A shared folder for infrastructure components (Machines, Databases, etc.)
2. A separate shared folder specifically for PAM User credentials

When you utilize Keeper's [Quick Start Sandbox](https://docs.keeper.io/keeperpam/privileged-access-manager/quick-start-sandbox) or Gateway wizard, this separation happens automatically, establishing the recommended security structure from the beginning.
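One way to check an existing vault layout against this recommendation is to audit a folder inventory for PAM User records that share a folder with infrastructure resources, or that are visible to more people than intended. This is an added example, not Keeper code: the inventory structure, folder names, record names, and member names are constructed for illustration and do not represent a Keeper export format or API.

```python
# Record type labels follow the names used on this page.
RESOURCE_TYPES = {"PAM Machine", "PAM Database", "PAM Directory", "PAM Remote Browser"}
CREDENTIAL_TYPE = "PAM User"

# Constructed sample inventory (assumed shape): folder -> records and members.
SAMPLE_FOLDERS = {
    "Prod Resources": {
        "records": [("web-01", "PAM Machine"), ("orders-db", "PAM Database")],
        "members": {"alice", "bob", "pam-admin"},
    },
    "Prod Users": {
        "records": [("svc-web", "PAM User"), ("svc-db", "PAM User")],
        "members": {"pam-admin"},
    },
    "Legacy": {
        "records": [("old-host", "PAM Machine"), ("root-old", "PAM User")],
        "members": {"alice", "carol"},
    },
}


def audit_separation(folders, credential_admins):
    """Return findings where the layout departs from the two-folder recommendation."""
    findings = []
    for name, folder in sorted(folders.items()):
        types = {rtype for _, rtype in folder["records"]}
        has_creds = CREDENTIAL_TYPE in types
        has_resources = bool(types & RESOURCE_TYPES)
        # PAM User records stored beside machines or databases are exposed
        # to everyone who only needs session access to those resources.
        if has_creds and has_resources:
            users = sorted(r for r, t in folder["records"] if t == CREDENTIAL_TYPE)
            findings.append(("mixed-folder", name, users))
        # Any folder holding PAM Users should be limited to credential admins.
        if has_creds:
            extra = sorted(folder["members"] - credential_admins)
            if extra:
                findings.append(("broad-credential-access", name, extra))
    return findings


if __name__ == "__main__":
    for kind, folder, detail in audit_separation(SAMPLE_FOLDERS, {"pam-admin"}):
        print(f"{kind}: {folder}: {', '.join(detail)}")
```

In the sample data only the `Legacy` folder is flagged: it mixes a PAM User with a machine, and its members are not in the credential admin set.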

### Security Benefits

This organizational approach provides several advantages:

* Credentials remain protected even when resource access is shared
* Administration is streamlined through the familiar Keeper interface
* Access permissions can be precisely configured at the folder level
* Complete audit trails track all resource access activity
* The system integrates seamlessly with existing Keeper workflows

### For more information:

* [KeeperPAM Overview](https://app.gitbook.com/o/-LO5CAzoigGmCWBUbw9z/s/-MJXOXEifAmpyvNVL1to/)
* KeeperPAM [Sharing and Access Control](https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/access-controls)
