Time-Limited Access

Time-Limited Access allows you to securely share records, folders and PAM resources with other Keeper users on a temporary basis.

Overview

Time-Limited Access allows you to securely share credentials, secrets or PAM Resources like machines, databases and directories - with other Keeper users on a temporary basis, automatically revoking access at a specified time. Time-Limited Access prevents long standing privileges and ensures that information is removed from the recipient’s vault, greatly reducing the risk of unauthorized access.

Time-Limited Access

Key Benefits

  • Revoked access at a specified time designated by the record owner, minimizing the workload on the owner to remove the share at a later time.

  • Enhances security as traditional short term sharing has been done in insecure ways like using sticky notes, text messages or instant messengers.

  • Simplified compliance with event tracking on all sharing activity, ensuring least privilege access is maintained.

  • When paired with KeeperPAM or Keeper Secrets Manager (KSM) automatic service account rotation capabilities, users can schedule rotation of the shared credential upon the expiration of access, ensuring the recipient never has standing privilege

Share a Record

Select the record from your vault and click Share, entering their email address or selecting it from your contacts list. Set their permission level and click Add.

Share a Record
Add User and Set Permissions

Select the “Permissions” dropdown and click Set Expiration. Here you can select one of the default expirations or click custom date and time to set your own. Next, check the box if you would like the record owner, such as yourself, or users with edit access to be notified via email when the recipient's record access expires. Click Done to save.

Permissions and Option to Add Expiration
Set Expiration and Email Notification
Access Expiration Applied to User

The recipient of a shared record with time-limited access may have "view" and "edit" permissions but will not be able to share the record. If "share" permissions are applied, the expiration will be removed.

Share a Folder

Open the shared folder from your vault and click the edit icon and from the “Users” tab, add the user or team you would like to share the folder with.

Edit Shared Folder

Set their permissions and from the dropdown menu click Set Expiration, following the same steps you would for a single record share (described above).

Permissions and Option to Add Expiration

Next, check the box if you would like users with "can manage records" permissions over the folder to be notified via email when the recipient's record access expires. Click Done to save.

Set Expiration and Email Notification

The recipient of a shared folder with time-limited access may have "can manage records" permissions, but the ability to "manage users" is restricted. If these permissions are applied, the expiration will be removed.

Sharing PAM Resources

When sharing access to PAM Resources (such as a Windows or Linux server), privileged sessions can be established to the target resource, without access to the credentials. When access is revoked, the session is terminated and session logs are created for the administrator.

KeeperPAM time-limited sessions

For more information about PAM sessions and permissions, see the KeeperPAM documentation.

PreviousShare AdminNextSelf-Destructing Records

Last updated

Was this helpful?