search
Ctrlk

Configuring the Approval Duration

When a user is granted access to a protected resource — whether through MFA verification, a written justification, or an approver — Keeper EPM automatically manages the lifetime of that access. Several different durations are at play, and this page explains each one, what it controls, and how to change it.

hashtag
Duration Settings at a Glance

Setting
Default
What it controls
How to change

DurationMinutes (in GrantFileAccess job)

240 min (4 hrs)

How long approval-gated file access lasts

Update Jobs policy

DurationMinutes (in LaunchFileAccess job)

240 min (4 hrs)

How long MFA or justification-gated file access lasts

Update Jobs policy

approvalExpirationHours (keeperAgent plugin)

72 hrs

How long a pending approval request is valid before it expires

Update Settings policy

approvedRequestExpirationHours (keeperAgent plugin)

24 hrs

How long a granted approval can still be launched after it is approved

Update Settings policy

A note on MFA access duration: MFA is a gate — once the user passes it, the resulting file access window is governed by the same DurationMinutes setting as any other control type. There is no separate "MFA duration" setting; you adjust DurationMinutes in the LaunchFileAccess job to change how long MFA-verified file access lasts.

hashtag
Understanding the Two File Access Jobs

File access can be granted through two different jobs depending on how the control is satisfied:

  • LaunchFileAccess — runs when a user satisfies an MFA or Justification control interactively. The DurationMinutes parameter in this job controls how long that session lasts.

  • GrantFileAccess — runs when an approver grants a request (the Approval control). The DurationMinutes parameter in this job controls how long the granted window lasts.

Both default to 240 minutes (4 hours). You can set them to different values if, for example, you want MFA-verified sessions to last 8 hours but approval-granted sessions to last only 2.

hashtag
Part 1 – Changing the MFA / Justification File Access Duration

This configures DurationMinutes in the LaunchFileAccess job — the job that runs when a user satisfies an MFA or Justification control.

1

Navigate to Policies

In the Keeper Admin Console, go to Endpoint Privilege Manager → Policies and click Create Policy.

2

Fill in Basic Details

  • Policy Name — Something descriptive, such as File Access Duration – MFA (8 Hours)

  • Policy Type — Select any available type as a starting template (for example, Privilege Elevation)

  • Status — Set to Monitor to start; switch to Enforce once confirmed

  • Click Add Control and select at least one control, then set your User Groups and Machines targeting

3

Open Advanced Mode

At the bottom-left of the policy form, click the Advanced Mode link to open the JSON editor.

4

Replace the Policy JSON

Paste the following, replacing YOUR_DURATION_IN_MINUTES with your desired value (for example, 480 for 8 hours):

{
  "PolicyName": "File Access Duration – MFA (Custom)",
  "PolicyType": "JobUpdate",
  "Status": "on",
  "Extension": {
    "JobId": "LaunchFileAccess",
    "Action": "Update",
    "JobJson": "{\"id\":\"LaunchFileAccess\",\"name\":\"Launch File Access\",\"description\":\"Launches file access with a custom MFA/justification duration.\",\"enabled\":true,\"events\":[\"LaunchFileAccess\"],\"parameters\":[{\"name\":\"DurationMinutes\",\"type\":\"Number\",\"default\":YOUR_DURATION_IN_MINUTES}],\"tasks\":[{\"id\":\"grant-file-access\",\"executionType\":\"HTTP\",\"url\":\"/api/fileaccess/grant\",\"method\":\"POST\",\"body\":\"{\\\"filePath\\\":\\\"{FilePath}\\\",\\\"userIdentifier\\\":\\\"{UserIdentifier}\\\",\\\"userName\\\":\\\"{UserName}\\\",\\\"policyUid\\\":\\\"{PolicyUid}\\\",\\\"requestId\\\":\\\"{RequestId}\\\",\\\"durationMinutes\\\":{DurationMinutes}}\"}]}"
  }
}
5

Save & Deploy

Click Save. The updated job will be pushed to all targeted endpoints within approximately 30 minutes, or sooner if users trigger a Refresh Policies from the Keeper Agent system tray icon.

hashtag
Part 2 – Changing the Approval-Gated File Access Duration

This configures DurationMinutes in the GrantFileAccess job — the job that runs when an approver grants a file access request.

Follow the same steps as Part 1, but use GrantFileAccess as the JobId in your JSON:

hashtag
Part 3 – Changing the Pending Approval Expiration

When a user submits a request for approval, that request is pending until an approver acts on it. If no action is taken within the configured window, the request automatically expires and the user must submit a new one.

This is controlled by the approvalExpirationHours setting in the keeperAgent plugin, using an Update Settings policy.

1

Navigate to Policies

Go to Endpoint Privilege Manager → Policies and click Create Policy.

2

Fill in Basic Details

  • Policy Name — For example, Approval Request Expiration – 48 Hours

  • Policy Type — Select any available type as a starting template

  • Status — Start with Monitor, then switch to Enforce

  • Add a control and set targeting as appropriate

3

Open Advanced Mode

Click the Advanced Mode link at the bottom-left.

4

Replace the Policy JSON

Replace YOUR_HOURS with the number of hours you want pending requests to remain valid (for example, 48). You can also adjust approvedRequestExpirationHours and historyRetentionDays at the same time — see the reference table below.

Important: The SettingsJson value replaces the entire keeperAgent plugin configuration. Include all settings you want, not just the one you are changing. The values shown above are the defaults for settings you are not modifying.

5

Save & Deploy

Click Save. The updated settings will be pushed to in-scope endpoints within approximately 30 minutes.

hashtag
Part 4 – Changing the Approved Request Launch Window

Once an approver grants a request, the user receives a notification and can launch the approved action from the Keeper Agent. The approvedRequestExpirationHours setting controls how long that window stays open — if the user does not launch it in time, the approval lapses and a new request must be submitted.

Follow the same steps as Part 3, adjusting the approvedRequestExpirationHours value in the SettingsJson. For example, to extend the launch window to 48 hours:

hashtag
References

hashtag
Duration Reference Table

Value
Minutes
Hours

60

60 min

1 hour

120

120 min

2 hours

240

240 min

4 hours (default for file access)

480

480 min

8 hours

1440

1440 min

24 hours

hashtag
For approval expiration (in hours):

Value
Duration

24

1 day

48

2 days

72

3 days (default for pending requests)

168

7 days

What about active grants? Changing any of these settings does not affect grants or approval windows that are already in progress. The new values apply only to new requests and grants created after the updated configuration reaches the endpoint.

PreviousBackup & RestoreNextCrowdstrike Running Job

Last updated

Was this helpful?