Time-Limited Access with Automated Credential Rotation

Grant time-bounded access to resources with credentials that are automatically rotated when access expires.

Overview

Time-limited access allows administrators to share a PAM resource with a user for a defined period. When the access window expires, the user's access is removed and credentials are automatically rotated, ensuring they cannot be reused. All credential changes are recorded in a complete audit trail.

This approach ensures that every access window has a unique set of credentials, protecting against credential theft and maintaining compliance with credential rotation requirements.

Key Features:

  • Automated credential rotation on demand or on a schedule

  • Time-limited access window for authorized users

  • Integration with password rotation policies

  • Complete audit trail of credential changes

Configuration

To provide time-limited access to a PAM User Record Type:

  1. Open the PAM User Record type from the vault

  2. Click on the Sharing button

  3. Add the user as a share recipient, click on the share permissions dropdown and select Set Expiration.

  4. The following fields are configurable:

| Field | Description |
|---|---|
| Expiration | The duration of access granted to the user. |
| Access Expires | Displays the date and time when access will be revoked. |
| Rotate password upon expiration | When enabled, the credential is automatically rotated when the access window expires, ensuring it cannot be reused. |
| When access expires send an email to | Optionally sends an email notification when access expires. Can be configured to notify the record owner or another recipient. |

  5. Select the expiration time and enable "Rotate password upon expiration".
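One way to check that the configuration above behaves as described, as an added example that is not part of the original page or the product: it reconciles time-limited shares against audit events and flags shares set up without rotation, and expired windows with no access-removal or rotation event after expiry. The record layout, the event names `share_removed` and `credential_rotated`, and the 15-minute grace period are assumptions made for this example, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field and event names are assumptions for this
# example, not an export format defined by the product.
SHARES = [
    {"record": "db-admin", "user": "alice", "expires": "2024-05-01T12:00:00+00:00", "rotate": True},
    {"record": "web-root", "user": "bob", "expires": "2024-05-01T13:00:00+00:00", "rotate": True},
    {"record": "backup-svc", "user": "carol", "expires": "2024-05-01T14:00:00+00:00", "rotate": False},
    {"record": "ci-deploy", "user": "dave", "expires": "2024-05-03T09:00:00+00:00", "rotate": True},
]
AUDIT = [
    {"record": "db-admin", "event": "share_removed", "time": "2024-05-01T12:00:05+00:00"},
    {"record": "db-admin", "event": "credential_rotated", "time": "2024-05-01T12:00:40+00:00"},
    {"record": "web-root", "event": "share_removed", "time": "2024-05-01T13:00:03+00:00"},
    # A rotation that happened before the window closed does not count.
    {"record": "web-root", "event": "credential_rotated", "time": "2024-04-30T08:00:00+00:00"},
    {"record": "backup-svc", "event": "share_removed", "time": "2024-05-01T14:00:02+00:00"},
]


def seen_after(audit, record, event, cutoff):
    """True if the audit trail holds `event` for `record` at or after `cutoff`."""
    return any(
        e["record"] == record and e["event"] == event
        and datetime.fromisoformat(e["time"]) >= cutoff
        for e in audit
    )


def find_gaps(shares, audit, now, grace=timedelta(minutes=15)):
    """Return (record, user, reason) for every share that needs follow-up."""
    findings = []
    for s in shares:
        expires = datetime.fromisoformat(s["expires"])
        if not s["rotate"]:
            # The credential stays valid after the window closes.
            findings.append((s["record"], s["user"], "rotation disabled"))
        if now < expires + grace:
            continue  # window still open, or expiry is too recent to judge
        required = ["share_removed"] + (["credential_rotated"] if s["rotate"] else [])
        for event in required:
            if not seen_after(audit, s["record"], event, expires):
                findings.append((s["record"], s["user"], f"no {event} after expiry"))
    return findings


if __name__ == "__main__":
    for finding in find_gaps(SHARES, AUDIT, datetime.fromisoformat("2024-05-02T00:00:00+00:00")):
        print(finding)
```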

For more information see:
