# PAM Resource Sharing

## Managing PAM Resources with Sharing

### Overview

Keeper Vault uses Shared Folders as the access control mechanism for all KeeperPAM-managed resources. These PAM resources can be organized within shared folders in the same way as standard Keeper records.

*A significant advantage of the KeeperPAM architecture is that it enables resource access sharing without revealing the actual credentials to users. This zero-knowledge approach maintains security while providing necessary access.*

### Types of PAM Resources

Shared Folders can contain various types of PAM resources:

* **PAM Machine** - For server and endpoint connections
* **PAM Database** - For database system access
* **PAM Directory** - For directory service management
* **PAM Remote Browser** - For secure web application access
* **PAM User** - For service credential management

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2FqMs8oG4DDWuYXkcnq85Y%2FScreenshot%202025-03-21%20at%2010.05.20%E2%80%AFAM.png?alt=media&#x26;token=2a83e08c-eac3-4a52-b5d5-6f1ae8ee2595" alt=""><figcaption><p>Sharing a PAM Resource</p></figcaption></figure>

The share recipient can then initiate a zero-trust privileged session to the target system, without having access to the underlying credentials.

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2FTFp0oLR0kjRfIo9h6H2u%2FScreenshot%202025-03-21%20at%2010.11.46%E2%80%AFAM.png?alt=media&#x26;token=d0f403f6-321c-4e11-98c8-f0c4012e699d" alt=""><figcaption><p>Opening a Privileged Session to a Shared Resource</p></figcaption></figure>

### Implementing Least Privilege

For optimal security through least privilege principles, we suggest maintaining PAM Users in a dedicated shared folder separate from other resources. This separation helps limit access to sensitive underlying credentials.

The recommended configuration includes:

1. A shared folder for infrastructure components (Machines, Databases, etc.)
2. A separate shared folder specifically for PAM User credentials

When you utilize Keeper's [Quick Start Sandbox](/keeperpam/privileged-access-manager/quick-start-sandbox.md) or Gateway wizard, this separation happens automatically, establishing the recommended security structure from the beginning.
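One way to check an existing folder layout against this recommendation, as an added example that is not Keeper's own code. The inventory structure, folder names, and users are constructed for illustration, and `credential_admins` is a hypothetical allow-list of people expected to reach PAM User records.

```python
# Added example: the inventory layout below is constructed for illustration and
# is not a Keeper export format or API response.
RESOURCE_TYPES = {"PAM Machine", "PAM Database", "PAM Directory", "PAM Remote Browser"}
CREDENTIAL_TYPE = "PAM User"


def audit_folder_separation(folders, credential_admins):
    """Return sorted findings as (folder, issue, detail) tuples."""
    findings = []
    for name, folder in folders.items():
        types = {rec["type"] for rec in folder["records"]}
        holds_credentials = CREDENTIAL_TYPE in types
        # Check 1: PAM User records share a folder with the resources they unlock.
        mixed = sorted(types & RESOURCE_TYPES)
        if holds_credentials and mixed:
            findings.append((name, "mixed-folder", ", ".join(mixed)))
        # Check 2: someone outside the approved set is a member of a credential folder.
        if holds_credentials:
            for member in sorted(set(folder["members"]) - set(credential_admins)):
                findings.append((name, "unexpected-credential-access", member))
    return sorted(findings)


# Constructed sample inventory (hypothetical folder names and users).
SAMPLE = {
    "Prod - Resources": {
        "members": ["alice@example.com", "bob@example.com"],
        "records": [{"title": "db01", "type": "PAM Database"},
                    {"title": "web01", "type": "PAM Machine"}],
    },
    "Prod - Users": {
        "members": ["alice@example.com"],
        "records": [{"title": "svc-db", "type": "PAM User"}],
    },
    "Legacy": {
        "members": ["alice@example.com", "carol@example.com"],
        "records": [{"title": "old-host", "type": "PAM Machine"},
                    {"title": "old-root", "type": "PAM User"}],
    },
}

if __name__ == "__main__":
    for finding in audit_folder_separation(SAMPLE, {"alice@example.com"}):
        print(*finding, sep=" | ")
```

Only the `Legacy` folder is reported: it mixes a PAM User record with a machine record, and it gives a member outside the allow-list a path to that credential.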

### Security Benefits

This organizational approach provides several advantages:

* Credentials remain protected even when resource access is shared
* Administration is streamlined through the familiar Keeper interface
* Access permissions can be precisely configured at the folder level
* Complete audit trails track all resource access activity
* The system integrates seamlessly with existing Keeper workflows

### For more information:

* [KeeperPAM Overview](https://docs.keeper.io/keeperpam/)
* KeeperPAM [Sharing and Access Control](/keeperpam/privileged-access-manager/getting-started/access-controls.md)


