# Time-Limited Access

## Overview Time-Limited Access allows you to securely share credentials, secrets or PAM Resources like machines, databases and directories - with other Keeper users on a temporary basis, automatically revoking access at a specified time. Time-Limited Access prevents long standing privileges and ensures that information is removed from the recipient’s vault, greatly reducing the risk of unauthorized access. {% embed url="" %} Time-Limited Access {% endembed %} ## **Key Benefits** * Revoked access at a specified time designated by the record owner, minimizing the workload on the owner to remove the share at a later time. * Enhances security as traditional short term sharing has been done in insecure ways like using sticky notes, text messages or instant messengers. * Simplified compliance with event tracking on all sharing activity, ensuring least privilege access is maintained. * When paired with [KeeperPAM](https://app.gitbook.com/o/-LO5CAzoigGmCWBUbw9z/s/-MJXOXEifAmpyvNVL1to/) or Keeper Secrets Manager (KSM) [automatic service account rotation](https://docs.keeper.io/keeperpam/privileged-access-manager/password-rotation/rotation-overview) capabilities, users can schedule rotation of the shared credential upon the expiration of access, ensuring the recipient never has standing privilege. ## Share a Record Select the record from your vault and click **Share**, entering their email address or selecting it from your contacts list. Set their permission level and click **Add**.

Select the “Permissions” dropdown and click **Set Expiration**. Here you can select one of the default expirations or click **custom date and time** to set your own. Next, check the box if you would like the record owner, such as yourself, or users with edit access to be notified via email when the recipient's record access expires. Click **Done** to save.

Permissions and Option to Add Expiration

{% hint style="info" %} The recipient of a shared record with time-limited access may have "view" and "edit" permissions but will not be able to share the record. If "share" permissions are applied, the expiration will be removed. {% endhint %} ## Share a Folder Open the shared folder from your vault and click the **edit icon** and from the “Users” tab, add the user or team you would like to share the folder with.

Set their permissions and from the dropdown menu click **Set Expiration**, following the same steps you would for a single record share (described above).

Next, check the box if you would like users with "can manage records" permissions over the folder to be notified via email when the recipient's record access expires. Click **Done** to save.

{% hint style="info" %} The recipient of a shared folder with time-limited access may have "can manage records" permissions, but the ability to "manage users" is restricted. If these permissions are applied, the expiration will be removed. {% endhint %} ### Sharing PAM Resources When sharing access to PAM Resources (such as a Windows or Linux server), privileged sessions can be established to the target resource, without access to the credentials. When access is revoked, the session is terminated and session logs are created for the administrator.

For more information about PAM sessions and permissions, see the [KeeperPAM](https://app.gitbook.com/o/-LO5CAzoigGmCWBUbw9z/s/-MJXOXEifAmpyvNVL1to/) documentation. ### Time-Limited Access With Keeper Commander Manage time-limited access on records and folders programmatically using the Keeper Commander CLI and SDK. Relevant commands: * [`share-record`](https://docs.keeper.io/keeperpam/commander-cli/command-reference/sharing-commands#share-record-command) with `--expire-at` and `--expire-in` switches * [`share-folder`](https://docs.keeper.io/keeperpam/commander-cli/command-reference/sharing-commands#share-folder-command) with `--expire-at` and `--expire-in` switches For more information see our [Keeper Commander](https://docs.keeper.io/en/enterprise-guide/commander-cli) documentation.