# Configuring the Approval Duration When a user is granted access to a protected resource — whether through MFA verification, a written justification, or an approver — Keeper EPM automatically manages the lifetime of that access. Several different durations are at play, and this page explains each one, what it controls, and how to change it. ## Duration Settings at a Glance

Setting	Default	What it controls	How to change
`DurationMinutes` (in `GrantFileAccess` job)	240 min (4 hrs)	How long approval-gated file access lasts	Update Jobs policy
`DurationMinutes` (in `LaunchFileAccess` job)	240 min (4 hrs)	How long MFA or justification-gated file access lasts	Update Jobs policy
`approvalExpirationHours` (keeperAgent plugin)	72 hrs	How long a pending approval request is valid before it expires	Update Settings policy
`approvedRequestExpirationHours` (keeperAgent plugin)	24 hrs	How long a granted approval can still be launched after it is approved	Update Settings policy

> **A note on MFA access duration:** MFA is a *gate* — once the user passes it, the resulting file access window is governed by the same `DurationMinutes` setting as any other control type. There is no separate "MFA duration" setting; you adjust `DurationMinutes` in the `LaunchFileAccess` job to change how long MFA-verified file access lasts. ## Understanding the Two File Access Jobs File access can be granted through two different jobs depending on how the control is satisfied: * **`LaunchFileAccess`** — runs when a user satisfies an MFA or Justification control interactively. The `DurationMinutes` parameter in this job controls how long that session lasts. * **`GrantFileAccess`** — runs when an approver grants a request (the Approval control). The `DurationMinutes` parameter in this job controls how long the granted window lasts. Both default to **240 minutes (4 hours)**. You can set them to different values if, for example, you want MFA-verified sessions to last 8 hours but approval-granted sessions to last only 2. *** ### Part 1 – Changing the MFA / Justification File Access Duration This configures `DurationMinutes` in the `LaunchFileAccess` job — the job that runs when a user satisfies an MFA or Justification control. {% stepper %} {% step %} **Navigate to Policies** In the Keeper Admin Console, go to **Endpoint Privilege Manager → Policies** and click **Create Policy**. {% endstep %} {% step %} **Fill in Basic Details** * **Policy Name** — Something descriptive, such as `File Access Duration – MFA (8 Hours)` * **Policy Type** — Select any available type as a starting template (for example, **Privilege Elevation**) * **Status** — Set to **Monitor** to start; switch to **Enforce** once confirmed * Click **Add Control** and select at least one control, then set your **User Groups** and **Machines** targeting {% endstep %} {% step %} **Open Advanced Mode** At the bottom-left of the policy form, click the **Advanced Mode** link to open the JSON editor. {% endstep %} {% step %} **Replace the Policy JSON** Paste the following, replacing `YOUR_DURATION_IN_MINUTES` with your desired value (for example, `480` for 8 hours): ```json { "PolicyName": "File Access Duration – MFA (Custom)", "PolicyType": "JobUpdate", "Status": "on", "Extension": { "JobId": "LaunchFileAccess", "Action": "Update", "JobJson": "{\"id\":\"LaunchFileAccess\",\"name\":\"Launch File Access\",\"description\":\"Launches file access with a custom MFA/justification duration.\",\"enabled\":true,\"events\":[\"LaunchFileAccess\"],\"parameters\":[{\"name\":\"DurationMinutes\",\"type\":\"Number\",\"default\":YOUR_DURATION_IN_MINUTES}],\"tasks\":[{\"id\":\"grant-file-access\",\"executionType\":\"HTTP\",\"url\":\"/api/fileaccess/grant\",\"method\":\"POST\",\"body\":\"{\\\"filePath\\\":\\\"{FilePath}\\\",\\\"userIdentifier\\\":\\\"{UserIdentifier}\\\",\\\"userName\\\":\\\"{UserName}\\\",\\\"policyUid\\\":\\\"{PolicyUid}\\\",\\\"requestId\\\":\\\"{RequestId}\\\",\\\"durationMinutes\\\":{DurationMinutes}}\"}]}" } } ``` {% endstep %} {% step %} **Save & Deploy** Click **Save**. The updated job will be pushed to all targeted endpoints within approximately **30 minutes**, or sooner if users trigger a **Refresh Policies** from the Keeper Agent system tray icon. {% endstep %} {% endstepper %} ### Part 2 – Changing the Approval-Gated File Access Duration This configures `DurationMinutes` in the `GrantFileAccess` job — the job that runs when an approver grants a file access request. Follow the same steps as Part 1, but use `GrantFileAccess` as the `JobId` in your JSON: ```json { "PolicyName": "File Access Duration – Approval (Custom)", "PolicyType": "JobUpdate", "Status": "on", "Extension": { "JobId": "GrantFileAccess", "Action": "Update", "JobJson": "{\"id\":\"GrantFileAccess\",\"name\":\"Grant File Access\",\"description\":\"Grants approved file access with a custom duration.\",\"enabled\":true,\"events\":[\"GrantFileAccess\"],\"parameters\":[{\"name\":\"DurationMinutes\",\"type\":\"Number\",\"default\":YOUR_DURATION_IN_MINUTES}],\"tasks\":[{\"id\":\"grant-access\",\"command\":\"KeeperFileAccessPolicyEnforcer\",\"arguments\":\"--operation=grant --filePath={FilePath} --userName={UserName} --duration={DurationMinutes}\",\"executionType\":\"Service\"}]}" } } ``` ### Part 3 – Changing the Pending Approval Expiration When a user submits a request for approval, that request is pending until an approver acts on it. If no action is taken within the configured window, the request automatically expires and the user must submit a new one. This is controlled by the **`approvalExpirationHours`** setting in the **keeperAgent** plugin, using an **Update Settings** policy. {% stepper %} {% step %} **Navigate to Policies** Go to **Endpoint Privilege Manager → Policies** and click **Create Policy**. {% endstep %} {% step %} **Fill in Basic Details** * **Policy Name** — For example, `Approval Request Expiration – 48 Hours` * **Policy Type** — Select any available type as a starting template * **Status** — Start with **Monitor**, then switch to **Enforce** * Add a control and set targeting as appropriate {% endstep %} {% step %} **Open Advanced Mode** Click the **Advanced Mode** link at the bottom-left. {% endstep %} {% step %} **Replace the Policy JSON** Replace `YOUR_HOURS` with the number of hours you want pending requests to remain valid (for example, `48`). You can also adjust `approvedRequestExpirationHours` and `historyRetentionDays` at the same time — see the reference table below. ```json { "PolicyName": "Approval Request Expiration – Custom", "PolicyType": "SettingsUpdate", "Status": "on", "Extension": { "PluginName": "keeperAgent", "Action": "Update", "SettingsJson": "{\"approvalExpirationHours\":YOUR_HOURS,\"approvedRequestExpirationHours\":24,\"historyRetentionDays\":30,\"maxPayloadSizeBytes\":1048576,\"maxRequestItems\":20,\"maxHistoryItems\":20}" } } ``` > **Important:** The `SettingsJson` value replaces the **entire** keeperAgent plugin configuration. Include all settings you want, not just the one you are changing. The values shown above are the defaults for settings you are not modifying. > {% endstep %} {% step %} **Save & Deploy** Click **Save**. The updated settings will be pushed to in-scope endpoints within approximately **30 minutes**. {% endstep %} {% endstepper %} ### Part 4 – Changing the Approved Request Launch Window Once an approver grants a request, the user receives a notification and can launch the approved action from the Keeper Agent. The **`approvedRequestExpirationHours`** setting controls how long that window stays open — if the user does not launch it in time, the approval lapses and a new request must be submitted. Follow the same steps as Part 3, adjusting the `approvedRequestExpirationHours` value in the `SettingsJson`. For example, to extend the launch window to 48 hours: ```json "SettingsJson": "{\"approvalExpirationHours\":72,\"approvedRequestExpirationHours\":48,\"historyRetentionDays\":30,\"maxPayloadSizeBytes\":1048576,\"maxRequestItems\":20,\"maxHistoryItems\":20}" ``` *** ## References #### Duration Reference Table

Value	Minutes	Hours
`60`	60 min	1 hour
`120`	120 min	2 hours
`240`	240 min	4 hours (default for file access)
`480`	480 min	8 hours
`1440`	1440 min	24 hours

### For approval expiration (in hours):

Value	Duration
`24`	1 day
`48`	2 days
`72`	3 days (default for pending requests)
`168`	7 days

> **What about active grants?** Changing any of these settings does not affect grants or approval windows that are already in progress. The new values apply only to new requests and grants created after the updated configuration reaches the endpoint. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/keeperpam/endpoint-privilege-manager/user-guides/configuring-the-approval-duration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.