Configuring the Approval Duration

When a user is granted access to a protected resource — whether through MFA verification, a written justification, or an approver — Keeper EPM automatically manages the lifetime of that access. Several different durations are at play, and this page explains each one, what it controls, and how to change it.

Duration Settings at a Glance

Setting

Default

What it controls

How to change

DurationMinutes (in GrantFileAccess job)

240 min (4 hrs)

How long approval-gated file access lasts

Update Jobs policy

DurationMinutes (in LaunchFileAccess job)

240 min (4 hrs)

How long MFA or justification-gated file access lasts

Update Jobs policy

approvalExpirationHours (keeperAgent plugin)

72 hrs

How long a pending approval request is valid before it expires

Update Settings policy

approvedRequestExpirationHours (keeperAgent plugin)

24 hrs

How long a granted approval can still be launched after it is approved

Update Settings policy

A note on MFA access duration: MFA is a gate — once the user passes it, the resulting file access window is governed by the same DurationMinutes setting as any other control type. There is no separate "MFA duration" setting; you adjust DurationMinutes in the LaunchFileAccess job to change how long MFA-verified file access lasts.

Understanding the Two File Access Jobs

File access can be granted through two different jobs depending on how the control is satisfied:

LaunchFileAccess — runs when a user satisfies an MFA or Justification control interactively. The DurationMinutes parameter in this job controls how long that session lasts.
GrantFileAccess — runs when an approver grants a request (the Approval control). The DurationMinutes parameter in this job controls how long the granted window lasts.

Both default to 240 minutes (4 hours). You can set them to different values if, for example, you want MFA-verified sessions to last 8 hours but approval-granted sessions to last only 2.

Part 1 – Changing the MFA / Justification File Access Duration

This configures DurationMinutes in the LaunchFileAccess job — the job that runs when a user satisfies an MFA or Justification control.

Navigate to Policies

In the Keeper Admin Console, go to Endpoint Privilege Manager → Policies and click Create Policy.

Fill in Basic Details

Policy Name — Something descriptive, such as File Access Duration – MFA (8 Hours)
Policy Type — Select any available type as a starting template (for example, Privilege Elevation)
Status — Set to Monitor to start; switch to Enforce once confirmed
Click Add Control and select at least one control, then set your User Groups and Machines targeting

Open Advanced Mode

At the bottom-left of the policy form, click the Advanced Mode link to open the JSON editor.

Replace the Policy JSON

Paste the following, replacing YOUR_DURATION_IN_MINUTES with your desired value (for example, 480 for 8 hours):

{
  "PolicyName": "File Access Duration – MFA (Custom)",
  "PolicyType": "JobUpdate",
  "Status": "on",
  "Extension": {
    "JobId": "LaunchFileAccess",
    "Action": "Update",
    "JobJson": "{\"id\":\"LaunchFileAccess\",\"name\":\"Launch File Access\",\"description\":\"Launches file access with a custom MFA/justification duration.\",\"enabled\":true,\"events\":[\"LaunchFileAccess\"],\"parameters\":[{\"name\":\"DurationMinutes\",\"type\":\"Number\",\"default\":YOUR_DURATION_IN_MINUTES}],\"tasks\":[{\"id\":\"grant-file-access\",\"executionType\":\"HTTP\",\"url\":\"/api/fileaccess/grant\",\"method\":\"POST\",\"body\":\"{\\\"filePath\\\":\\\"{FilePath}\\\",\\\"userIdentifier\\\":\\\"{UserIdentifier}\\\",\\\"userName\\\":\\\"{UserName}\\\",\\\"policyUid\\\":\\\"{PolicyUid}\\\",\\\"requestId\\\":\\\"{RequestId}\\\",\\\"durationMinutes\\\":{DurationMinutes}}\"}]}"
  }
}

Save & Deploy

Click Save. The updated job will be pushed to all targeted endpoints within approximately 30 minutes, or sooner if users trigger a Refresh Policies from the Keeper Agent system tray icon.

Part 2 – Changing the Approval-Gated File Access Duration

This configures DurationMinutes in the GrantFileAccess job — the job that runs when an approver grants a file access request.

Follow the same steps as Part 1, but use GrantFileAccess as the JobId in your JSON:

{
  "PolicyName": "File Access Duration – Approval (Custom)",
  "PolicyType": "JobUpdate",
  "Status": "on",
  "Extension": {
    "JobId": "GrantFileAccess",
    "Action": "Update",
    "JobJson": "{\"id\":\"GrantFileAccess\",\"name\":\"Grant File Access\",\"description\":\"Grants approved file access with a custom duration.\",\"enabled\":true,\"events\":[\"GrantFileAccess\"],\"parameters\":[{\"name\":\"DurationMinutes\",\"type\":\"Number\",\"default\":YOUR_DURATION_IN_MINUTES}],\"tasks\":[{\"id\":\"grant-access\",\"command\":\"KeeperFileAccessPolicyEnforcer\",\"arguments\":\"--operation=grant --filePath={FilePath} --userName={UserName} --duration={DurationMinutes}\",\"executionType\":\"Service\"}]}"
  }
}

Part 3 – Changing the Pending Approval Expiration

When a user submits a request for approval, that request is pending until an approver acts on it. If no action is taken within the configured window, the request automatically expires and the user must submit a new one.

This is controlled by the approvalExpirationHours setting in the keeperAgent plugin, using an Update Settings policy.

Navigate to Policies

Go to Endpoint Privilege Manager → Policies and click Create Policy.

Fill in Basic Details

Policy Name — For example, Approval Request Expiration – 48 Hours
Policy Type — Select any available type as a starting template
Status — Start with Monitor, then switch to Enforce
Add a control and set targeting as appropriate

Open Advanced Mode

Click the Advanced Mode link at the bottom-left.

Replace the Policy JSON

Replace YOUR_HOURS with the number of hours you want pending requests to remain valid (for example, 48). You can also adjust approvedRequestExpirationHours and historyRetentionDays at the same time — see the reference table below.

{
  "PolicyName": "Approval Request Expiration – Custom",
  "PolicyType": "SettingsUpdate",
  "Status": "on",
  "Extension": {
    "PluginName": "keeperAgent",
    "Action": "Update",
    "SettingsJson": "{\"approvalExpirationHours\":YOUR_HOURS,\"approvedRequestExpirationHours\":24,\"historyRetentionDays\":30,\"maxPayloadSizeBytes\":1048576,\"maxRequestItems\":20,\"maxHistoryItems\":20}"
  }
}

Important: The SettingsJson value replaces the entire keeperAgent plugin configuration. Include all settings you want, not just the one you are changing. The values shown above are the defaults for settings you are not modifying.

Save & Deploy

Click Save. The updated settings will be pushed to in-scope endpoints within approximately 30 minutes.

Part 4 – Changing the Approved Request Launch Window

Once an approver grants a request, the user receives a notification and can launch the approved action from the Keeper Agent. The approvedRequestExpirationHours setting controls how long that window stays open — if the user does not launch it in time, the approval lapses and a new request must be submitted.

Follow the same steps as Part 3, adjusting the approvedRequestExpirationHours value in the SettingsJson. For example, to extend the launch window to 48 hours:

"SettingsJson": "{\"approvalExpirationHours\":72,\"approvedRequestExpirationHours\":48,\"historyRetentionDays\":30,\"maxPayloadSizeBytes\":1048576,\"maxRequestItems\":20,\"maxHistoryItems\":20}"

References

Duration Reference Table

Value

Minutes

Hours

60

60 min

1 hour

120

120 min

2 hours

240

240 min

4 hours (default for file access)

480

480 min

8 hours

1440

1440 min

24 hours

For approval expiration (in hours):

Value

Duration

24

1 day

48

2 days

72

3 days (default for pending requests)

168

7 days

What about active grants? Changing any of these settings does not affect grants or approval windows that are already in progress. The new values apply only to new requests and grants created after the updated configuration reaches the endpoint.

PreviousBackup & Restore NextCrowdstrike Running Job

Last updated 12 days ago