# Time-Limited Access with Automated Credential Rotation

## Overview

Time-limited access allows administrators to share a PAM resource with a user for a defined period. When the access window expires, the user's access is removed and credentials are automatically rotated, ensuring they cannot be reused. All credential changes are recorded in a complete audit trail.

This approach ensures that every access window has a unique set of credentials, protecting against credential theft and maintaining compliance with credential rotation requirements.

**Key Features:**

* Automated credential rotation on-demand or on a scheduled basis
* Time-limited access window for authorized users
* Integration with password rotation policies
* Complete audit trail of credential changes

## Configuration

To provide time-limited access to a PAM User Record Type:

1. Open the PAM User Record type from the vault
2. Click on the Sharing button
3. Add the user as a share recipient, click on the share permissions dropdown and select **Set Expiration**.
4. The following fields are configurable

<table><thead><tr><th width="275.62890625">Field</th><th>Description</th></tr></thead><tbody><tr><td>Expiration</td><td>The duration of access granted to the user.</td></tr><tr><td>Access Expires</td><td>Displays the date and time when access will be revoked.</td></tr><tr><td>Rotate password upon expiration</td><td>When enabled, the credential is automatically rotated when the access window expires, ensuring it cannot be reused.</td></tr><tr><td>When access expires send an email to</td><td>Optionally sends an email notification when access expires. Can be configured to notify the record owner or another recipient.</td></tr></tbody></table>

5. Select the expiration time and enable "Rotate password upon expiration"

<figure><img src="/files/KlLH3JDeZa3pZrwRFyZN" alt=""><figcaption></figcaption></figure>

For more information see:

* [Time-Limited Access](https://docs.keeper.io/enterprise-guide/sharing/time-limited-access)
* [Password Rotation](https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/just-in-time-access-jit/time-limited-access-with-automated-credential-rotation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.