PAM is designed to manage sessions to devices, not to manage accesses to resources, like a shared network folder. So, this should have to be done through an RDP session from a jump server, as accessing a resource, cannot be monitored by PAM in any way. The items PAM is working with are the sessions, which can be recorded as well, but the access to a resource is not a known task for PAM. Therefore, in order to achieve it, an RDP session to an intermediate server has to be open to access the network resource having the session recording enabled. Anyway, the users will have access to the intermediate server desktop, just to access a network drive.