
Time-Based Access

Time-Based Access in IdentityIQ enhances start/end dates on access requests by allowing for the time of day as well as the time zone. This feature helps organizations enforce least privilege principles, improve compliance with security policies, and reduce the risk of excessive or lingering access.

Administrators can define and enforce start and end dates, times, and time zone for Access Requests, as well as set a maximum access request time for both roles and entitlements.

Configuring Time-Based Access for Roles and Entitlements

Administrators can enable time-based access for Access Requests and Approvals only if the Enable Start/End Dates & Time on Role and Entitlement Assignment option is enabled. When this feature is activated, users gain the ability to specify the precise start and end dates, times, and time zone for their Access Requests to an identity.

Follow the steps below to enable the time-based access configuration for roles:

  1. Navigate to Global Settings > IdentityIQ Configuration > Roles Tab.

  2. Select the Enable Start/End Dates & Times on Role and Entitlement Assignment checkbox.

  3. Select the Enable Time-Based Start/End Dates on Role and Entitlement Assignment checkbox.

  4. Save the changes.

Configuring Required End Date and Maximum Access Request Time for Entitlements

Entitlement owners may need to set a required end date and time along with a maximum access request time on Access Requests and Approvals for specific entitlements, so that users have access to sensitive applications only for as long as needed.

The owners can configure the required end date and time and the maximum access request time on the Entitlement Catalog page. When enabled, this configuration will require an end date, time, and time zone on all Access Requests and Approvals for this entitlement. When requesting an entitlement, users are required to define an end date, time, and time zone, and approvers must validate the request, including the specified end date, time, and time zone.

Perform the following steps to enable required end date and maximum access request time while creating or editing entitlements:

Note

Before configuring required end date and maximum access request time for entitlements, ensure that the start and end dates and time on role and entitlements have been enabled. See Configure Time-Based Access for Roles and Entitlements for more details.

  1. Navigate to IdentityIQ > Applications > Entitlement Catalog.

  2. Select an existing entitlement that needs to be set with end date and maximum access request time. Or, select to add a new entitlement.
    See Standard Properties Tab and Adding or Editing Entitlement Parameters for more details on editing or adding an entitlement.

  3. Under the Access Start/End Dates & Times section on the Edit Entitlement page, select Require End Dates & Times.

  4. Select Maximum Access Request Time.
    This selection specifies the maximum access request time a user can request for this entitlement. The duration of access is calculated as the difference between the requested end date and time and the start date and time. If no start date and time has been specified, the current time is used. When enabled, it allows the entitlement owner to specify this maximum access request time using a dropdown. The options available are Hours, Days, Weeks, and Months.

    If maximum access request time is not set, the default duration is in days, and the default time is one day. If a user deletes the value in the time field and selects Save, an error message is displayed at the top of the page after load: “A maximum access time must be specified.”

  5. Save the changes.

Configuring Required End Date and Maximum Access Request Time for Roles

Role owners may need to set a required end date and time along with a maximum access request time on Access Requests and Approvals for specific roles, so that users have access to sensitive applications only for as long as needed.

The owners can configure the required end date and time and the maximum access request time on the Role Editor page. When enabled, this configuration will require an end date, time, and time zone on all Access requests and Approvals for this role. When requesting a role, users are required to define an end date, time, and time zone, and approvers must validate the request, including the specified end date, time, and time zone.

Perform the following steps to enable required end date and maximum access request time while creating or editing roles:

Note

Before configuring required end date and maximum access request time for roles, ensure that the start and end dates and time on role and entitlements have been enabled. See Configure Time-Based Access for Roles and Entitlements for more details.

  1. Navigate to IdentityIQ > Setup > Roles.

  2. Select an existing role under Role Viewer > Role Navigation that needs to be set with end date and maximum access request time and then select the Edit Role button. Or, select the New Role button to add a new role. See Role Editor Page for more details on editing or adding a role.

  3. Under the Access Start/End Dates & Times section on the Role Editor page, select Require End Dates & Times.

  4. Select Maximum Access Request Time.
    This selection specifies the maximum access request time a user can request for this role. The duration of access is calculated as the difference between the requested end date and time and the start date and time. If no start date and time has been specified, the current time is used. When enabled, it allows the role owner to specify this maximum access request time using a dropdown. The options available are Hours, Days, Weeks, and Months.

    If Maximum Access Time is not set, the default duration is in days, and the default time is one day. If a user deletes the value in the time field and selects Save, an error message is displayed at the top of the page after load: “A maximum access time must be specified.”

  5. Save the changes.
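
The duration rule described for entitlements and for roles above can be checked outside the product, for example when reviewing requests before they are submitted. The following is an added example, not SailPoint code: the function names are hypothetical, timestamps are assumed to be ISO 8601 strings carrying a UTC offset, and "Months" is assumed to mean calendar months.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Units offered by the Maximum Access Request Time dropdown on the page.
FIXED = {"Hours": timedelta(hours=1), "Days": timedelta(days=1), "Weeks": timedelta(weeks=1)}

def latest_end(start, amount, unit):
    """Latest permitted end instant (UTC) for a window starting at `start`."""
    if unit in FIXED:
        return start + amount * FIXED[unit]
    if unit != "Months":
        raise ValueError("unknown unit: " + unit)
    # Assumption: a month is a calendar month, clamped to the target month's last day.
    years, month0 = divmod(start.month - 1 + amount, 12)
    year, month = start.year + years, month0 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)

def to_utc(stamp):
    """Parse an ISO 8601 timestamp; return None if it carries no UTC offset."""
    parsed = datetime.fromisoformat(stamp)
    return parsed.astimezone(timezone.utc) if parsed.tzinfo else None

def check_request(end, start=None, max_amount=1, max_unit="Days", now=None):
    """Return (allowed, reason) for one time-based access request."""
    now = now or datetime.now(timezone.utc)
    if not end:
        return False, "end date and time required"
    end_utc = to_utc(end)
    start_utc = to_utc(start) if start else now  # no start given: use the current time
    if end_utc is None or start_utc is None:
        return False, "time zone required"
    if end_utc <= start_utc:
        return False, "end is not after start"
    if end_utc > latest_end(start_utc, max_amount, max_unit):
        return False, "exceeds maximum access request time"
    return True, "ok"

# Constructed sample: the same wall-clock end time in two zones, limit left at one day.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLES = ["2025-01-11T10:00:00+09:00", "2025-01-11T10:00:00-08:00", "2025-01-11T10:00:00"]

def demo():
    return [check_request(end, now=NOW) for end in SAMPLES]

if __name__ == "__main__":
    for end, result in zip(SAMPLES, demo()):
        print(end, result)
```

The first two samples share the same wall-clock end time, yet only the +09:00 request fits inside the one-day default, which is why the time zone has to be validated together with the date and time.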

Setting Preferred Time Zone

Users can optionally configure their preferred time zone within their profile settings, which will then be used when requesting time-based access.

  1. Navigate to Profile > Preferences. The Edit Preferences screen displays.

  2. Select the required time zone under the Preferred Time Zone field.

  3. Save the changes.

Generating Time-Based Access Requests

An access request that includes a start/end date, time, and time zone is defined as a time-based access request. See Request Access for Others and Request Access for Yourself for details on generating time-based access requests.

Based on the configuration, users may have the option to set only the end date and time, and time zone.

If time-based access is enabled, but the start/end date and time, and time zone are not set before submitting the request, the calendar button is highlighted in red and the request cannot be submitted. Also, access cannot be granted for longer than the configured maximum access request time.

Approving Time-Based Access Requests

Approvers have the option to edit the start and end date, time, and time zone while approving the time-based access requests. See Approving Access Requests for more details on an approver’s privileges.

Updating Date and Time for Roles and Entitlements in Identity Warehouse

Once an identity access request with a start and end date, time, and time zone has been approved, the entitlement or role is displayed for the identity within the Identity Warehouse. An administrator retains the ability to modify the start and end date, time, and time zone in the Identity Warehouse. See View Identity Page for more details on updating the access date and time for roles and entitlements in the Identity Warehouse.

Bulk Update Access Request for Roles and Entitlements

IIQ batch requests enable users to submit access requests for numerous identities simultaneously, bypassing the standard Lifecycle Management (LCM) workflow. This is achieved by uploading a .csv file containing details such as the identity, the roles and entitlements being requested, and an optional date, time, and time zone specifying when the access should be granted. See Batch Request for more details on updating the access date and time for roles and entitlements in bulk.