Using Start and End Dates for User Access

Even if a role itself does not need to be limited to a temporary duration, you may want to grant some users only temporary access to certain roles or entitlements. Note that while the start and end dates for roles as described above apply to roles only, the start and end dates you can set for individual users can apply to both roles and entitlements.

Enabling the Feature

To enable start / end dates for individual user access:

  1. Click gear menu > Global Settings > IdentityIQ Configuration

  2. On the Roles tab:

    • In the Role Start / End Dates section, check the option to Enable Start / End Dates on Role and Entitlement Assignment

    • In the Business Processes section, select a business process for managing activation / deactivation in the Scheduled Role / Entitlement Assignment drop down. A standard business process (Scheduled Assignment) is provided out of the box, but you can implement a custom business process if your business needs require one.

  3. Save your changes.

Using Start and End Dates in Access Requests

Once start and end dates are enabled for role assignment, the access request UI will include a calendar widget for setting the start and end dates for the access. This widget is on the Set Dates, Finalize and Submit tab.

If your access request includes more than one item, you can set the same start and end dates for the entire request in bulk, or individual start and end dates for each role or entitlement in the request.

Click the calendar widget to set the start and end dates for access.

You can also use the comments widget to add information about the request and why it is temporary. Be sure to Save your information.

For more information, see Managing User Access.

Using Start and End Dates in Access Approvals

Users responsible for approving a request for access can see any start / end dates in a request item, and can change the dates as part of the approval process.

The calender widget is green in any request item that includes a date (start date or end date, or both), to alert the reviewer that there is date(s) specified for the access. The widget is gray for the request items that does not include a date.

The reviewer can see the start / end dates on a request item card, if it were set during access request. Alternatively, the reviewer can click the calendar widget to see the start / end dates in a dialog and modify the dates as needed.

Change End Dates for Users

Once an access request with start and end dates has been approved, the start date can not be modified. However, the end date can be changed through a request to change access.

To request a change to the end date:

  1. From the Quicklink menu, select Manage User Access (for managers) or Manage My Access (for the individual user in question) to open the Manage Access UI.

  2. If required, select the user, and click Next.

  3. On the Manage Access tab, click the option to Remove or Change Access.

  4. Find the role to be extended and click the x icon to select it.

  5. Click Next.

  6. On the Set Dates, Finalize and Submit tab, click the calendar icon.

  7. Choose the new End date and click Save.

  8. Submit the request.

The request to extend the end date follows the same approval path as a request for access.

Viewing Temporary Access for Users

You can see when a user's access is temporary from the Manage Identity Quicklink menu, under View Identity or Edit Identity, in the Access page.

You can also see which access is temporary in Identities > Identity Warehouse, on the Entitlements tab for the user: