Using Sunrise and Sunset Dates for User Access

Even if a role itself does not need to be limited to a temporary duration, you may want to grant some users only temporary access to certain roles or entitlements. Note that while the sunrise and sunset dates for roles as described above apply to roles only, the sunrise and sunset dates you can set for individual users can apply to both roles and entitlements.

Enabling the Feature

To enable sunrise / sunset dates for individual user access:

  1. Click gear menu > Global Settings > IdentityIQ Configuration

  2. On the Roles tab:

    • In the Role Sunrise / Sunset Dates section, check the option to Enable Sunrise / Sunset Dates on Role Assignment

    • In the Business Processes section, select a business process for managing activation / deactivation in the Scheduled role / entitlement assignment drop down. A standard business process (Scheduled Assignment) is provided out of the box, but you can implement a custom business process if your business needs require one.

  3. Save your changes.

Using Sunrise and Sunset Dates in Access Requests

Once sunrise and sunset dates are enabled for role assignment, the access request UI will include a calendar widget for setting the start and end dates for the access. This widget is on the Review and Submit tab.

If your access request includes more than one item, you can set a single date range for the entire request, or individual date ranges for each role or entitlement in the request.

Click the calendar widget to set the dates for access.

You can also use the comments widget to add information about the request and why it is temporary. Be sure to Save your information.

For more information, see Managing User Access.

Using Sunrise and Sunset Dates in Access Approvals

Users responsible for approving a request for access can see any sunrise/sunset dates in a request item, and can change the dates as part of the approval process.

The calendar widget is green in any request item that includes sunrise and sunset dates, to alert the reviewer that there is a date range specified for the access.

The reviewer can click the calendar widget to see the sunrise and sunset dates. The reviewer can also modify the dates as needed in this dialog.

Extending Sunset Dates for Users

Once an access request with sunrise and sunset dates has been approved, the sunrise date can not be modified. However, the sunset date can be extended through a request to remove access.

To request an extension to the sunset date:

  1. From the Quicklink menu, select Manage User Access (for managers) or Manage My Access (for the individual user in question) to open the Manage Access UI.

  2. If required, select the user, and click Next.

  3. On the Manage Access tab, click the option to Remove Access.

  4. Find the role to be extended and click the x icon to select it.

  5. Click Next.

  6. On the Review and Submit tab, click the calendar icon.

  7. Choose the new Sunset date and click Save.

  8. Submit the request.

The request to extend the sunset date follows the same approval path as a request for access.

Viewing Temporary Access for Users

You can see when a user's access is temporary from the Manage Identity Quicklink menu, under View Identity or Edit Identity, in the Access page.

You can also see which access is temporary in Identities > Identity Warehouse, on the Entitlements tab for the user: