Using Sunrise and Sunset Dates in Roles
To make a role itself temporary (that is, so that any user's access granted by this role is temporary), you must first enable sunrise and sunset dates for roles globally, and choose a business process to manage the activation / deactivation request on the dates you set for the role. Once these global settings are enabled, you can set specific sunrise and sunset dates for any of your roles individually.
Enabling the Feature
To enable sunrise / sunset dates for roles:
-
Click gear menu > Global Settings > IdentityIQ Configuration
-
On the Roles tab:
-
In the Role Sunrise/Sunset Dates section, check the option to Enable Sunrise / Sunset Dates on Role Activation
-
In the Business Processes section, select a business process for managing activation/deactivation in the Scheduled role activation dropdown. A standard business process (Scheduled Role Activation) is provided out of the box, but you can implement a custom business process if your business needs require one.
-
-
Save your changes.
Setting Sunrise and Sunset Dates on Roles
Once the feature has been enabled, you can set sunrise and sunset dates for any of your roles:
-
Click Setup > Roles
-
If you're creating a new role, click New Role; if you are editing an existing role, choose the role from the Role Viewer and click Edit Role.
-
In the Role Editor, scroll to the Scheduled Events section. Note that you won't see this section unless you have enabled sunrise and sunset dates globally, as described above.
-
Click Add Event to add a date for Activation, and again to add a date for Deactivation. Save your date each time.
-
Submit your changes to the role. Now you will see your activate and deactivate dates for the role.
When a role has an activation date that is in the future, it is flagged in the Role Viewer. Roles with a future activation date are disabled and cannot be assigned to users until the activation date arrives.
How Assigning and De-Assigning Roles Works With Sunrise and Sunset Dates
When a role's sunrise date is in the future, it is disabled by default, and can not be assigned to users. However, IdentityIQ lets you implement business logic, using rules and business processes, to automate the assignment and de-assignment of roles according to their sunrise and sunset dates.
Assignment rules determine which users should be assigned a given role, allowing you to configure ahead of time which users should have the role once it becomes active.
Business processes perform the task of assigning roles to users when the roles become active, and de-assigning them when they become inactive. IdentityIQ provides an out-of-the-box Scheduled Activation business process for this purpose, and you can also develop your own custom business processes according to your business needs.
Sunset Notifications for Roles and Entitlements
You can send a notification to both the requestor and the requestee of the role or entitlement, when access is about to expire due to a sunset date.
To configure notifications:
-
Click the gear menu > Global Settings > IdentityIQ Configuration
-
Click the Roles tab
-
In the Role Sunrise/Sunset Dates section, use the Days before Sunset expiration to send notifications field to set when the notification is sent. To disable notifications, enter 0.
-
Save your changes.
-
Click the Mail Settings tab.
-
Scroll to the For notice of deprovisioning of sunsetted roles and entitlements field, and select an email template to use for notifications.
-
Save your changes.