Using Start and End Dates for Temporary Access

"Start" and "end" dates are used to make roles and entitlements temporary – they determine when a role (or an individual user's access to a role or an entitlement) becomes active, and when it becomes inactive.

This feature offers an efficient, automated way to grant time-limited access to sensitive roles, roles that are seasonal or temporary, or access that for any reason is intended to have a limited duration, such as a short-term assignment to a different team or a special project.

IdentityIQ gives you two ways to use start and end dates:

  • On roles themselves, so that the role itself has a temporary duration.

  • When a role or entitlement is granted to a specific user; in other words, the role itself may not have time limits, but a certain user's access to that role should have a limited duration.

Using Start and End Dates in Roles

To make a role itself temporary (that is, so that any user's access granted by this role is temporary), you must first enable start and end dates for roles globally, and choose a business process to manage the activation / deactivation request on the dates you set for the role. Once these global settings are enabled, you can set specific start and end dates for any of your roles individually.

Enabling the Feature

To enable start / end dates for roles:

  1. Click gear menu > Global Settings > IdentityIQ Configuration

  2. On the Roles tab:

    • In the Role Start/End Dates section, check the option to Enable Activation/Deactivation on Roles

    • In the Business Processes section, select a business process for managing activation/deactivation in the Scheduled role activation dropdown. A standard business process (Scheduled Role Activation) is provided out of the box, but you can implement a custom business process if your business needs require one.

  3. Save your changes.

Setting Start and End Dates on Roles

Once the feature has been enabled, you can set start and end dates for any of your roles:

  1. Click Setup > Roles

  2. If you're creating a new role, click New Role; if you are editing an existing role, choose the role from the Role Viewer and click Edit Role.

  3. In the Role Editor, scroll to the Scheduled Events section. Note that you won't see this section unless you have enabled start and end dates globally, as described above.

  4. Click Add Event to add a date for Activation, and again to add a date for Deactivation. Save your date each time.

  5. Submit your changes to the role. Now you will see your activate and deactivate dates for the role.

When a role has an activation date that is in the future, it is flagged in the Role Viewer. Roles with a future activation date are disabled and cannot be assigned to users until the activation date arrives.

How Assigning and De-Assigning Roles Works With Start and End Dates

When a role's start date is in the future, it is disabled by default, and cannot be assigned to users. However, IdentityIQ lets you implement business logic, using rules and business processes, to automate the assignment and de-assignment of roles according to their start and end dates.

Assignment rules determine which users should be assigned a given role, allowing you to configure ahead of time which users should have the role once it becomes active.

Business processes perform the task of assigning roles to users when the roles become active, and de-assigning them when they become inactive. IdentityIQ provides an out-of-the-box Scheduled Activation business process for this purpose, and you can also develop your own custom business processes according to your business needs.

End Date Notifications for Roles and Entitlements

You can send a notification to both the requestor and the requestee of the role or entitlement when access is about to expire due to an end date.

To configure notifications:

  1. Click the gear menu > Global Settings > IdentityIQ Configuration

  2. Click the Roles tab

  3. In the Role Start/End Dates section, use the Days before End Date expiration to send notification field to set when the notification is sent. To disable notifications, enter 0.

  4. Save your changes.

  5. Click the Notification Settings tab.

  6. Scroll to the For notice of deprovisioning of roles and entitlements with an End Date field, and select an email template to use for notifications.

  7. Save your changes.

Using Start and End Dates for User Access

Even if a role itself does not need to be limited to a temporary duration, you may want to grant some users only temporary access to certain roles or entitlements. Note that while the start and end dates for roles as described above apply to roles only, the start and end dates you can set for individual users can apply to both roles and entitlements.

Enabling the Feature

To enable start / end dates for individual user access:

  1. Click gear menu > Global Settings > IdentityIQ Configuration

  2. On the Roles tab:

    • In the Role Start / End Dates section, check the option to Enable Start / End Dates on Role and Entitlement Assignment

    • In the Business Processes section, select a business process for managing activation / deactivation in the Scheduled Role / Entitlement Assignment drop down. A standard business process (Scheduled Assignment) is provided out of the box, but you can implement a custom business process if your business needs require one.

  3. Save your changes.

Using Start and End Dates in Access Requests

Once start and end dates are enabled for role assignment, the access request UI will include a calendar widget for setting the start and end dates for the access. This widget is on the Set Dates, Finalize and Submit tab.

If your access request includes more than one item, you can set the same start and end dates for the entire request in bulk, or individual start and end dates for each role or entitlement in the request.

Click the calendar widget to set the start and end dates for access.

You can also use the comments widget to add information about the request and why it is temporary. Be sure to Save your information.

For more information, see Managing User Access.

Using Start and End Dates in Access Approvals

Users responsible for approving a request for access can see any start / end dates in a request item, and can change the dates as part of the approval process.

The calendar widget is green in any request item that includes a date (start date, end date, or both), to alert the reviewer that dates are specified for the access. The widget is gray for request items that do not include a date.

The reviewer can see the start / end dates on a request item card, if they were set during the access request. Alternatively, the reviewer can click the calendar widget to see the start / end dates in a dialog and modify the dates as needed.

Change End Dates for Users

Once an access request with start and end dates has been approved, the start date cannot be modified. However, the end date can be changed through a request to change access.

To request a change to the end date:

  1. From the Quicklink menu, select Manage User Access (for managers) or Manage My Access (for the individual user in question) to open the Manage Access UI.

  2. If required, select the user, and click Next.

  3. On the Manage Access tab, click the option to Remove or Change Access.

  4. Find the role to be extended and click the x icon to select it.

  5. Click Next.

  6. On the Set Dates, Finalize and Submit tab, click the calendar icon.

  7. Choose the new End date and click Save.

  8. Submit the request.

The request to extend the end date follows the same approval path as a request for access.

Viewing Temporary Access for Users

You can see when a user's access is temporary from the Manage Identity Quicklink menu, under View Identity or Edit Identity, in the Access page.

You can also see which access is temporary in Identities > Identity Warehouse, on the Entitlements tab for the user.