time-bound access #145
Comments
Letting the user select an end date is already possible to the extent that they can choose for how long they want to activate a role (up to the maximum specified in Do you have a specific use case in mind for which a user would need to specify a start date too? There is one challenge with letting users set a future start date, especially if it's more than a few hours in the future: Let's say it's Monday and Alice requests to activate a role for Friday, maybe because there's a maintenance window on Friday. Assuming she gets approval, JIT Access would then create a temporary role binding for the requested role with a condition that specifies that it's only valid on Friday. On Tuesday, Alice's manager decides that Alice should no longer be eligible for that role and removes her eligible role binding. But that doesn't have an effect on the temporary role binding -- so Alice will still get her access on Friday! I don't think it's necessarily a security issue, but it might be counter-intuitive.
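To make the scenario in the comment above concrete, here is an added, self-contained Python model (not jit-access's own code; the `Binding` class, the role name and the dates are constructed assumptions) that reproduces the Monday/Tuesday/Friday case and adds a reconciliation check a defender could run to flag a future-dated temporary binding whose member has since lost eligibility.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical model: an "eligible" binding says who may request a role; a
# temporary binding with a start/end window is what an approved request creates.
class Binding:
    def __init__(self, member, role, start=None, end=None):
        self.member, self.role = member, role
        self.start, self.end = start, end  # None means unconditional

    def is_active(self, at):
        # A conditional binding only grants access inside its [start, end) window.
        if self.start is not None and at < self.start:
            return False
        if self.end is not None and at >= self.end:
            return False
        return True

def has_access(bindings, member, role, at):
    return any(b.member == member and b.role == role and b.is_active(at)
               for b in bindings)

def stale_temporary_bindings(eligible, temporary, now):
    """Reconciliation check: temporary bindings that are still pending or active
    but whose member no longer holds a matching eligible binding."""
    eligible_keys = {(b.member, b.role) for b in eligible}
    return [b for b in temporary
            if (b.end is None or b.end > now)
            and (b.member, b.role) not in eligible_keys]

def scenario():
    monday = datetime(2024, 1, 1, 9, tzinfo=timezone.utc)  # constructed dates
    tuesday = monday + timedelta(days=1)
    friday = monday + timedelta(days=4)
    role = "roles/compute.admin"  # constructed sample role
    eligible = [Binding("alice", role)]
    # Monday: request approved, binding conditioned to be valid only on Friday.
    temporary = [Binding("alice", role, start=friday, end=friday + timedelta(days=1))]
    # Tuesday: the manager removes Alice's eligible binding.
    eligible = [b for b in eligible if b.member != "alice"]
    return {
        "thursday_access": has_access(temporary, "alice", role, friday - timedelta(days=1)),
        "friday_access": has_access(temporary, "alice", role, friday + timedelta(hours=2)),
        "stale_on_tuesday": len(stale_temporary_bindings(eligible, temporary, tuesday)),
    }
```

Running the reconciliation check on a schedule (or on every change to eligible bindings) is one way to surface the counter-intuitive case the comment describes before Friday arrives.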
Hi, I understand what you mean, the approver must take that into consideration when approving :) The use case we see is, for example: A possible solution for this use case could be for the start time of the IAM condition be the approval date, and not the request date, but if Alice is not there the same thing could happen. So that's why if we have a start/end date, it can help both the requester and the approver. BR,
Hi,
It would be great if it were possible to have time-bound access, with the user requesting access being able to select the start and end dates.
Many thanks!