
time-bound access #145

Open
pfilourenco opened this issue Sep 4, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

pfilourenco commented Sep 4, 2023

Hi,

It would be great if it were possible to have time-bound access, with the user requesting access being able to select the start and end dates.

Many thanks!

jpassing (Collaborator) commented Sep 5, 2023

Letting the user select an end date is already possible to the extent that they can choose for how long they want to activate a role (up to the maximum specified in ACTIVATION_TIMEOUT):


Do you have a specific use case in mind for which a user would need to specify a start date too?

There is one challenge with letting users set a future start date, especially if it's more than a few hours in the future: Let's say it's Monday and Alice requests to activate a role for Friday, maybe because there's a maintenance window on Friday. Assuming she gets approval, JIT Access would then create a temporary role binding for the requested role with a condition that specifies that it's only valid on Friday. On Tuesday, Alice's manager decides that Alice should no longer be eligible for that role and removes her eligible role binding. But that doesn't have an effect on the temporary role binding -- so Alice will still get her access on Friday!

I don't think it's necessarily a security issue, but it might be counter-intuitive.

@jpassing jpassing added the enhancement New feature or request label Sep 5, 2023
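The Monday/Tuesday/Friday scenario above, modelled as an added example (not JIT Access code): an eligible binding permits requesting a role, approval adds a temporary binding carrying a time condition, and removing the eligible binding leaves that temporary binding untouched. The binding kinds, the principal and role names, and the `dangling_temporary` reconciliation check are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed model (added example, not the project's own code): "eligible"
# bindings only permit requesting a role; "temporary" bindings are created on
# approval and limited by a condition on request.time.
@dataclass(frozen=True)
class Binding:
    principal: str
    role: str
    kind: str                            # "eligible" or "temporary"
    start: "datetime | None" = None      # condition window (temporary only)
    end: "datetime | None" = None

def time_condition(start: datetime, end: datetime) -> str:
    """Render the window as an IAM-condition style CEL expression."""
    ts = lambda t: t.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
    return f'request.time >= timestamp("{ts(start)}") && request.time < timestamp("{ts(end)}")'

def approve(bindings, principal, role, start, end):
    """Approval is only possible while an eligible binding exists; it adds a temporary one."""
    if not any(b.principal == principal and b.role == role and b.kind == "eligible" for b in bindings):
        raise PermissionError(f"{principal} is not eligible for {role}")
    return bindings + [Binding(principal, role, "temporary", start, end)]

def revoke_eligibility(bindings, principal, role):
    """What the manager does on Tuesday: only the eligible binding goes away."""
    return [b for b in bindings if not (b.principal == principal and b.role == role and b.kind == "eligible")]

def active_roles(bindings, principal, now):
    """Roles effective at `now`: temporary bindings whose condition window contains now."""
    return {b.role for b in bindings
            if b.principal == principal and b.kind == "temporary" and b.start <= now < b.end}

def dangling_temporary(bindings, now):
    """Reconciliation check: unexpired temporary bindings with no matching eligible binding."""
    eligible = {(b.principal, b.role) for b in bindings if b.kind == "eligible"}
    return [b for b in bindings
            if b.kind == "temporary" and b.end > now and (b.principal, b.role) not in eligible]

def scenario():
    utc = timezone.utc
    tuesday = datetime(2023, 9, 5, 9, tzinfo=utc)      # eligibility removed
    fri_start, fri_end = datetime(2023, 9, 8, 8, tzinfo=utc), datetime(2023, 9, 8, 12, tzinfo=utc)
    bindings = [Binding("alice@example.com", "roles/compute.admin", "eligible")]
    bindings = approve(bindings, "alice@example.com", "roles/compute.admin", fri_start, fri_end)
    bindings = revoke_eligibility(bindings, "alice@example.com", "roles/compute.admin")
    return {"condition": time_condition(fri_start, fri_end),
            "friday_roles": active_roles(bindings, "alice@example.com", fri_start),   # still granted
            "dangling_on_tuesday": len(dangling_temporary(bindings, tuesday))}        # what a sweep would catch
```

Running `scenario()` shows the Friday window still grants the role after Tuesday's revocation; a periodic sweep with `dangling_temporary` is one way to surface such bindings.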
pfilourenco (Author) commented Sep 13, 2023


Hi,

I understand what you mean, the approver must take that into consideration when approving :)

The use case we see is, for example:
1 - Alice requests the activation of a role for the next 1h, but the approver goes to lunch and only sees the email when the requested end time has already passed or is nearly over; then Alice will not have time to do what she needs, and the next time she will request 2h for a job of maybe 10 min.

A possible solution for this use case could be for the start time of the IAM condition to be the approval date, and not the request date, but if Alice is not there the same thing could happen.

So that's why if we have a start/end date, it can help both the requester and the approver.

BR,
Pedro Lourenço
