
Time-based role assignments

Time-based role assignments use the concept of a role validity window. A role assignment is "active" or "inactive" depending on whether the current date falls within the start and end dates defined in its role validity window. Based on that status, the RBAC engine automatically grants or revokes the entitlements the role carries for the user.

The following elements are used with time-based role assignments:

  • START_TIME The resource attribute that defines the start date for a role assignment.

  • END_TIME The resource attribute that defines the end date for a role assignment.

  • ROLE_VALIDITY The resource attribute group that includes START_TIME and END_TIME resource attributes.

    The role validity window determines the role assignment's status. The role assignment is considered "active" during the dates specified, otherwise, it is considered "inactive".

    When the start and end dates are not defined, the role assignment is considered "active" and the individual entitlements are applied immediately.

  • IGNORE_VALIDITY_WINDOW When enabled, the role validity window is ignored and the assignment is treated as though no start and end dates were defined.

    This attribute allows a manual override when the validity window was set by automation from system of record (SoR) attributes. Because it removes the time limit on the assignment, the ability to set this attribute should itself be restricted and its use reviewed.

  • RBACENFORCE When this boolean attribute is set to true, the user falls under role-enforcement jurisdiction, meaning the rbacenforce program checks the user's entitlements against the user's active roles and corrects variances. When a new user is created, or an access change request is issued for an existing user, the default value is true.

    It is included in the RBACENFORCEATTR group.

  • RBACENFORCEATTR The attribute group used to place users in role-enforcement jurisdiction.

Time-based role assignments work with the following components:

Component                               Purpose
View and update profile (IDR) module    Allows users to request changes to profile attributes or group membership.
Workflow Manager Service                Handles requests to add or remove resources. The requests can be auto-approved or reviewed by authorizers.
rbacenforce                             Lists role-based access control (RBAC) violations and issues workflow requests in order to correct the variances.
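
The validity-window rules described in the attribute list above, together with the variance check that rbacenforce performs, as an added Python model. This is example code written for this page, not the product's own code, and the product's internal data model is not shown on this page. The attribute names follow the page; the users, roles, dates and entitlement sets are constructed for illustration. Two behaviours are assumptions the page does not state: a window with only one of START_TIME or END_TIME defined is open-ended on the other side, and both bounds are inclusive.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed role model: which entitlements each role grants. Not from the page.
ROLE_ENTITLEMENTS = {
    "contractor": {"vpn", "jira"},
    "finance-temp": {"erp-ledger"},
}


@dataclass
class RoleAssignment:
    role: str
    start_time: Optional[date] = None        # START_TIME
    end_time: Optional[date] = None          # END_TIME
    ignore_validity_window: bool = False     # IGNORE_VALIDITY_WINDOW

    def is_active(self, today: date) -> bool:
        """Evaluate the ROLE_VALIDITY window for a given day.

        Rules from the page:
          - IGNORE_VALIDITY_WINDOW set -> the window is ignored (treated as undefined)
          - no start and no end defined -> active immediately
          - otherwise active only while today is inside the window
        Assumption (not on the page): a single bound leaves the other side open,
        and bounds are inclusive.
        """
        if self.ignore_validity_window:
            return True
        if self.start_time is None and self.end_time is None:
            return True
        if self.start_time is not None and today < self.start_time:
            return False
        if self.end_time is not None and today > self.end_time:
            return False
        return True


@dataclass
class User:
    uid: str
    assignments: List[RoleAssignment] = field(default_factory=list)
    actual_entitlements: Set[str] = field(default_factory=set)
    rbacenforce: bool = True                 # RBACENFORCE, default true


def expected_entitlements(user: User, today: date) -> Set[str]:
    """Entitlements the user should hold given the assignments active today."""
    out: Set[str] = set()
    for a in user.assignments:
        if a.is_active(today):
            out |= ROLE_ENTITLEMENTS.get(a.role, set())
    return out


def find_variances(users: List[User], today: date) -> List[Tuple[str, str, str]]:
    """Conceptual model of the rbacenforce pass: compare expected with actual
    entitlements and emit corrective (add/remove, uid, entitlement) requests.
    Users with RBACENFORCE=false are outside jurisdiction and are skipped.
    Simplification: every entitlement in the sample is role-governed."""
    requests: List[Tuple[str, str, str]] = []
    for u in users:
        if not u.rbacenforce:
            continue
        expected = expected_entitlements(u, today)
        for ent in sorted(expected - u.actual_entitlements):
            requests.append(("add", u.uid, ent))
        for ent in sorted(u.actual_entitlements - expected):
            requests.append(("remove", u.uid, ent))
    return requests


TODAY = date(2024, 6, 15)  # constructed evaluation date


def sample_users() -> List[User]:
    """Constructed users covering the cases the page describes."""
    return [
        # window still open: missing one entitlement the role grants
        User("alice", [RoleAssignment("contractor", date(2024, 1, 1), date(2024, 6, 30))], {"vpn"}),
        # window expired: still holds both entitlements, so both must be removed
        User("bob", [RoleAssignment("contractor", date(2024, 1, 1), date(2024, 5, 31))], {"vpn", "jira"}),
        # window not yet started, but manual override makes it active now
        User("carol", [RoleAssignment("finance-temp", date(2024, 7, 1), None, ignore_validity_window=True)], set()),
        # no window at all (active), but RBACENFORCE=false, so no requests are issued
        User("dave", [RoleAssignment("contractor")], set(), rbacenforce=False),
    ]


def run_example(today: date = TODAY) -> List[Tuple[str, str, str]]:
    return find_variances(sample_users(), today)


if __name__ == "__main__":
    for action, uid, ent in run_example():
        print(f"{action:6} {uid:6} {ent}")
```

Note that dave would be out of compliance once his RBACENFORCE flag is set back to true, which is why the page's default of true matters: an assignment with no window is active immediately, and only the jurisdiction flag stands between that and enforcement.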