
How time-based role assignments work

  • During PDR-initiated requests, the role assignment itself takes place immediately; however, the individual entitlement assignments based on the role's definition are only added during the validity window.

  • When a particular role assignment is considered active, rbacenforce applies entitlement assignment operations.

  • When a role assignment is considered inactive, rbacenforce removes the entitlements from the user's profile. The user retains the role membership itself (in inactive status).

For example, a time-based role assignment might be processed in the following way when a user requests a change in role membership:

  1. The user submits a request to update their role membership.

    The request includes a start and end date.

  2. The role assignment itself takes place immediately.

  3. When the role assignment becomes "active" and rbacenforce is run, Bravura Security Fabric automatically submits additional requests to add the resource entitlements.

  4. When the role assignment becomes "inactive" and rbacenforce is run, Bravura Security Fabric automatically removes the resource entitlements.
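
The following Python model is an added illustration of the sequence above, not Bravura Security Fabric code. It replays enforcement runs against one time-bound assignment to show that entitlements change only when an enforcement pass runs, so effective access can lag the validity window. The role, user and entitlement names, the run schedule and the half-open window boundary are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed role definition (hypothetical names): role -> entitlements.
ROLE_DEFS = {"db-oncall": {"prod-db:admin", "prod-db:read"}}

@dataclass
class RoleAssignment:
    user: str
    role: str
    start: datetime  # validity window start
    end: datetime    # validity window end

    def is_active(self, now: datetime) -> bool:
        # Assumption: half-open window [start, end); the page does not
        # say how the boundary instants are treated.
        return self.start <= now < self.end

def enforce(assignments, profiles, now):
    """One enforcement pass. Role membership is never touched; only the
    role-derived entitlements held in `profiles` are added or removed."""
    ops = []
    for a in assignments:
        have = profiles.setdefault(a.user, set())
        granted = ROLE_DEFS[a.role]
        want = granted if a.is_active(now) else set()
        stale = (have & granted) - want
        ops += [("add", a.user, e) for e in sorted(want - have)]
        ops += [("remove", a.user, e) for e in sorted(stale)]
        have |= want
        have -= stale
    return ops

def replay(assignments, run_times):
    """Replay enforcement at each run time; return (timeline, profiles)."""
    profiles, timeline = {}, []
    for now in run_times:
        timeline.append((now, enforce(assignments, profiles, now)))
    return timeline, profiles

def removal_lag(assignment, timeline):
    """How long entitlements outlived the window: removing run minus end."""
    for now, ops in timeline:
        if any(op == "remove" and u == assignment.user for op, u, _ in ops):
            return now - assignment.end
    return None

# Constructed sample: 09:00-17:00 window, enforcement run every four hours.
DAY = datetime(2024, 3, 1)
SAMPLE = RoleAssignment("alice", "db-oncall", DAY.replace(hour=9), DAY.replace(hour=17))
RUNS = [DAY.replace(hour=h) for h in (8, 12, 16, 20)]
```

In this constructed schedule the entitlements are added at the 12:00 run and removed at the 20:00 run, three hours after the window closes; the gap depends entirely on how often enforcement runs.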