Hello,
While exploring Washington release features, came across new module added under User Administration application menu named "Time-Limited User Role".
This feature adds in house OOTB capability within the platform to grant temporary permission to users and auto revoke it as well once the role permission window ends. This has been a common use case where customers have built logic integrated with external applications like IAM for example or built an custom solution within the platform as well. With addition of this capability, this can be easily achieved using bare minimum configurations with no code.
How Does this Feature Work?
1. Users with role as "admin" or "user_admin" will be able to access module named "Time-Limited User Roles" under User Administration application menu as shown below:
2. This will open the list view for defining configurations for temporary role allocation, click on New and fill out the key attributes as mentioned below:
Active, Role, User, Start Time and End Time
3. Once the record is saved, target user will need to logout and login again for the access to work correctly for the time frame allocated. OOTB a info message is displayed to the user with the role and all inherited role coming as part of it granted for limited time as shown below:
Technical Components:
There is not much info which I found on the platform for this feature, though would cover some of the backend components on how these are tied to this:
| Component Type | Component Name | Additional Details |
| Module | Time-Limited User Role | Available only for users with admin or user_admin role. |
| Table | Time-Limited User Role (sys_user_has_role_time_limited) | New table added to platform |
| Business Rule | time-limited roles 2 weeks limit | OOTB rule available which by default allows only 2 weeks of role grant access by comparing start and end time selected on the record.
Note: Platform does allow you to select an end date which is less than your start date, you can still save the form. But access is not granted for this odd scenario which is good. THis BR only checks fir future date to see if time difference is of 2 weeks or not before aborting the form submission. |
| Security Policies | Create Access | User admin rights required and the role which logged in user is trying to grant to user selected on the form is checked using protected "RoleManagementAPI" if they are allowed or not. |
| Read Access | Users with below roles are allowed to read from this table: 1. ITIL 2. user_admin 3. role_delegator | |
| Delete Access | Same as Create access mentioned above | |
| Report Access | Only available with admins | |
| Related List | Time Limited User Roles | Not available by default on user record but can be added using Configure >> Related List option |
I have seen couple of post in Community forum for the discussion on the same topic, just wanted to share the way I explored. Hope this helps.
