Time-Limited Admin / Impersonation Access via Catalog Item + Flow Designer.

Vani Kusumba
Tera Contributor

Business requirement

 

Grant Admin / Impersonation role to a user for a fixed 2-hour window when requested; role must be automatically revoked at the end of the window.

 

Step 1: Create the Catalog Item — “Request Time-Limited Role Access”

 

I started by creating a new catalog item named “Request Time-Limited Role Access.”
This catalog item allows users to request temporary elevated privileges, such as Admin or Impersonation roles, for a limited duration (in this case, two hours).

Within the catalog item, I configured the following variables:

  1. Requested By – This field is automatically populated with the currently logged-in user.

  2. Access Type – A choice field labeled “Please select the type of access you require”.

    • The dropdown options include roles like Admin Access or Impersonation Access.

    • Based on the user’s selection, the corresponding role will later be assigned through the Flow Designer.

  3. Reason for Access – A multi-line text field where the requester provides the business justification or purpose for requesting temporary access.


 

Step 2: Configure the Flow Designer to Automate Role Assignment and Revocation

 

After creating the catalog item, I configured a Flow Designer flow to automate the process of granting and revoking time-limited access.

 

Flow Details

 

  1. Trigger

    • The flow is triggered “When a Service Catalog Request Item is created.”

  2. Record Creation in sys_user_has_role_time_limited

    • Once the request is submitted, the flow creates a new record in the sys_user_has_role_time_limited table.

    • The record captures details such as:

      • User: The “Requested By” user from the catalog form.

      • Role: The role selected in the Access Type field (e.g., Admin or Impersonation).

      • Start Time: The exact time the request was submitted (current time).

      • End Time: Automatically calculated as Start Time + 2 hours, ensuring the access remains valid only for a fixed duration.

      • Reason: Captured from the catalog form for audit purposes.

  3. Granting the Role

    • Immediately after creating the record, the flow grants the selected role to the specified user by inserting a corresponding entry into the 'sys_user_has_role_time_limited' table.

  4. Timed Wait / Delay

    • The flow then includes a “Wait” action that pauses execution until the End Time is reached.

    • This ensures that the role remains active only for the specified duration.

  5. Automatic Role Revocation

    • Once the 2-hour window expires, the flow automatically revokes the assigned role.

       


 

This automated flow ensures that temporary access is granted securely and revoked promptly without any manual intervention, maintaining strict access control and compliance.
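A reconciliation check for the grant-and-revoke flow described in the post, as an added example that is not part of the original post and is not ServiceNow API code. It assumes the grant records and a snapshot of currently held roles have been exported into plain objects; the field names (`user`, `role`, `start`, `end`, `reason`) are hypothetical, modelled on the details the post lists, and all sample data is constructed.

```javascript
// Added example: plain JavaScript (Node), not ServiceNow API code.
// Field names are hypothetical; every record below is constructed sample data.
const MAX_WINDOW_MS = 2 * 60 * 60 * 1000; // the fixed 2-hour window from the requirement
const NOW = new Date('2025-01-10T10:30:00Z'); // constructed audit time

// Constructed grant records, shaped like the details the flow captures.
const grants = [
  { user: 'alice', role: 'admin', start: '2025-01-10T09:00:00Z', end: '2025-01-10T11:00:00Z', reason: 'Plugin upgrade' },
  { user: 'bob', role: 'impersonator', start: '2025-01-10T08:00:00Z', end: '2025-01-10T10:00:00Z', reason: 'Reproduce user issue' },
  { user: 'carol', role: 'admin', start: '2025-01-10T07:00:00Z', end: '2025-01-10T12:00:00Z', reason: '' },
  { user: 'dave', role: 'admin', start: '2025-01-10T06:00:00Z', end: '2025-01-10T08:00:00Z', reason: 'Hotfix' },
];

// Constructed snapshot of the roles each user actually holds at audit time.
const activeRoles = [
  { user: 'alice', role: 'admin' },
  { user: 'bob', role: 'impersonator' },
  { user: 'carol', role: 'admin' },
];

// Returns one finding per problem: a window longer than 2 hours, a missing
// justification, or a role still held after its End Time (revocation did not run).
function auditGrants(grantRecords, heldRoles, now) {
  const held = new Set(heldRoles.map((r) => `${r.user}|${r.role}`));
  const findings = [];
  for (const g of grantRecords) {
    const start = Date.parse(g.start);
    const end = Date.parse(g.end);
    const flag = (issue) => findings.push({ user: g.user, role: g.role, issue });
    if (Number.isNaN(start) || Number.isNaN(end) || end <= start) {
      flag('invalid-window');
      continue; // remaining checks are meaningless without a valid window
    }
    if (end - start > MAX_WINDOW_MS) flag('window-too-long');
    if (!g.reason || !g.reason.trim()) flag('missing-reason');
    if (now.getTime() > end && held.has(`${g.user}|${g.role}`)) flag('revocation-overdue');
  }
  return findings;
}

console.log(auditGrants(grants, activeRoles, NOW));
```

Run on a schedule against real exports, a `revocation-overdue` finding points at a flow whose Wait or revoke step did not complete.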

5 REPLIES

Ankur Bawiskar
Tera Patron

@Vani Kusumba 

There is already an OOTB feature starting from Washington: "Time Limited User Role".

Any reason to build a custom solution when there is something available OOTB for this?

Check these links:

Washington's Time-Limited User Roles 

All things about time limited user role 

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Hi @Ankur Bawiskar 

 

The OOTB feature is managed by admins and used for manually giving roles for a limited time.
In my custom solution, users can request temporary roles through a catalog item, and everything happens automatically — including role assignment with a time limit and automatic removal once the duration ends.

 

Thanks & regards,

Vani

@Vani Kusumba 

Wouldn't this custom solution require maintenance over a period of time?

Also, what if an end user requests the admin role? Since your custom solution doesn't have approval, it would end up giving the admin role to an end user, which is dangerous in a PROD instance.

The OOTB feature can be controlled only by admins, making it more secure, and you can get future enhancements/features if ServiceNow introduces something new in this.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

@Ankur Bawiskar 

 

That’s a valid point — however, in our setup, this catalog item isn’t visible to end users.
We’ve restricted its visibility using the “Available For” condition, so only specific users (as defined by the client) can access and submit this request.


This ensures that only authorized users can request time-limited admin/impersonation access, keeping it secure even in the PROD environment.

 

Thanks & regards,

Vani