Time-Limited Admin / Impersonation Access via Catalog Item + Flow Designer.
yesterday - last edited yesterday
Business requirement
Grant Admin / Impersonation role to a user for a fixed 2-hour window when requested; role must be automatically revoked at the end of the window.
Step 1: Create the Catalog Item — “Request Time-Limited Role Access”
I started by creating a new catalog item named “Request Time-Limited Role Access.”
This catalog item allows users to request temporary elevated privileges, such as Admin or Impersonation roles, for a limited duration (in this case, two hours).
Within the catalog item, I configured the following variables:
Requested By – This field is automatically populated with the currently logged-in user.
Access Type – A choice field labeled “Please select the type of access you require”.
The dropdown options include roles like Admin Access or Impersonation Access.
Based on the user’s selection, the corresponding role will later be assigned through the Flow Designer.
Reason for Access – A multi-line text field where the requester provides the business justification or purpose for requesting temporary access.
Step 2: Configure the Flow Designer to Automate Role Assignment and Revocation
After creating the catalog item, I configured a Flow Designer flow to automate the process of granting and revoking time-limited access.
Flow Details
Trigger
The flow is triggered “When a Service Catalog Request Item is created.”
Record Creation in sys_user_has_role_time_limited
Once the request is submitted, the flow creates a new record in the sys_user_has_role_time_limited table.
The record captures details such as:
User: The “Requested By” user from the catalog form.
Role: The role selected in the Access Type field (e.g., Admin or Impersonation).
Start Time: The exact time the request was submitted (current time).
End Time: Automatically calculated as Start Time + 2 hours, ensuring the access remains valid only for a fixed duration.
Reason: Captured from the catalog form for audit purposes.
Granting the Role
Immediately after creating the record, the flow grants the selected role to the specified user by inserting a corresponding entry into the 'sys_user_has_role_time_limited' table.
Timed Wait / Delay
The flow then includes a “Wait” action that pauses execution until the End Time is reached.
This ensures that the role remains active only for the specified duration.
Automatic Role Revocation
Once the 2-hour window expires, the flow automatically revokes the assigned role.
This automated flow ensures that temporary access is granted securely and revoked promptly without any manual intervention, maintaining strict access control and compliance.
yesterday
I went through the thread, and I think what you are doing may not be fully valid. However, since it is a business need, I recommend that as BPC, you add an approval step in the flow. This way, the role will be added only after approval. Additionally, create a new user to handle this automation work.
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]
****************************************************************************************************************
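An added example, not from either post: a reconciliation check that could run on a schedule alongside the flow described above. It flags time-limited grants that are still held after their End Time (for instance when the Wait step never resumes), held without the approval recommended in the reply, or created with a window longer than two hours. The record field names, the `approved` flag and the sample rows are assumptions constructed for illustration; only the table name and the 2-hour window come from the thread.

```javascript
const MAX_WINDOW_MS = 2 * 60 * 60 * 1000; // the fixed 2-hour window from the requirement

// Constructed rows shaped like an export of sys_user_has_role_time_limited (field names assumed).
const SAMPLE_GRANTS = [
  { user: 'alice', role: 'admin', start: '2024-05-01T09:00:00Z', end: '2024-05-01T11:00:00Z', approved: true },
  { user: 'bob', role: 'impersonator', start: '2024-05-01T11:00:00Z', end: '2024-05-01T13:00:00Z', approved: true },
  { user: 'carol', role: 'admin', start: '2024-05-01T11:30:00Z', end: '2024-05-01T13:30:00Z', approved: false },
  { user: 'dave', role: 'admin', start: '2024-05-01T08:00:00Z', end: '2024-05-01T10:00:00Z', approved: true },
  { user: 'dave', role: 'admin', start: '2024-05-01T11:00:00Z', end: '2024-05-01T13:00:00Z', approved: true },
  { user: 'erin', role: 'impersonator', start: '2024-05-01T09:00:00Z', end: '2024-05-01T18:00:00Z', approved: true },
];
// Constructed list of roles users hold right now.
const SAMPLE_ACTIVE = [
  { user: 'alice', role: 'admin' }, { user: 'bob', role: 'impersonator' },
  { user: 'carol', role: 'admin' }, { user: 'dave', role: 'admin' },
];
const SAMPLE_NOW = Date.parse('2024-05-01T12:00:00Z');

function auditGrants(grants, activeRoles, now) {
  const findings = [];
  const approvedEnd = new Map(); // "user|role" -> latest approved End Time in ms, or null
  for (const g of grants) {
    const key = `${g.user}|${g.role}`;
    const start = Date.parse(g.start);
    const end = Date.parse(g.end);
    if (Number.isNaN(start) || Number.isNaN(end) || end <= start) {
      findings.push({ key, issue: 'invalid_window' });
      continue;
    }
    if (end - start > MAX_WINDOW_MS) findings.push({ key, issue: 'window_exceeds_2h' });
    // A later approved request may legitimately extend access, so keep the latest End Time.
    const prev = approvedEnd.get(key) ?? null;
    approvedEnd.set(key, g.approved ? Math.max(prev ?? 0, end) : prev);
  }
  for (const r of activeRoles) {
    const key = `${r.user}|${r.role}`;
    if (!approvedEnd.has(key)) continue; // no time-limited record: outside this check
    const end = approvedEnd.get(key);
    if (end === null) findings.push({ key, issue: 'held_without_approval' });
    else if (now >= end) findings.push({ key, issue: 'active_past_end' });
  }
  return findings;
}

console.log(auditGrants(SAMPLE_GRANTS, SAMPLE_ACTIVE, SAMPLE_NOW));
```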
