Configuring Session Access role

  • Rversion finale: Australia
  • Mis à jour 12 mars 2026
  • 2 minutes de lecture

    • Configure Session Access to reduce user access in a session based on IP, location, Identity Provider attributes, and user attributes using adaptive authentication policies.

    Avant de commencer

    Role required: security_admin

    Remarque :
    • Session Access configurations can only be performed with security_admin role. You must elevate your role to security_admin.
    • Session Access doesn’t support integrations.
    • Session Access has no impact if the reduced or limited role isn’t assigned to a user. In this case, there are no changes to the logged in session. User will still continue to access the instance with their assigned privileges.
    • Session Access has no impact while the user is already logged in to the instance and simultaneously the admin configures the policy. The user has to log out from the session for the policy to be effective.
    • Session Access is enforced at the time of login. Any change in risk parameters during the session won’t result in reduced access. For example, a user switching from the corporate network to an untrusted network after establishing the session, won’t result in reduced access unless the user logs out and logs in again.
    • Session Access (Zero trust access - ZTA) feature, roles like snc_internal and snc_external cannot be removed.
    • Session Access (Zero trust access - ZTA) feature does not remove a role from the sys_user_has_role or the user group membership table. Based on the ZTA policy, it establishes the user session with reduced or limited roles.
    • The scripts running in the system context will not honor the ZTA session roles.

    Procédure

    1. Navigate to All > Zero Trust Access > Session Access Role Configurations.
    2. To create a Session Access role configuration, select New.
    3. On the form, fill the fields:
      Tableau 1. Session Access Role Configuration
      Field Description
      Name Name of the configuration
      Description Short description of the configuration.
      Policy Choose the adaptive authentication policy. Use the look-up icon to view the list of policy.
      Action Remove Roles or Limit to Roles.
      • Remove Roles: When the configured user logs in, the list of roles provided in the Role or Group List are removed for the session.
      • Limit To Roles: When the configured user logs in, only the selected roles are provided to the user and all other roles are removed for the session.
      Role List Choose roles from the Role List.
      Group List Choose the roles from the Group List that you want to remove or limit to the user.
    4. Select, Submit.

      The login for users based on the configured countries is as follows:

      • In Remove Roles, the users from the configured countries with the selected roles no longer have those roles for the session.
      • In Limit To Roles, the users from the configured countries with the selected roles only have those roles for the session.
      Configure Session Access Role

      To know more about how to remove or limit roles for a session explained with a sample use-case, see Tutorial: Use Zero Trust Access.