Enhancement: Mandatory End Date and Max Duration on Access Requests

This enhancement is brought to you by Idea GOV-I-1764

Description

We are pleased to announce the release of two new configuration options to help your organization manage your least privilege requirements: mandatory end dates and max duration.

The Details

Configuration

On a per-requestable-item basis, admins can now configure end date requirements for access requests. You can specify when end dates are mandatory, as well as the maximum allowable time period a user can request access for.

At the time of request, the Request Center will enforce these requirements, prompting the requester to provide an end date for the access and, per the configuration, constraining the allowed date/time that can be specified.

That’s right – time! You can specify a max duration of hours, days, weeks, or months. And for cases where a date is required but hard enforcement of a specific duration is not possible, you can omit max duration and leave it to your approvers to determine if the entered end date is appropriate for the specific user.

End Date1828×1158 154 KB

Important notes:

• Particularly when specifying max durations in units of hours, you should take into account that durations are enforced from the moment of request, and any required approvals will consume some of that duration.
• Max durations will not be applied to existing assignments. However, any future changes to existing assignment dates will have to comply with the max duration.
  • Example: Bob has access to entitlement X expiring in 45 days. The admin adds a max-duration requirement to entitlement X of 30 days. If Bob tries to extend his access on the last day (45 days from now), he would be able to request another 30 days. But if he tries to extend his access today, he would only be eligible to shorten his access (to 30 days from now), since his current access is not in compliance with the new requirements.

Enforcement in Access Requests

At the time of request, the requester will be able to select any end date and time for the revocation that complies with the defined requirements, if any. The page will default the time zone to the requester’s browser time zone, but they have the ability to override that if they prefer to specify the revocation time in another time-zone context.

To simplify the user experience, we have merged the end date and comments fields onto one overlay so users can provide any or all required values at the same time.

Edit Request Details2774×1836 357 KB

Note: Requesters don’t need to shift time zones for the benefit of the requestee or approver – the UI will automatically display the end time in the viewer’s browser time zone on pages like the approval page or the My Access page.

Date Changes

Assignment end dates can be altered as needed after the access has been provisioned.

• Users can request a new end date (extension or shortening) for themselves on the My Access page.
• Managers can request end date changes on the My Team page.
• Admins and Access Revokers can adjust end dates on the Admin > Identities > Access page.

All date-change requests must also comply with any specified end date / max duration requirements, enforced from the moment of the date-change request.

In addition, these UI pages also now support the ability to add an end date where one was not previously requested or to remove an end date where one was previously applied. All date change requests will go through the configured approvals before being applied.

Approval Adjustment

We have made a couple of adjustments to the approval flows for date changes.

1. We made it more obvious to the approver that they are approving a date change, not a new access request. They’ll now see a Modify operation as well as a marker on the approval card that shows it is an Access Date Change approval, and the prior end date will be shown alongside the new end date.
2. Until now, any date change always went through approval as if it were an add-access operation. When a user has requested to shorten access (adding an end date where one did not previously exist or moving an end date earlier), we will now apply the revocation approval requirements configured for the item. If you have not configured the separate revocation approval requirements, that will mean no approval is required for the early release of access.

Date Change through Re-Request

As before, users can also request an access date change by submitting a new request for the access with a different end date through the Request Center. Since Request Center is not contextually aware of existing assignments, all requests submitted this way – even those that shorten the duration – will be processed under the add-access approval flow, but the approver will still see that the request is for a date change and will see both the old and new end dates in the approval details.

Workflow and API Enforcement

To support continuity for automated processes that may not be aware of these new configurations and to proactively enforce them, we have implemented backend guardrails to avoid failing requests that are missing required end dates.

1. For items with a configured max duration: Any workflow or API submitted request which contains no end date will automatically be amended to include an end date that corresponds to the configured max duration. We won’t be changing submitted end dates, so requests submitted with an end date that violates the max duration will fail validation.
2. For items with a mandatory end date but no max duration: We are adding a fallback duration attribute (fallbackAccessDurationInDays) in the access-request-config that admins can use to define a duration to use. Until you configure your own chosen value, ISC will fail requests that don’t supply an end date when one is required.

In both of these cases, the audit record for the Access Request Started event will indicate that the end date was automatically constrained either by the fallback duration or the max duration on the item.

These fallback behaviors will not apply for requests submitted through the Request Center UI, as that flow will directly enforce all date constraint requirements at the time of submission.

Who is affected?

This is being rolled out to all Suites customers.

Action Required

Administrators for organizations that heavily rely on workflows or API-submitted access requests should set the fallback duration value in the access-request-config to your organization’s preferred value.

Then, for any item where you want to enforce mandatory end dates or max duration, you need only set up the requirements per item. Navigate to Admin > Access Model > Roles | Access Profiles | Entitlements > edit the item > Access Requests. Then select Require End Date and choose a max duration if needed.

Important Dates

Sandbox rollout: week of Jan 12, 2026

Production rollout: week of Jan 26, 2026 * < Update: due to procedural issues that resulted in an end-of-week sandbox rollout, we are delaying prod rollout 1 week to give customers time to explore the new functionality in pre-prod environments. This is the new rollout timeframe.

Very excited to have this!

Hey @jennifer_mitchell

This is a great enhancement. Mandatory end date + max duration closes a long-standing gap for least-privilege and time-boxed access.

I’ m assumiong for anyone enabling it: if have API/workflow-submitted requests, set a fallback duration first (in access-request-config) so automation doesn’t fail when an end date isn’t provided.

Also worth noting max duration is counted from request submission time, so approval time can reduce the effective window.

I hope i am corret in noting this

Thanks for shipping this

Interesting to know this feature

Great news that this functionality is finally coming to ISC. This is something that in past roles we would rack our brains on how we could do this on the platform.

Great to see this arrive!

Can you clarify if this will be possible to configure for Access Profiles as well as Entitlements?

Responding to some clarifying questions above:

Can you clarify if this will be possible to configure for Access Profiles as well as Entitlements?

It is configurable for roles, access profiles, and entitlements. It applies only on the item for which it is configured, so if you configure it on an access profile but then someone requests one of the entitlements that access profile contains, it would not apply. Likewise, entitlement configurations do not roll up to constrain access profiles or roles that contain them.

I’m assuming for anyone enabling it: if have API/workflow-submitted requests, set a fallback duration first (in access-request-config) so automation doesn’t fail when an end date isn’t provided.

This is correct. Keep in mind, however, that if your workflow is setting a date that violates your max duration, you need to update your workflow. Those requests would still fail. We won’t be changing submitted durations, only adding one where required and not supplied.

Also worth noting max duration is counted from request submission time, so approval time can reduce the effective window.

Correct.

Amazing! Thank you for getting this to production @jennifer_mitchell Now I can decommission this clumsy workflow

Thank you @jennifer_mitchell

That is well informed and noted

Much appreciated

Hi @jennifer_mitchell, this enhancement is a big step towards JIT access. Thank you

One curious question:

Are there any future plans to support a model where **approved access is “parked” and can be checked out / activated on demand for a short duration (similar to max duration configuration)?

This would reduce standing access while avoiding repeated approval requests for the same access item and align closely with Just-in-Time access patterns seen in PAM and other enterprise tools.

Thanks,
Amar

Yes, we have another team working on “Just in time provisioning” that will support activate/deactivate of access (for hours) when the user is effectively pre-authorized to do that activation themselves whenever they need it. This pre-authorization can also be encompassed in a time-constrained assignment, so the two offerings will work together.

Do you envision JIT access being available Q1 or Q2 this year?

Hello, and thank you for this expected feature.

According to the schedule, the sandbox deployment was planned for this week, but I don’t see anything yet. Has it been postponed? If so, what is the new expected date?

Thank you very much

Thanks for checking in on status.

We ran into some procedural hurdles that we are almost past. We still expect to enable today in Sandbox orgs, but since we are doing this so late in the week, we will be moving the production deployment out a week to give you time to explore the new functionality in pre-prod environments. I’ll update the announcement and post another comment here when all that has settled out.

To all watchers of this announcement:

The Mandatory End Date / Max Duration feature has now been enabled in all Suites customers’ sandbox tenants. Because it took us a few days longer than we originally hoped to get it enabled there, we are going to hold off production enablement until the week of Jan 26, to give you a little time to explore the feature in sandbox and update any internal documentation you need to adjust.

Thank you for your interest and patience. Let me know if you have any further questions that aren’t covered in this announcement!

(And before you even ask: Start date is next in queue for expanding on time-bound access.)

I do not own that feature, but my understanding is that, yes, it is targeted for delivery in the first half of 2026. (I presume that was a yes/no not an either/or question )

This is great feature addition that is much needed, glad to see it rolled out. However, I think the UI screens need some work. I have been noticing an uptick of accidently end dating on access requests for end users - and after checking out the experience for myself I can totally see why.

This is what a user is looking at in the browser, the description of relevant information is truncating with no way to see it, and the label of “end date and time” while descriptive in our world does not necessarily translate well to end users I think either flavor text below the label such as (access will be revoked at this date/time if entered) or improving the truncation above would go far in preventing all the additional admin work my helpdesk has been getting since this rolled out, people get errors saying they can’t approve a request because someone put today’s date in the end date thinking its some sort of effective date request.

image1314×1064 62.6 KB

Hey @jennifer_mitchell , It is good to have an email notification sent out to the benificiary a week before so that they can go ahead and extend the duration of the access . Is this something in the pipeline in next releases ?

an email notification sent out to the benificiary a week before

This already exists. We automatically send an email to the access holder 7 days before expiration and 1 day before expiration.

(In both cases, this is assuming the access has been requested for a duration longer than that number of days. If the access was requested for 5 days, for example, only the 1 day notification would be sent. If it was requested for 4 hours, no notification would be sent.)

Can you disable this as well? Filling in that end date in the request often goes wrong for end users, because they have no idea what it is used for.