Access Duration
Require requestors to specify their desired access duration to ensure least privilege
Access duration defines how long access is granted to requestors. When this feature is enabled, admins require requestors to specify how long they need access, up to a maximum duration set within a self-service access flow.
By enforcing time limits, access duration reduces standing access, improves accountability, and supports just-in-time access aligned with the principle of least privilege.
When a request is submitted, the approver sees the requested duration along with other request details. Once approved, access is granted only for the specified period and is revoked when the access duration expires. If the requestor needs more time, a new access request should be submitted.
All Apono access requests, approvals, and expirations are logged and retained for at least 36 months. For longer retention needs, export this data to your organization’s storage tools.
Enable access duration
By default, access duration is disabled. We recommend enabling the following setting so access is granted only for the minimum time required to complete a task.

Follow this step to enable access duration:
On the Settings page, turn on the Require duration for access request toggle. The toggle turns green.
Once enabled, requestors must specify a duration, up to the maximum access duration defined by the access flow. If the requested duration exceeds the limit or is invalid, an error message prompts the requestor to enter a valid duration.
Access duration best practices
Access duration should be based on the risk and sensitivity of an access flow's resources. Use the following recommendations as a starting point to define durations that meet your organization’s security and operational needs.
Typical Requested Duration reflects how long access is usually needed to complete a task. Access Duration defines the upper limit enforced by the access flow.
Development / Sandbox / Staging / QA
Typical Requested Duration: Quarterly
Access Duration: Conditional, based on role
Approval type: Automatic Approval
Guidance:
Longer durations are acceptable due to lower risk, especially when tied to developer roles.

Production Systems
Typical Requested Duration: Up to 2 hours
Access Duration: 4 hours
Approval type: Approval of OR Automatic Approval
Settings: Require MFA; Requester and grantee cannot self approve
Guidance:
Approval of: Choose an approver from a production team, such as DevOps or Infra.
Automatic Approval: Select this approval type for ongoing incidents or during on-call shifts.

Sensitive Data (PII, Financial, Customer)
Typical Requested Duration: Up to 1 hour
Access Duration: 2 hours
Approval type: Approval of
Settings: Require Approver Reason; Requester and grantee cannot self approve
Guidance:
The approver should be someone able to authorize sensitive data access, such as the Security team, GRC, or a manager.

Break-glass / Emergency
Typical Requested Duration: Up to 1 hour
Access Duration: 2 hours
Approval type: Approval of OR Automatic Approval
Settings: Require MFA
Guidance:
The request should be reviewed post-incident.
Ticket ID may be required to make the request.
Approval of: Choose an approver from an on-call shift or production team, such as DevOps or Infra.
Automatic Approval: Select this approval type for ongoing incidents or during on-call shifts.

After access durations are defined, Apono analyzes access requests and identifies Excessive access duration when requested durations are consistently below the configured maximum.
Through Right Sizing, Apono recommends reviewing and reducing the maximum access duration to better align with least-privilege access.
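A similar check can be run on exported request data. The following is an added example, not Apono's Right Sizing implementation: the CSV column names, the flow names, the 95th-percentile statistic, the minimum request count and the 50% threshold are all assumptions.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample export. Column and flow names are assumptions,
# not Apono's export schema.
SAMPLE_EXPORT = """\
flow,requested_minutes
prod-db,30
prod-db,45
prod-db,60
prod-db,30
prod-db,90
prod-db,60
pii-warehouse,60
pii-warehouse,110
pii-warehouse,120
pii-warehouse,90
pii-warehouse,100
break-glass,20
break-glass,15
"""

# Configured maximums in minutes: 4 h and 2 h, as in the recommendations above.
FLOW_MAX_MINUTES = {"prod-db": 240, "pii-warehouse": 120, "break-glass": 120}


def p95(values):
    """95th percentile by the nearest-rank method."""
    ordered = sorted(values)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]


def excessive_duration_flows(export_text, flow_max, min_requests=5, headroom=0.5):
    """Map flow -> observed p95 where p95 is at most headroom * configured max."""
    by_flow = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        by_flow[row["flow"]].append(int(row["requested_minutes"]))
    findings = {}
    for flow, durations in by_flow.items():
        limit = flow_max.get(flow)
        if limit is None or len(durations) < min_requests:
            continue  # unknown flow, or too few requests to call it "consistent"
        observed = p95(durations)
        if observed <= headroom * limit:
            findings[flow] = observed  # candidate for a lower maximum
    return findings
```

On the constructed data, only `prod-db` is flagged: its requests top out at 90 minutes against a 240-minute maximum, while `pii-warehouse` requests reach the full limit and `break-glass` has too few requests to judge.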
