# Access Duration

**Access duration** defines how long access is granted to requestors. When this feature is enabled, admins require requestors to specify how long they need access, up to a maximum duration set within a [self-service access flow](https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/self-serve-access-flows).

By enforcing time limits, access duration reduces standing access, improves accountability, and supports just-in-time access aligned with the principle of least privilege.

When a request is submitted, the approver sees the requested duration along with other request details. Once approved, access is granted only for the specified period and is revoked when the access duration expires. If the requestor needs more time, a new access request should be submitted unless [extended access](https://docs.apono.io/docs/access-flows/self-serve-access-flows#enable-iga-settings) has been enabled for the access flow.

{% hint style="info" %}
All Apono access requests, approvals, and expirations are logged and retained for at least **36 months**. For longer retention needs, export this data to your organization’s storage tools.
{% endhint %}

***

### Enable access duration

By default, access duration is disabled. We recommend enabling the following setting so access is granted only for the minimum time required to complete a task.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-182cbd824cd831324d7b7c4a9d356370a4f0ecb6%2Faccess-duration-enablement.png?alt=media" alt="" width="357"><figcaption><p>Require duration for access request toggle</p></figcaption></figure>

Follow this step to enable access duration:

1. On the [**Settings**](https://app.apono.io/settings) page, turn on the **Require duration for access request** toggle. The toggle turns green.

Once enabled, requestors must specify a duration, up to the [maximum access duration](https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/self-serve-access-flows#set-the-duration-of-access) defined by the access flow. If the requested duration exceeds the limit or is invalid, an error message prompts the requestor to enter a valid duration.

***

### Access duration best practices

Access duration should be based on the risk and sensitivity of an access flow's resources. Use the following recommendations as a starting point to define durations that meet your organization’s security and operational needs.

**Typical Requested Duration** reflects how long access is usually needed to complete a task. **Access Duration** defines the upper limit enforced by the access flow.

<table><thead><tr><th width="150.4375">Use Case</th><th width="109.15234375">Typical Requested Duration</th><th width="108.6328125">Access Duration</th><th width="108.82421875">Approval Type (UI)</th><th>Settings (UI) &#x26; Guidance</th></tr></thead><tbody><tr><td><strong>Development / Sandbox / Staging / QA</strong></td><td>Quarterly</td><td>Conditional, based on role</td><td><strong>Automatic Approval</strong></td><td><p><strong>Guidance</strong>:</p><p>Longer durations are acceptable due to lower risk, especially when tied to developer roles.</p></td></tr><tr><td><strong>Production Systems</strong></td><td>Up to 2 hours</td><td>4 hours</td><td><p><strong>Approval of</strong></p><p>OR</p><p><strong>Automatic Approval</strong></p></td><td><p><strong>Settings</strong>:</p><ul><li><strong>Require MFA</strong></li><li><strong>Requester and grantee cannot self approve</strong></li></ul><p><strong>Guidance</strong>:</p><ul><li><strong>Approval of</strong>: Choose an approver from a production team, such as DevOps or Infra.</li><li><strong>Automatic Approval</strong>: Select this approval type for ongoing incidents or during on-call shifts.</li></ul></td></tr><tr><td><strong>Sensitive Data (PII, Financial, Customer)</strong></td><td>Up to 1 hour</td><td>2 hours</td><td><strong>Approval of</strong></td><td><p><strong>Settings</strong>:</p><ul><li><strong>Require Approver Reason</strong></li><li><strong>Requester and grantee cannot self approve</strong></li></ul><p><strong>Guidance</strong>:</p><p>The approver should be someone able to authorize sensitive data access, such as the Security team, GRC, or a manager.</p></td></tr><tr><td><strong>Break-glass / Emergency</strong></td><td>Up to 1 hour</td><td>2 hours</td><td><p><strong>Approval of</strong></p><p>OR</p><p><strong>Automatic Approval</strong></p></td><td><p><strong>Setting</strong>:</p><ul><li><strong>Require MFA</strong></li></ul><p><strong>Guidance</strong>:</p><ul><li>The request should be reviewed post-incident.</li><li>A ticket ID may be required to make the request.</li><li><strong>Approval of</strong>: Choose an approver from an on-call shift or production team, such as DevOps or Infra.</li><li><strong>Automatic Approval</strong>: Select this approval type for ongoing incidents or during on-call shifts.</li></ul></td></tr></tbody></table>

{% hint style="success" %}
After access durations are defined, Apono analyzes access requests and identifies **Excessive access duration** when requested durations are consistently below the configured maximum.

Through [Right Sizing](https://docs.apono.io/docs/access-flows/manage-access-flows/right-sizing), Apono recommends reviewing and reducing the maximum access duration to better align with least-privilege access.
{% endhint %}
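
The following added example (not Apono's Right Sizing logic or export format) shows one way to run a similar check yourself on exported request data: it flags access flows whose requested durations sit consistently below the configured maximum. The record layout, flow names, 95th-percentile choice, and 50% threshold are all assumptions made for illustration.

```python
import math
from collections import defaultdict

# Configured maximum access duration per flow, in minutes (values taken from
# the best-practices table: 4 hours for production, 2 hours for sensitive data).
MAX_MINUTES = {"production": 240, "sensitive-data": 120}

# Constructed sample records: (access_flow, requested_minutes).
# This layout is hypothetical and does not reflect a real export schema.
REQUESTS = [
    ("production", 30), ("production", 45), ("production", 60),
    ("production", 40), ("production", 55), ("production", 35),
    ("sensitive-data", 60), ("sensitive-data", 110), ("sensitive-data", 90),
    ("sensitive-data", 120), ("sensitive-data", 45), ("sensitive-data", 100),
]

def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def excessive_duration_flows(requests, maximums, pct=95, ratio=0.5, min_samples=5):
    """Return {flow: (observed_percentile, configured_max)} for flows where
    the pct-th percentile of requested durations is below ratio * max."""
    by_flow = defaultdict(list)
    for flow, minutes in requests:
        # Skip invalid or over-limit values; such requests are rejected
        # at submission and never become grants.
        if minutes <= 0 or minutes > maximums[flow]:
            continue
        by_flow[flow].append(minutes)

    findings = {}
    for flow, durations in by_flow.items():
        if len(durations) < min_samples:
            continue  # too few requests to call the pattern consistent
        observed = percentile(durations, pct)
        if observed < ratio * maximums[flow]:
            findings[flow] = (observed, maximums[flow])
    return findings

if __name__ == "__main__":
    for flow, (observed, limit) in excessive_duration_flows(REQUESTS, MAX_MINUTES).items():
        print(f"{flow}: p95 requested {observed} min, maximum {limit} min; consider lowering")
```

A flagged flow is a candidate for a lower maximum; using a high percentile rather than the mean keeps occasional long but legitimate requests from being cut off.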
