> For the complete documentation index, see [llms.txt](https://docs.apono.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/access-duration.md).

# Access Duration

**Access duration** is the period of time that a user is able to use a resource before Apono automatically revokes access.

Access duration depends on two settings.

<table><thead><tr><th width="247.05990600585938">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Granting period</strong></td><td><p>Maximum amount of time access can be granted for a resource, defined when <a href="/pages/sVn2oYvXxhOI9ZIEDDvo#set-access-duration-and-approval-process">creating a self serve access flow</a></p><p>A granting period is specific to an access flow and required for every self serve access flow.</p></td></tr><tr><td><strong>Require duration for access request</strong></td><td><p><a href="#enable-require-duration-for-access-request">Account-level setting</a> that requires requestors to specify how long they need access when submitting an access request</p><p>The requested duration cannot exceed the granting period.</p><p>If this setting is not enabled, approved access uses the full granting period defined in the access flow.</p></td></tr></tbody></table>

{% hint style="info" %}
The granting period is not always the exact amount of time a requestor receives. When requestors are required to specify a duration, they can request less time than the granting period. The granting period is the **maximum available** time for the request.
{% endhint %}

When a request is submitted, the approver sees the requested duration along with other request details. Once a request is approved, access is granted only for the specified period and is revoked when the approved access period ends.

If the requestor needs more time, a new access request should be submitted unless [extended access](/docs/access-flows/creating-access-flows-in-apono/self-serve-access-flows.md#allow-extend-duration) has been enabled for the access flow.

By enforcing time limits, access duration provides the following benefits:

* Reduced standing access
* Improved accountability
* Support for just-in-time access aligned with the principle of least privilege.

{% hint style="info" %}
All Apono access requests, approvals, and expirations are logged and retained for at least **36 months**. For longer retention needs, export this data to your organization’s storage tools.
{% endhint %}

***

### Granting period best practices

A granting period is defined when [creating a self serve access flow](/docs/access-flows/creating-access-flows-in-apono/self-serve-access-flows.md#set-access-duration-and-approval-process) and should be based on the risk and sensitivity of an access flow's resources.

Use the recommendations in the table below as a starting point to define granting periods that meet your organization’s security and operational needs.

The **Typical Requested Duration** column reflects how long access is usually needed to complete a task.The **Granting Period** column defines the upper limit configured in the self serve access flow.

<table><thead><tr><th width="150.4375">Use Case</th><th width="109.15234375">Typical Requested Duration</th><th width="108.6328125">Granting Period</th><th width="108.82421875">Approval Type (UI)</th><th>Settings (UI) &#x26; Guidance</th></tr></thead><tbody><tr><td><strong>Development / Sandbox / Staging / QA</strong></td><td>Quarterly</td><td><p>No fixed recommendation</p><p>Based on role and environment risk</p><p><br></p></td><td><strong>Automatic Approval</strong></td><td><p><strong>Guidance</strong>:</p><p>Longer durations are acceptable due to lower risk, especially when tied to developer roles.</p><p><br></p></td></tr><tr><td><strong>Production Systems</strong></td><td>Up to 2 hours</td><td>4 hours</td><td><p><strong>Approval of</strong></p><p>OR</p><p><strong>Automatic Approval</strong></p></td><td><p><strong>Settings</strong>:</p><ul><li><strong>Require MFA</strong></li><li><strong>Requester and grantee cannot self approve</strong></li></ul><p><strong>Guidance</strong>:</p><ul><li><strong>Approval of</strong>: Choose an approver from a production team, such as DevOps or Infra.</li><li><strong>Automatic Approval</strong>: Select this approval type for ongoing incidents or during on-call shifts.</li></ul></td></tr><tr><td><strong>Sensitive Data (PII, Financial, Customer)</strong></td><td>Up to 1 hour</td><td>2 hours</td><td><strong>Approval of</strong></td><td><p><strong>Settings</strong>:</p><ul><li><strong>Require Approver Reason</strong></li><li><strong>Requester and grantee cannot self approve</strong></li></ul><p><strong>Guidance</strong>:</p><p>The approver should be able to authorize sensitive data access such as Security team, GRC, or manager.</p></td></tr><tr><td><strong>Break-glass / Emergency</strong></td><td>Up to 1 hour</td><td>2 hours</td><td><p><strong>Approval of</strong></p><p>OR</p><p><strong>Automatic Approval</strong></p></td><td><p><strong>Setting</strong>:</p><ul><li><strong>Require MFA</strong></li></ul><p><br><strong>Guidance</strong>:</p><ul><li>The request should be reviewed post-incident.</li><li>Ticket ID may be required to make the request</li><li><strong>Approval of</strong>: Choose an approver from an on-call shift or production team, such as DevOps or Infra.</li><li><strong>Automatic Approval</strong>: Select this approval type for ongoing incidents or during on-call shifts.</li></ul></td></tr></tbody></table>

{% hint style="success" %}
After granting periods are defined, Apono analyzes access requests and identifies **Excessive access duration** when requested durations are consistently below the configured maximum.

Through [Right Sizing](/docs/access-flows/manage-access-flows/right-sizing.md), Apono recommends reviewing and reducing granting periods to better align with least-privilege access.
{% endhint %}

***

### Enable Require duration for access request

By default, the **Require duration for access request** is disabled. We recommend enabling this setting to help limit approved access to the time requestors need to complete a task.

<figure><img src="/files/ZihZ3ma25gTW1uTnMogM" alt="" width="357"><figcaption><p>Require duration for access request toggle</p></figcaption></figure>

Follow this step to require requestors to specify a duration:

1. On the [**Settings**](https://app.apono.io/settings) page, click the **Require duration for access request** toggle to on. The toggle will turn green.

Once enabled, requestors must specify a duration a duration that **does not exceed** the [granting period](/docs/access-flows/creating-access-flows-in-apono/self-serve-access-flows.md#set-access-duration-and-approval-process) defined by the access flow. If the requested duration exceeds the granting period or is invalid, an error message prompts the requestor to enter a valid duration.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/access-duration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.