Workflow Time Expiration
When an action is requested, the user making the request (the requester) has to define either how much time they need with the action (a time period) or when in the future they would like this action to become available (a time range).
But what happens to this approved action once this time expires?
A number of things may happen depending on how PAM is configured, so let’s begin with the action itself.
When the requested time expires for any action, the action returns back to the Request state and the user must request access again.
That means the action will no longer be accessible to this user and the entire approval process begins again.
For example, if the requested action is to the Unlock button of a record, the Unlock button will return back to its default Request Unlock state when time expires and this user will no longer be able to reveal the secured password, secret or file.
Instead they will need to open a new Request Access workflow.
Another scenario that may occur is what happens when the time expires during an active remote session? And the answer to this question is, it depends on how PAM is configured by the System Administrator(s).
By default, if the requested time expires during an active session (the request action in this scenario is on a record’s Connect option), then that active session will automatically Terminate.
The session will close and the user will not be permitted to Connect again because the connect option will revert back to its default Request Connect state.
So if the user needs additional time with this remote host, then they will request again with a new time period or range and once approved, the Connect option will return.
Active sessions that will automatically terminate will display the remaining time until termination in the session’s title bar.
The other option would be for System Administrators to configure the session to allow active sessions to Continue.
What this ultimately does is ensure that any sessions that are active when the requested time expires remain active so that the user’s can continue working with the remote host.
Once the user completes their own session, then they will not be able to open a new session because the connect option will return to its default Request Connect state.
This leaves the session in an “open ended” state as it only requires the user to start the session during the requested time, not complete it.
It should be noted that System Administrators also have the option to define an Idle Timeout period that is used for all remote sessions.
This will terminate any active sessions that remain idle for longer than the defined time limit.
In conjunction with the open-ended approved sessions, the idle time limit prevents a user from leaving an approved session open for much longer (overnight or over the weekend) than what was originally intended.
If you are a System Administrator, both the Session Idle Timeout and the Session Request Enforcement options are located in Administration > Settings > Parameters.
In summary,
- When the requested time expires for an action, the action returns back to its default Request state and the user must request access again.
- When the requested time expires during an active remote session, the session will either Continue until the user completes it themselves or it will automatically Terminate (remaining time is displayed in the Session Title Bar) depending on the System configuration. Regardless, the Connect option will return to its Request state and the user must request access again to open a new remote session.
Continue means the user must start but not complete the session during the requested time.
Terminate means the user must start and complete the session during the requested time.
