A new feature that recently came into public preview is known as User Security Governance (USG). I would not describe it as just one feature, but rather as a set of multiple features released by Microsoft.
There is a Tech Talk about this new set of functionalities, and many have written insightful blog posts about it. In particular, I would recommend reading the one written by Andre.
I want to talk about one of these features, called Temporary Role Management. As of today, when you assign a security role to a user, it remains assigned indefinitely unless someone removes it manually. This is a problem in the current setup because revoking access always requires manual intervention. Other platforms already solve this, for example Privileged Identity Management (PIM) and access packages in Azure.
With this upcoming set of features, you can assign a security role temporarily to a user. Once the specified time expires, the system will automatically revoke the access granted.
To grant temporary (time-bound) access to one or more security roles, open the request form from the following location:
System Administration >> Security >> Security Governance >> Temporary Role Management
Create a new request by clicking the "New" button.
Select the user ID to which the security roles should be granted.
Specify the start and end date and time. This defines the window during which the roles are allocated; after the end time, the system removes the access automatically.
Select the security role you want to grant. You can limit the role to a specific organization (legal entity); by default, the assignment applies to all organizations.
Set the allocation type to the behaviour you want (Merge or Replace):
- Merge – Adds the temporary roles to the user account's existing roles. When the temporary role session ends, the user keeps the original roles and only the added temporary roles are revoked.
- Replace – Replaces the user account's existing roles with the temporary roles. When the temporary role session ends, the user is reassigned the original roles and the temporarily assigned roles are revoked.
Optionally, add a description (this is not mandatory).
Change the status of the request from "Draft" (the default) to "Planned".
That's it! Your request is complete: the system will allocate the requested security roles at the start time and remove the granted access again after the end time specified in the request.
You can view the access granted/revoked by the system in the logs.
What happens behind the scenes (necessary setup):
A batch job named Temporary Role User Processing allocates and deallocates the security roles.
You need to schedule this batch job at least once for the system; I recommend setting it up with a recurrence of every minute. The class name of the batch job is UserSecGovTemporaryRoleProcess. Both the allocation at the start time and the revocation at the end time depend on this job, so if it is not running, expired temporary access is not removed until it runs again.
If you do not want to set up the batch job manually, you can create a request and click on the "Process" button. This will open the batch setup where you can configure the recurrence and schedule.
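As an added illustration (not code from this post or from Microsoft's USG feature), the following Python models the Merge/Replace semantics of a request and the grant/revoke steps the batch job performs, plus a reconciliation check that flags expired requests whose roles are still assigned, which is what you would observe if the Temporary Role User Processing job stopped running. The class and function names, the request lifecycle states and the sample users and roles are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class TempRoleRequest:  # field names are assumptions, not the USG table schema
    user: str
    roles: set
    start: datetime
    end: datetime
    allocation: str          # "Merge" or "Replace", as chosen on the request form
    status: str = "Planned"  # Draft -> Planned -> Active -> Completed (constructed lifecycle)
    original_roles: set = field(default_factory=set)

def process_requests(assignments, requests, now):
    """Emulate one batch run over `assignments` (user -> role set, mutated in place); returns log rows."""
    log = []
    for r in requests:
        user_roles = assignments.setdefault(r.user, set())
        if r.status == "Planned" and r.start <= now < r.end:
            r.original_roles = set(user_roles)  # snapshot so the end-time step can restore it
            if r.allocation == "Replace":
                user_roles.clear()
            user_roles |= r.roles
            r.status = "Active"
            log.append((now, r.user, "granted", sorted(r.roles)))
        elif r.status == "Active" and now >= r.end:
            if r.allocation == "Replace":
                assignments[r.user] = set(r.original_roles)  # original roles are reassigned
            else:
                user_roles -= r.roles - r.original_roles  # Merge: only the added roles are revoked
            r.status = "Completed"
            log.append((now, r.user, "revoked", sorted(r.roles)))
    return log

def overdue_revocations(assignments, requests, now, grace=timedelta(minutes=5)):
    """Users whose Active request ended over `grace` ago but who still hold the roles: the job is not running."""
    return sorted(r.user for r in requests if r.status == "Active"
                  and now - r.end > grace and r.roles & assignments.get(r.user, set()))

def demo():
    """Constructed scenario: one Merge and one Replace request, a 09:00 run, then a missed 10:00 run."""
    t0 = datetime(2025, 1, 6, 9, 0)
    assignments = {"alice": {"Accountant"}, "bob": {"Buyer"}}
    reqs = [TempRoleRequest("alice", {"SystemAdministrator"}, t0, t0 + timedelta(hours=1), "Merge"),
            TempRoleRequest("bob", {"Auditor"}, t0, t0 + timedelta(hours=1), "Replace")]
    process_requests(assignments, reqs, t0)
    active = {u: sorted(s) for u, s in assignments.items()}
    stale = overdue_revocations(assignments, reqs, t0 + timedelta(hours=1, minutes=30))
    process_requests(assignments, reqs, t0 + timedelta(hours=1, minutes=30))  # late run catches up
    restored = {u: sorted(s) for u, s in assignments.items()}
    return active, stale, restored
```

Running `demo()` shows both users holding their temporary roles after the 09:00 run, both flagged as overdue at 10:30 because no run happened at 10:00, and both restored to their original roles once the job finally runs.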