Privileged Access Management: PAM roles with time span and future requests (Part 2)

Yesterday I wrote a blog post on how to setup PAM role with approvals in Privileged Access Management of Microsoft Identity Manager 2016.

Here is part 2 where I will be covering the following features:

  • PAM role with time span limits (e.g. 08:00 to 17:00)
  • PAM role with a specific request time (requests in future)

First make sure that the server running PAM components and the MIM service/portal have the correct time zone setting. You can check that in MIM portal under: Administration -> Portal Configuration -> Timezone


Currently the time restrictions are only working on time values not dates, so you cannot exclude weekend days for example. Only restrictions like 8:00 to 17:00 (or 8:00 am to 5:00 pm) are possible.

The supported way to set a time span rule on a PAM role is through PowerShell:

Import-Module MIMPAM
$pamrole = Get-PAMRole "SQLAdmins"
Set-PAMRole -Role $pamrole -AvailabilityWindowEnabled $true -AvailableFrom "08:00" -AvailableTo "17:00"

After setting up this configuration it looks in PAM Sample Portal like this:



If you are trying to request that role outside this business hours you will get an error message:



There is also an error entry in the event log:



You can also view and edit PAM role through the MIM Portal, however in to be supported you should manage PAM roles via PowerShell as you may facing issues when editing values in portal. But changing the time span values on PAM role works without any issues in my test lab.


Even there is the month, day, year in that attribute, these values are not evaluated, online the time is relevant when checking the requests. You can test this by entering a date in the past and will see you still can request the role. Hope that will be extened in future to also allow enable/disable specific days of week.


Last but not least you can also request PAM roles for future use, simply select a specific date in future when requesting a role. The request will be hold in PAM and active the role to the given date and time:


If PAM role with request in future will have approvals enabled, the approval workflow is triggered directly, but the PAM role will become active at the time you requested. I could imagine a scenario where a approver is not available at the time when a requestor needs the role so he can approve the role for using tomorrow for example.


Author: Peter Stapf

Senior Consultant Identity and Access

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.