Privileged Access Management: PAM roles with time span and future requests (Part 2)

Yesterday I wrote a blog post on how to set up a PAM role with approvals in Privileged Access Management of Microsoft Identity Manager 2016.

Here is part 2 where I will be covering the following features:

  • PAM role with time span limits (e.g. 08:00 to 17:00)
  • PAM role with a specific request time (requests in future)

Note:
First make sure that the server running the PAM components and the MIM service/portal have the correct time zone setting. You can check that in the MIM portal under: Administration -> Portal Configuration -> Timezone

 

Currently, the time restrictions work only on time-of-day values, not dates, so you cannot exclude weekend days, for example. Only restrictions like 8:00 to 17:00 (or 8:00 am to 5:00 pm) are possible.

The supported way to set a time span rule on a PAM role is through PowerShell:

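# Load the MIM PAM cmdlets
Import-Module MIMPAM
# Look up the PAM role to restrict
$pamrole = Get-PAMRole "SQLAdmins"
# Enable the availability window and set it to 08:00-17:00
Set-PAMRole -Role $pamrole -AvailabilityWindowEnabled $true -AvailableFrom "08:00" -AvailableTo "17:00"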
