This document provides information about Time-Bound Access Control in the Integration with ITSM feature. It describes how Segura® restricts privileged access to the time window defined in the ITSM ticket. For general ITSM integration setup, see Settings > Integration with ITSM.
Segura® enforces time-bound privileged access scoped directly to the allowable window defined in the ITSM ticket. When an access request references an ITSM ticket, the platform reads the ticket's scheduled start and end fields and restricts the privileged session or credential checkout to that exact window.
This capability applies to all supported ITSM integrations: ServiceNow, Jira Service Management, BMC Helix/Remedy, Cherwell, Freshservice, and Generic REST/Webhook.
How it works
When a user requests privileged access referencing an ITSM ticket, Segura® performs the following validations:
-
Ticket status check: the ticket must be in an approved or in-progress state.
-
Time window validation: the current time must fall within the ticket's scheduled start and end window.
-
Continuous revalidation: Segura® polls the ITSM ticket status throughout the session. Any status change (cancellation, resolution, hold) triggers immediate access revocation.
-
Automatic session termination: when the ticket's end time is reached, the active session is automatically interrupted regardless of session state.
-
Audit correlation: all session activity is logged with the ticket ID, time window, and ticket status at each access event.
Behavior per platform
| Platform | Start/End Field Read | Status Field Validated | Real-Time Revalidation |
|---|---|---|---|
| ServiceNow | scheduled_start / scheduled_end | state = In Progress | Yes — polling via /api/now/table/ |
| Jira Service Management | Custom field: planned_start / planned_end | Status = In Progress | Yes |
| BMC Helix / Remedy | Scheduled Start Date / Scheduled End Date | Status = In Progress / Assigned | Yes |
| Cherwell | Scheduled Start / Scheduled End | Status = In Progress | Yes |
| Freshservice | planned_start_date / planned_end_date | Status = In Progress | Yes |
| Generic REST / Webhook | Configurable field mapping | Configurable status mapping | Yes — configurable polling interval |
Pre-window blocking
Access attempts made before the ticket's scheduled start time are denied even if the ticket status is approved. The user receives the following message:
The referenced ITSM ticket has not reached its scheduled start time. Access will be available from [scheduled_start]. Please try again after that time.
Post-window session termination
When the ticket's end time is reached, Segura® terminates the active session automatically. The termination flow is:
- Warning notification: the user receives an in-session alert [configurable: 5, 10, or 15 minutes before end time].
- Grace period: an optional grace period (configurable: 0–15 minutes) allows the user to wrap up the session safely.
- Forced termination: the session is closed and the credential is checked back in automatically.
- Audit record: the termination event is logged with timestamp, ticket ID, and termination reason.
Unsaved work within the remote session will be lost upon forced termination. Users should save their work before the grace period expires.
Real-time ticket revalidation
Segura® continuously polls the ITSM ticket status during an active session. If the ticket status changes to any non-active state, access is revoked immediately:
| Ticket Event | Segura Response | User Notification |
|---|---|---|
| Ticket cancelled | Session terminated immediately | Yes — reason: ticket cancelled |
| Ticket resolved / closed | Session terminated immediately | Yes — reason: ticket closed |
| Ticket placed on hold | Session paused, access suspended | Yes — reason: ticket on hold |
| Ticket reopened / resumed | Access restored automatically | Yes — session can resume |
| Ticket end time reached | Session terminated after grace period | Yes — warning before termination |
Polling interval is configurable per integration (default: 60 seconds). For environments requiring near real-time enforcement, webhook-based notification can be enabled to trigger immediate revalidation on ticket status changes.
Configuration
Time-bound access control is configured per ITSM integration. To enable it:
- Navigate to Settings > System Parameters > Integration with ITSM.
- Select the ITSM platform to configure.
- Enable the option: Enforce time window from ticket fields.
- Map the start and end fields from the ITSM ticket to Segura's time window parameters.
- Configure the warning notification time (default: 10 minutes before end).
- Configure the grace period (default: 5 minutes; set to 0 for immediate termination).
- Set the polling interval for real-time revalidation (default: 60 seconds).
- Save and test the integration using a test ticket.
Field mapping reference
Field mapping reference
The following table shows the default field mapping for each supported platform. Fields can be remapped under the integration configuration if your ITSM instance uses custom field names.
| Platform | Start Field | End Field | Status Field | Approved Status Value |
|---|---|---|---|---|
| ServiceNow | scheduled_start | scheduled_end | state | 2 (In Progress) |
| Jira Service Management | customfield_planned_start | customfield_planned_end | status.name | In Progress |
| BMC Helix / Remedy | Scheduled Start Date | Scheduled End Date | Status | In Progress / Assigned |
| Cherwell | ScheduledStart | ScheduledEnd | Status | In Progress |
| Freshservice | planned_start_date | planned_end_date | status | 2 (In Progress) |
| Generic REST | Configurable | Configurable | Configurable | Configurable |
Audit and compliance
All time-bound access events are immutably logged and exportable for compliance. Each audit record includes:
-
Ticket ID and ITSM platform
-
Scheduled start and end time from the ticket
-
Actual session start and end time
-
Ticket status at session start, during session (each poll), and at session end
-
Termination reason: natural end, forced termination, ticket cancelled, ticket closed, or manual termination
-
User, credential, device, and session recording reference
Reports are available under: Reports > Privileged Sessions > Sessions by ITSM Ticket.
Time-bound access correlated to ITSM tickets supports change management audit requirements under SOX, ISO 27001, and ITIL frameworks. Auditors can verify that privileged access occurred only within the approved change window.
Use cases
Change window enforcement
A change ticket in ServiceNow is approved for Saturday 22:00–02:00. A sysadmin attempts to access the production database server. Segura® permits the session only between 22:00 and 02:00. At 02:00, the session is terminated automatically and the credential is checked back in.
Emergency access with time scope
A P1 incident ticket is raised in Jira Service Management with a planned_end of 4 hours from now. The on-call engineer accesses the affected system. If the ticket is resolved in 2 hours and the status changes to Resolved, Segura® terminates the session immediately — even though the 4-hour window has not yet expired.
Third-party vendor access
A vendor is granted access via a Freshservice ticket with a 2-hour maintenance window. The vendor's session is automatically terminated at the end of the window. If the vendor attempts to reconnect outside the window, access is denied and the attempt is logged.
Generic REST integration
An organization uses a proprietary ITSM tool exposing a REST API. Using the Generic REST integration, the administrator maps the custom fields for start time, end time, and status. Segura® enforces time-bound access using the same engine as the native integrations.