Documentation Index

Fetch the complete documentation index at: https://docs.senhasegura.io/llms.txt

Use this file to discover all available pages before exploring further.

About TimeBound Access Control

Prev Next

This document provides information about Time-Bound Access Control in the Integration with ITSM feature. It describes how Segura® restricts privileged access to the time window defined in the ITSM ticket. For general ITSM integration setup, see Settings > Integration with ITSM.

Segura® enforces time-bound privileged access scoped directly to the allowable window defined in the ITSM ticket. When an access request references an ITSM ticket, the platform reads the ticket's scheduled start and end fields and restricts the privileged session or credential checkout to that exact window.

This capability applies to all supported ITSM integrations: ServiceNow, Jira Service Management, BMC Helix/Remedy, Cherwell, Freshservice, and Generic REST/Webhook.

How it works

When a user requests privileged access referencing an ITSM ticket, Segura® performs the following validations:

  1. Ticket status check: the ticket must be in an approved or in-progress state.

  2. Time window validation: the current time must fall within the ticket's scheduled start and end window.

  3. Continuous revalidation: Segura® polls the ITSM ticket status throughout the session. Any status change (cancellation, resolution, hold) triggers immediate access revocation.

  4. Automatic session termination: when the ticket's end time is reached, the active session is automatically interrupted regardless of session state.

  5. Audit correlation: all session activity is logged with the ticket ID, time window, and ticket status at each access event.

Behavior per platform

Platform Start/End Field Read Status Field Validated Real-Time Revalidation
ServiceNow scheduled_start / scheduled_end state = In Progress Yes — polling via /api/now/table/
Jira Service Management Custom field: planned_start / planned_end Status = In Progress Yes
BMC Helix / Remedy Scheduled Start Date / Scheduled End Date Status = In Progress / Assigned Yes
Cherwell Scheduled Start / Scheduled End Status = In Progress Yes
Freshservice planned_start_date / planned_end_date Status = In Progress Yes
Generic REST / Webhook Configurable field mapping Configurable status mapping Yes — configurable polling interval

Pre-window blocking

Access attempts made before the ticket's scheduled start time are denied even if the ticket status is approved. The user receives the following message:

Access denied

The referenced ITSM ticket has not reached its scheduled start time. Access will be available from [scheduled_start]. Please try again after that time.

Post-window session termination

When the ticket's end time is reached, Segura® terminates the active session automatically. The termination flow is:

  1. Warning notification: the user receives an in-session alert [configurable: 5, 10, or 15 minutes before end time].
  2. Grace period: an optional grace period (configurable: 0–15 minutes) allows the user to wrap up the session safely.
  3. Forced termination: the session is closed and the credential is checked back in automatically.
  4. Audit record: the termination event is logged with timestamp, ticket ID, and termination reason.
Attention

Unsaved work within the remote session will be lost upon forced termination. Users should save their work before the grace period expires.

Real-time ticket revalidation

Segura® continuously polls the ITSM ticket status during an active session. If the ticket status changes to any non-active state, access is revoked immediately:

Ticket Event Segura Response User Notification
Ticket cancelled Session terminated immediately Yes — reason: ticket cancelled
Ticket resolved / closed Session terminated immediately Yes — reason: ticket closed
Ticket placed on hold Session paused, access suspended Yes — reason: ticket on hold
Ticket reopened / resumed Access restored automatically Yes — session can resume
Ticket end time reached Session terminated after grace period Yes — warning before termination
Info

Polling interval is configurable per integration (default: 60 seconds). For environments requiring near real-time enforcement, webhook-based notification can be enabled to trigger immediate revalidation on ticket status changes.

Configuration

Time-bound access control is configured per ITSM integration. To enable it:

  1. Navigate to Settings > System Parameters > Integration with ITSM.
  2. Select the ITSM platform to configure.
  3. Enable the option: Enforce time window from ticket fields.
  4. Map the start and end fields from the ITSM ticket to Segura's time window parameters.
  5. Configure the warning notification time (default: 10 minutes before end).
  6. Configure the grace period (default: 5 minutes; set to 0 for immediate termination).
  7. Set the polling interval for real-time revalidation (default: 60 seconds).
  8. Save and test the integration using a test ticket.

Field mapping reference

Field mapping reference

The following table shows the default field mapping for each supported platform. Fields can be remapped under the integration configuration if your ITSM instance uses custom field names.

Platform Start Field End Field Status Field Approved Status Value
ServiceNow scheduled_start scheduled_end state 2 (In Progress)
Jira Service Management customfield_planned_start customfield_planned_end status.name In Progress
BMC Helix / Remedy Scheduled Start Date Scheduled End Date Status In Progress / Assigned
Cherwell ScheduledStart ScheduledEnd Status In Progress
Freshservice planned_start_date planned_end_date status 2 (In Progress)
Generic REST Configurable Configurable Configurable Configurable

Audit and compliance

All time-bound access events are immutably logged and exportable for compliance. Each audit record includes:

  • Ticket ID and ITSM platform

  • Scheduled start and end time from the ticket

  • Actual session start and end time

  • Ticket status at session start, during session (each poll), and at session end

  • Termination reason: natural end, forced termination, ticket cancelled, ticket closed, or manual termination

  • User, credential, device, and session recording reference

Reports are available under: Reports > Privileged Sessions > Sessions by ITSM Ticket.

Compliance note

Time-bound access correlated to ITSM tickets supports change management audit requirements under SOX, ISO 27001, and ITIL frameworks. Auditors can verify that privileged access occurred only within the approved change window.

Use cases

Change window enforcement

A change ticket in ServiceNow is approved for Saturday 22:00–02:00. A sysadmin attempts to access the production database server. Segura® permits the session only between 22:00 and 02:00. At 02:00, the session is terminated automatically and the credential is checked back in.

Emergency access with time scope

A P1 incident ticket is raised in Jira Service Management with a planned_end of 4 hours from now. The on-call engineer accesses the affected system. If the ticket is resolved in 2 hours and the status changes to Resolved, Segura® terminates the session immediately — even though the 4-hour window has not yet expired.

Third-party vendor access

A vendor is granted access via a Freshservice ticket with a 2-hour maintenance window. The vendor's session is automatically terminated at the end of the window. If the vendor attempts to reconnect outside the window, access is denied and the attempt is logged.

Generic REST integration

An organization uses a proprietary ITSM tool exposing a REST API. Using the Generic REST integration, the administrator maps the custom fields for start time, end time, and status. Segura® enforces time-bound access using the same engine as the native integrations.