Create a recurring access policy

This topic describes how to create a recurring access policy to provide secure, just-in-time access to your organizational assets.

Overview

You can create a single recurring access policy that covers all the assets comprising a business application or project. This policy can contain separate access rules for each persona that needs to access these assets on a regular basis.

Create a recurring access policy

There are several steps to defining a recurring access policy. Where applicable, you can leave default values to create the broadest policy definition. This may be useful, for example, for testing environments where you need a test policy during account configuration.

To create a recurring access policy:
  1. On the Recurring access policies page, click Create a policy.

  2. Complete the steps described below.

You can save your DPA policy at any point in the configuration process by clicking Save as draft. If the policy is complete and you're ready to activate it, click Activate. After you save the policy, it appears on the Recurring access policies page.

Step 1: Details

To define the general details for the policy, configure the parameters as shown in the following table.

Policy general details

Parameter

Description

Mandatory

Policy name

A unique name for this policy. CyberArk recommends using a simple naming convention such as <application/project> <environment>. For example, "my-app production".

Yes

Description

Short description of the recurring access policy.

No

Time frame

Leave the default value of Always, or select Date range and configure this option if you want the policy to apply for a specific date range.

When a time frame is defined for a policy, users won't have any access to the assets associated with the policy after the time frame expires (unless they are included in another policy that was defined for these targets). Best practice is to use this option only for time-limited projects.

N/A

Step 2: Assets

To define the criteria for the assets that are included in this policy:

  1. Click Add for the relevant platform.

  2. Define the criteria for the assets that should be included:

  3. When you are finished defining the criteria, click Apply.

Step 3: Access rules

An access rule specifies the access profile, which members can assume it, and when users are allowed to access the assets.

Access rule characteristics

Characteristic

Description

Profile

  • For Linux targets, the local user profile that the role or group member assumes to connect to the target.

  • For Windows targets, the groups that provide the necessary permissions to connect to the target.

Members

Users, roles, and user groups that are allowed to assume the access profile when connecting to the targets.

Access window

Days and times that members are allowed to connect to the targets.

If there are multiple rules that potentially apply when a user tries to connect to a Linux target, and there are multiple user profiles, DPA prompts the user to select which profile to use. In other cases, DPA applies the rule that best matches according to the following priorities:

  1. Maximum effective session length (the actual amount of time the session can be active)

  2. Maximum configured session length

  3. Maximum idle time length

To create an access rule:

Each recurring access policy can have multiple access rules so you can define one for each persona that requires access to the business application or project.

  1. Click Create an access rule to define a new rule for the DPA policy.

    It's helpful to name access rules based on the access profile you are creating, for example "Admin-level" or "Developer".

  2. Type the name of the access rule you're creating.

  3. In Profile, assign the user profile that users will assume when they connect to the targets:

  4. In Members, click Add members. Use the search to discover and select the available members (users, user groups, and roles) that you want to allow to assume the profile you defined in step 3.

    • You can see users and user groups from your directory service, and users and roles defined in the CyberArk Identity portal.

    • If you haven't connected Active Directory you won't get results when you search for groups.

  5. In Access window, configure the time period when this user profile is allowed to access the assets defined in the policy.

    Access window parameters

    Parameter

    Description

    Mandatory

    Time zone

    Select the time zone for the region from the dropdown list.

    The region is the location where your end users are located (from where the client machines will try to connect to the targets).

    Yes

    Select the days

    Leave the default setting of all days selected, or specify the days of the week that you want to allow access.

    Yes

    Select the time frame

    Leave the default value of All day, or select Specific time and define the time of day you want to allow access.

    When the access window is limited to a specific time frame, users can only connect to their targets during the specified time regardless of the maximum session length. For example, if the access window is from 9 AM to 11 AM and a user connects to a target at 10 AM, the session will close after an hour even if you defined the maximum session length as 2 hours.

     

    Define the session settings

    You can leave the default values or customize them.

    Maximum session length - the session is automatically closed and disconnected when the session expires.

    • Unit: hours

    • Default value: 2

    • Allowed values: 1 to 24

    Maximum idle time before the session ends - the session is automatically closed and disconnected if there is no user activity for the defined amount of time. This parameter is optional; to disable it, clear the check box.

    • Unit: minutes

    • Default value: 10

    • Allowed values: 1 to 120

     

  6. Click Create to add the new rule to your DPA policy. You can view the rule details in the policy window.

Step 4: Verify connectivity

After you complete the configuration process, you can verify that you added the workspace successfully by creating a recurring access policy and trying to connect as an end user to a protected asset.

For more details, see Connect to a Windows target or Connect to a Linux target.