Time-Windowed Access Policies¶
Section: Configuration | Article 57
Audience: System Administrators
Last Updated: 2026-04-08
Overview¶
Time-windowed policies let you control when users can request access. By default, access can be requested at any time (24/7). With time windows enabled, requests are only accepted during defined hours.
Use cases: - Restrict access to business hours (8 AM – 6 PM, Monday – Friday) - Allow a Saturday maintenance window in addition to business hours - Block overnight access except for emergency requests
Configuring Time Windows¶
Step 1 — Enable on the Policy¶
Navigate to Settings → Approval Policies → select the policy → enable Time Windows.
| Field | Description | Default |
|---|---|---|
| Time Windows Enabled | Whether time restrictions are active | Disabled (24/7) |
| Timezone | IANA timezone for evaluating windows | UTC |
| Out-of-Window Behaviour | What happens when a request is submitted outside all windows | Block |
Step 2 — Add Time Windows¶
Each policy can have multiple time windows. Click Add Window for each:
| Field | Description | Example |
|---|---|---|
| Window Name | Human-readable label | "Business Hours" |
| Day of Week | Which day (or "Every Day") | Monday – Friday |
| Start Time | Window opens at (24-hour format) | 08:00 |
| End Time | Window closes at (24-hour format) | 18:00 |
Example — Business hours plus Saturday maintenance:
| Window | Day | Start | End |
|---|---|---|---|
| Business Hours | Mon – Fri | 08:00 | 18:00 |
| Saturday Maintenance | Saturday | 09:00 | 13:00 |
Step 3 — Set the Timezone¶
The timezone determines what "08:00" means. Set it to your organisation's local timezone so business hours align with your workday.
| Setting | Example |
|---|---|
America/New_York |
08:00 = 8 AM Eastern |
Europe/London |
08:00 = 8 AM GMT/BST |
Asia/Tokyo |
08:00 = 8 AM JST |
UTC |
08:00 = 8 AM UTC |
Out-of-Window Behaviour¶
When a user submits a request outside all time windows, RP-PAM responds based on the policy setting:
| Behaviour | What Happens |
|---|---|
| Block (default) | Request is rejected: "Access requests for this resource are only available during [window name] ([next opening time])." |
| Escalate | Request is accepted but automatically routed to a higher approval tier instead of following the normal approval chain. Cannot be auto-approved. |
Grant Duration Capping¶
When a user requests access, the maximum allowed duration is capped to the remaining time in the current window.
Example: - Business hours end at 18:00 - User requests access at 16:30 for 4 hours - RP-PAM issues a 1.5-hour grant (until 18:00) and informs the user:
"Requested 4 hours, but the current access window closes in 1 hour 30 minutes. Grant issued for 1 hour 30 minutes."
Active Grant Enforcement¶
If an active grant's time window closes before the grant's expiry:
| Time | Action |
|---|---|
| 30 minutes before window close | Notification: "Access window closes in 30 minutes" |
| 15 minutes before window close | Notification: "Request an extension?" |
| 5 minutes before window close | Final warning: "Save your work" |
| At window close | Grant revoked, active sessions terminated |
The earlier of grant expiry or window close is always enforced.
Emergency Override¶
Users with the Emergency Requestor role can bypass time windows entirely. When they submit a request outside a window:
- The request is accepted normally
- It is logged as "out-of-window emergency request" in the audit trail
- The approver sees a prominent badge: "Submitted outside access window"
- No auto-approval — emergency out-of-window requests always require human approval
Extensions During Out-of-Window Hours¶
If a user's grant is about to expire and they request an extension that would extend into out-of-window hours:
- The extension request is accepted
- It always requires human approval (cannot be auto-approved)
- It is logged as "out-of-window extension" in the audit trail with the approver's identity
- The approver sees: "This extension extends access beyond the configured time window"
Troubleshooting¶
| Problem | Cause | Solution |
|---|---|---|
| Request blocked but it's within business hours | Timezone mismatch | Verify the policy timezone matches your location |
| Grant expires before window closes | Grant duration set shorter than remaining window time | The shorter of the two always applies |
| "No time windows configured" warning | Time windows enabled but no windows added | Add at least one time window to the policy |
| Emergency override not working | User does not have EmergencyRequestor role | Assign the role in user management |
Next Steps¶
- Approval Workflows — How requests are approved
- Grant Expiry and Extensions — Notification and extension flow
- Configuration Reference — Full policy field reference
RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.