You can assign restricted access times to user groups. Restricted access times allow you to control which days and hours members of a user group can access a restricted agent.
For example, suppose you have users in Boston who access company resources and you want to limit access to regular business hours. You can add the Boston users to a group and restrict access times from 8:00 a.m. to 5:00 p.m. To ease the burden of configuring time restrictions, Authentication Manager provides Access Time templates that reflect typical times you may want to restrict access to agents. In this example, you might choose to use the “8am - 5pm Weekdays” template for the group instead of configuring these times manually.
Be aware of the following behaviors and limitations of restricted access times:
All times are relative to the time zone that you select when you configure restricted access times.
Be aware of this behavior when applying restricted access times in a deployment containing users in geographically diverse locations.
Authentication Manager does not support fractional time zones. You must use an available time zone closest to the desired fractional time zone.
Authentication Manager does not make automatic adjustments for Daylight Saving Time changes.
Restricted Access Times for Users in Different Geographic Locations
The times that you specify for restricted access are relative to the time zone of the primary instance. If you restrict access times for users in different geographic locations, you must account for the time differences between the locations. To accommodate the time differences, you can configure group membership and access time restrictions in two ways:
Configure two or more user groups based on geographic location and set a different access time for each group. When you configure user groups according to the location of the members, you must compensate for the time difference between the primary instance and the location of the users by configuring different restricted access times for each group.
For example, if the deployment has users in Boston and London, create a user group for Boston and another for London. Specify different restricted access times for each group. On the primary instance located in Boston, you restrict the Boston group from 8:00 a.m. to 5:00 p.m., and restrict the London group from 3:00 a.m. to 12:00 p.m. (which is 8:00 a.m. to 5:00 p.m. in London).
Alternatively, you can select the local time zone when configuring restricted access times. In the previous example, you could specify the local time zone for each user group before configuring the restricted access times.
RSA recommends using this method because it offers more administrative control over access times and over a user’s ability to access the restricted agent.
Configure a single user group for users in multiple geographic locations and set the same access time for all of its members. When you configure a single group that contains members from different locations, you must make sure that the restricted access times include the entire work day for all members of the user group.
For example, suppose your group contains users in Boston and London. On the primary instance located in Boston, which is set to Eastern Standard Time, you restrict the Boston access times to the hours of 8:00 a.m. to 5:00 p.m. With that setting alone, users in London can access the agent only from 1:00 p.m. to 10:00 p.m. London time, so you must expand the access time for the group to 3:00 a.m. to 5:00 p.m. Eastern Standard Time. This allows users in both Boston and London to access the agent during the work day.
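The Boston and London arithmetic above, worked as an added example (not RSA code): it derives the per-group and shared-group windows in primary-instance time and counts the hours the shared group grants beyond each site's work day. The function names, the fixed-offset model and the British Summer Time value are assumptions made for illustration.

```python
# Added example. Offsets are whole hours from UTC and never change, matching the
# page's notes on fractional time zones and Daylight Saving Time.
BOSTON_EST = -5    # primary instance in the page's example
LONDON_GMT = 0
LONDON_BST = 1     # constructed value: London while it observes summer time
WORKDAY = (8, 17)  # 8:00 a.m. to 5:00 p.m., as (start_hour, end_hour)

def shift(window, from_offset, to_offset):
    """Re-express a window given at one UTC offset as clock hours at another.
    A result with start >= end crosses midnight."""
    delta = to_offset - from_offset
    return ((window[0] + delta) % 24, (window[1] + delta) % 24)

def covering_window(windows):
    """Smallest same-day window that contains every window in the list."""
    for start, end in windows:
        if start >= end:
            raise ValueError(f"{start}-{end} crosses midnight; split it by day")
    return (min(s for s, _ in windows), max(e for _, e in windows))

def extra_hours(granted, needed):
    """Hours of access granted outside the hours a location actually needs."""
    return (needed[0] - granted[0]) + (granted[1] - needed[1])

# Method 1: one group per location, each entered in primary-instance time.
london_group = shift(WORKDAY, LONDON_GMT, BOSTON_EST)            # (3, 12)

# Method 2: one shared group. A plain Boston workday reaches London late,
# so the window has to cover both workdays.
boston_seen_in_london = shift(WORKDAY, BOSTON_EST, LONDON_GMT)   # (13, 22)
shared_group = covering_window([WORKDAY, london_group])          # (3, 17)

# Cost of method 2: each site gets hours it does not need.
boston_extra = extra_hours(shared_group, WORKDAY)                # 5
london_extra = extra_hours(
    shift(shared_group, BOSTON_EST, LONDON_GMT), WORKDAY)        # 5

# Assumption: the configured hours stay pinned to the primary's fixed offset.
# When London's clocks move forward, the London group's window drifts locally.
london_during_bst = shift(london_group, BOSTON_EST, LONDON_BST)  # (9, 18)

if __name__ == "__main__":
    print("London group, primary time:", london_group)
    print("Shared group, primary time:", shared_group)
    print("Extra hours Boston/London:", boston_extra, london_extra)
    print("London group seen locally during BST:", london_during_bst)
```

The five extra hours per site are the access a shared group allows outside each location's work day, which is the control that separate per-location groups retain.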
Restricted Access Times for Users in Multiple User Groups
When a user is a member of multiple user groups, more than one of the groups can be granted access to the same restricted agent. In such cases, the time restrictions of the groups are combined, which can expand the time that a user is allowed to access the agent.
For example, suppose that a user is a member of two user groups: Marketing and Sales. Both groups have access to the same restricted agent. If the restricted access time for the members of Marketing is from 8:00 a.m. to 5:00 p.m. and the restricted access time for members of Sales is from 9:00 a.m. to 7:00 p.m., the user can access the agent from 8:00 a.m. to 7:00 p.m.
Restricted Access Times for Users in Nested User Groups
In general, user groups nested in a parent group share the same restricted access times with the parent user group. However, when both the parent and the nested user groups are granted access to the same agent, time restrictions are combined in the same way that times are combined for users in multiple user groups.
For example, suppose that a user is a member of two user groups: Marketing and Sales. Marketing is nested within Sales, and both groups have access to the same restricted agent. If the restricted access time for members of Marketing is from 8:00 a.m. to 5:00 p.m. and the restricted access time for members of Sales is from 9:00 a.m. to 7:00 p.m., a member of Marketing can access the restricted agent from 8:00 a.m. to 7:00 p.m.
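An audit sketch for the combining behavior described in the two sections above, added here as an example and not taken from Authentication Manager: it merges the windows of every group that grants a user access to the same agent, following nesting upward, and lists users whose combined hours exceed any single group's. All group, user and agent names are constructed, and treating a nested group's member as a member of the parent is a modeling assumption.

```python
# Added example: group names, users and the agent name are constructed.
WINDOWS = {"Marketing": (8, 17), "Sales": (9, 19), "Support": (20, 23)}
MEMBERS = {"Marketing": {"alice", "bob"}, "Sales": {"alice", "carol"},
           "Support": {"carol"}}
GRANTS = {"vpn-agent": {"Marketing", "Sales", "Support"}}
NESTING = {"Marketing": "Sales"}   # child -> parent, as in the nested example

def merge(windows):
    """Union of (start_hour, end_hour) windows; overlapping ones are joined."""
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def groups_of(user, members, parent):
    """Groups the user belongs to directly, plus every parent above them."""
    found = set()
    todo = [g for g, users in members.items() if user in users]
    while todo:
        group = todo.pop()
        if group not in found:
            found.add(group)
            if group in parent:
                todo.append(parent[group])
    return found

def effective_windows(user, agent, parent):
    """Hours the user can reach the agent once all granted groups combine."""
    granted = groups_of(user, MEMBERS, parent) & GRANTS.get(agent, set())
    return merge(WINDOWS[g] for g in granted)

def widened_users(agent, parent):
    """Users whose combined hours exceed what any one of their groups allows."""
    report = {}
    for user in sorted(set().union(*MEMBERS.values())):
        combined = effective_windows(user, agent, parent)
        granted = groups_of(user, MEMBERS, parent) & GRANTS.get(agent, set())
        if combined and all([WINDOWS[g]] != combined for g in granted):
            report[user] = combined
    return report

if __name__ == "__main__":
    print("flat groups:  ", widened_users("vpn-agent", {}))
    print("with nesting: ", widened_users("vpn-agent", NESTING))
```

Running the report with and without the nesting map shows which users gain hours only because a nested group and its parent are both granted access to the agent.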