You can assign restricted access times to user groups to control when members of a user group can access a restricted agent.
For example, suppose you want to limit access for users in Boston. You can add the Boston users to a group and restrict access times from 8:00 a.m. to 5:00 p.m. Authentication Manager provides Access Time templates that reflect typical times you may want to restrict access to agents. In this example, you can use the “8am - 5pm Weekdays” template instead of configuring these times manually.
Be aware of the following behaviors and limitations:
All times are relative to the time zone that you select when you configure restricted access times.
Authentication Manager does not support fractional time zones. Use an available time zone closest to the desired fractional time zone.
Authentication Manager does automatically adjust for Daylight Saving Time changes.
Restricted access times are relative to the time zone of the primary instance. If users are in different geographic locations, you must account for the time differences. To accommodate the time differences, you can configure group membership and access time restrictions in two ways:
Configure two or more user groups based on geographic location and set a different access time for each group. You must compensate for the time difference between the primary instance and the location of the users by configuring different restricted access times for each group. RSA recommends this method because it offers more administrative control over access times and over a user’s ability to access the restricted agent.
For example, you can create a user group for Boston and a user group for London, each with a different restricted access time. On the primary instance in Boston, you restrict the Boston group from 8:00 a.m. to 5:00 p.m., and restrict the London group from 3:00 a.m. to 12:00 p.m. (which is 8:00 a.m. to 5:00 p.m. in London).
Alternatively, you can select the local time zone when configuring restricted access times. In the previous example, you could specify the local time zone for each user group before configuring the restricted access times.
Configure a single user group for users in multiple geographic locations and set the same access time for both groups. Make sure that the restricted access times include the entire work day for all members of the user group.
For example, a user group that contains users in Boston and London might require a restricted access time from 3:00 am to 5:00 p.m. Eastern Standard Time.
When a user is a member of multiple user groups, more than one group can be granted access to the same restricted agent. The time restrictions of the groups are combined, which can expand the time that a user is allowed to access the agent.
For example, suppose that a user is a member of Marketing and Sales. Both groups have access to the same restricted agent. If the restricted access time for the members of Marketing is from 8:00 a.m. to 5:00 p.m. and the restricted access time for members of Sales is from 9:00 a.m. to 7:00 p.m., the user can access the agent from 8:00 a.m. to 7:00 p.m.
In general, user groups nested in a parent group share the same restricted access times with the parent user group. However, when both the parent and the nested user groups are granted access to the same agent, time restrictions are combined in the same way that times are combined for users in multiple user groups.
For example, suppose that a user is a member of Marketing and Sales. Marketing is nested within Sales, and both groups have access to the same restricted agent. If the restricted access time for members of Marketing is from 8:00 a.m. to 5:00 p.m. and the restricted access time for members of Sales is from 9:00 a.m. to 7:00 p.m., a member of Marketing can access the restricted agent from 8:00 a.m. to 7:00 p.m.