BetterCloud is committed to helping you implement a least privilege model—a security best practice—in your SaaS environment. A least privilege model delegates the minimum amount of access necessary to a specific user. It is critical to ensure that users only have access to what they actually need, since excessive privileges can increase the risk of a security incident or data breach.
The first steps in implementing the least privilege model are setting up granular access roles
and creating a policy that automatically remediates excessive super admin privileges (like we outlined in this product tip). The next step is using time-based roles. This enhancement allows IT to restrict delegated privileges to specific time intervals so that people only have elevated access when they need it.
Here are three popular use cases:
1. Delegate access temporarily when a super admin goes on vacation
Time-based roles are useful when a super admin is on vacation. They can delegate access to another team member for the set period of time that they will be away. This ensures that work won’t slow down while they are out of the office and that no one retains elevated access for longer than they need.
2. Give auditors or contractors temporary access with an expiration date
Additionally, IT can give auditors or contractors access (for example, to export audit logs or download files from their CRM) for a set amount of time. However, because they are external users, it’s especially important that their access expire once they’ve completed their work. Time-based roles give IT admins the ability to pre-set an expiration date for auditors or contractors.
3. Give help desk admins access only during weekday work hours
Time-based roles can also be used to set daily restrictions on what hours admins have access to elevated privileges. If you don’t want users to have access to their BetterCloud privileges after a certain time of day, you can use time-based roles to enforce this policy. This limits access for help desk admins who should not be logging in outside typical work hours. For example, it can help prevent privileged access abuse, unsanctioned changes made over the weekend, etc.
Creating time-based roles in BetterCloud is simple. Once you select “New” in the “Privileges” tab, you are able to configure the role to your liking. You can schedule the access expiration date or set daily custom restrictions, depending on your business requirements.
For more information on this use case, check out this article in our Help Center.