Session Behavior
Overview
The Secure Access Console controls access to its resources through the use of a session. A session is tied to a user and is created after the user authenticates and logs into the Secure Access Console. The session ends when it expires after a set time or when the user logs out.
In addition, when a session inactivity timeout is set, the user is logged out after a set period of inactivity.
When a user is logged out of the Secure Access Console due to session expiration or inactivity timeout, they must re-authenticate to regain access to the application.
Timeout Settings
Session duration and inactivity timeout for the Secure Access Console are set to the following values:
User Type | Session Duration | Inactivity Timeout | Description |
---|---|---|---|
Privileged users | 24 hours | 15 minutes | Privileged users are users granted scopes through roles that give them access to read or write sensitive data. They can access both the Secure Access Admin Console and Dashboard. |
Non-privileged users | 24 hours | None | Non-privileged users are users with no scopes. They either have no role or have been assigned a role with no scopes. These users can only access the Secure Access Dashboard. |
Definitions:
- Session duration: Amount of time before a session expires.
- Session inactivity timeout: Amount of time the user can remain inactive before being logged out.
Session Termination Due to Administrative Changes
In addition to the standard timeouts, an active session is also terminated when an administrative change revokes the user's access privileges.
The following administrative actions result in immediate logout:
- The user is suspended.
- The user loses access to a role that grants scopes (privileged access).
This can happen under the following scenarios:
If the user was directly assigned to the role:
- The user is unassigned from the role.
- Scopes are removed from the role.
- The role is deleted.
If the user belonged to a group assigned to the role:
- The user is removed from the group.
- The group is unassigned from the role.
- The group is deleted.
- Scopes are removed from the role.
- The role is deleted.
After any of these changes, the user must re-authenticate and will only regain access if they are assigned to a role with the appropriate scopes.
Session Termination on Role Permission Changes
Sessions are automatically terminated if a user’s role permissions are downgraded or if the account is suspended. Actions that can trigger session termination include:
- Removing a user, or a group the user belongs to, from a role
- Removing permission scopes from a role the user is assigned to directly or through a group
- Deleting a role the user is assigned to directly or through a group
When a session is terminated due to a role permission change, the console will redirect to the login screen with a message indicating that the logout was caused by updated role permissions. Users who have not been suspended can log back in immediately, and their new session will reflect the updated role permissions.
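The following Python is an added illustration of the rules on this page, not Secure Access Console code: it models the Timeout Settings table (24-hour session duration for everyone, 15-minute inactivity timeout only for privileged users) together with the termination rules in the two sections above (suspension, and loss of a scope-granting role whether assigned directly or through a group). The class names, the `granting_roles` check, the status strings and the sample users and roles are all invented for the example, and the order in which the checks are applied is an assumption.

```python
"""Model of the session rules on this page. Added example, not product code;
names, status strings and the constructed directory are invented."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SESSION_DURATION = timedelta(hours=24)                 # both user types
PRIVILEGED_INACTIVITY_TIMEOUT = timedelta(minutes=15)  # privileged users only


@dataclass
class Role:
    scopes: set = field(default_factory=set)


@dataclass
class User:
    name: str
    suspended: bool = False
    direct_roles: set = field(default_factory=set)   # role names assigned directly
    groups: set = field(default_factory=set)         # groups the user belongs to


@dataclass
class Directory:
    """Roles and group->role assignments (constructed state for the example)."""
    roles: dict = field(default_factory=dict)        # role name -> Role
    group_roles: dict = field(default_factory=dict)  # group name -> set of role names

    def granting_roles(self, user):
        """Roles reachable directly or via a group that still exist and still
        carry at least one scope: the roles that make the user privileged."""
        reachable = set(user.direct_roles)
        for group in user.groups:
            reachable |= self.group_roles.get(group, set())
        return {n for n in reachable if n in self.roles and self.roles[n].scopes}


@dataclass
class Session:
    user: str
    created_at: datetime
    last_activity: datetime
    granting_roles_at_login: frozenset   # snapshot used to detect a downgrade

    @property
    def privileged(self):
        return bool(self.granting_roles_at_login)


def login(user, directory, now):
    """Create a session after authentication; a suspended user gets none."""
    if user.suspended:
        return None
    return Session(user.name, now, now, frozenset(directory.granting_roles(user)))


def touch(session, now):
    """Record user activity, which resets the inactivity clock."""
    session.last_activity = now


def session_status(session, user, directory, now):
    """Return 'active' or the reason the session is terminated (check order
    is an assumption: administrative revocation, then lifetime, then idleness)."""
    if user.suspended:
        return "suspended"
    # A role that granted scopes at login but is now unreachable, deleted, or
    # stripped of its scopes ends the session (covers every scenario listed).
    if session.granting_roles_at_login - directory.granting_roles(user):
        return "privileges_revoked"
    if now - session.created_at >= SESSION_DURATION:
        return "expired"
    if session.privileged and now - session.last_activity >= PRIVILEGED_INACTIVITY_TIMEOUT:
        return "inactive"
    return "active"


def demo():
    """Walk the page's scenarios with constructed users; returns status per case."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    directory = Directory(roles={"auditor": Role({"reports:read"}), "viewer": Role()},
                          group_roles={"sec-team": {"auditor"}})
    alice = User("alice", groups={"sec-team"})       # privileged, via group
    bob = User("bob", direct_roles={"viewer"})       # role with no scopes
    r = {}
    s = login(alice, directory, t0)
    r["privileged_idle_16m"] = session_status(s, alice, directory, t0 + timedelta(minutes=16))
    touch(s, t0 + timedelta(minutes=10))
    r["privileged_touched"] = session_status(s, alice, directory, t0 + timedelta(minutes=16))
    s2 = login(bob, directory, t0)
    r["nonprivileged_idle_5h"] = session_status(s2, bob, directory, t0 + timedelta(hours=5))
    r["nonprivileged_25h"] = session_status(s2, bob, directory, t0 + timedelta(hours=25))
    s3 = login(alice, directory, t0)
    directory.group_roles["sec-team"].discard("auditor")   # group unassigned from role
    r["group_unassigned"] = session_status(s3, alice, directory, t0 + timedelta(minutes=1))
    r["relogin_is_privileged"] = login(alice, directory, t0 + timedelta(minutes=2)).privileged
    alice.suspended = True
    r["suspended"] = session_status(s3, alice, directory, t0 + timedelta(minutes=3))
    r["suspended_login"] = login(alice, directory, t0 + timedelta(minutes=3))
    return r


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The snapshot of scope-granting roles taken at login is what lets one check cover all of the listed scenarios: unassigning the user or group, deleting the group or role, and removing the role's scopes all make a previously granting role drop out of the current set. Re-authenticating after the downgrade, as the page describes, produces a session whose snapshot reflects the reduced permissions.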