diff --git a/docs/pages/access-controls/access-requests/access-request-configuration.mdx b/docs/pages/access-controls/access-requests/access-request-configuration.mdx index 84a34cc8df2bf..05c78ce360b1b 100644 --- a/docs/pages/access-controls/access-requests/access-request-configuration.mdx +++ b/docs/pages/access-controls/access-requests/access-request-configuration.mdx @@ -189,6 +189,15 @@ privileges: earlier, whichever is shorter. Otherwise, set the duration of elevated privileges to the session TTL. +### Setting when users can assume elevated privileges + +When creating or reviewing Access Requests, you can specify the earliest time +that a user can assume elevated privileges by using the `--assume-start-time` +flag. This flag is available for the +[`tsh request create`](../../reference/cli/tsh.mdx#tsh-request-create) and [`tsh request +review`](../../reference/cli/tsh.mdx#tsh-request-review) commands. The format accepted +is defined in [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339), e.g, `2023-12-12T23:20:50.52Z`. + ### The `request.max_duration` field The `max_duration` option indicates the maximum length of time that a user is diff --git a/docs/pages/reference/cli/tsh.mdx b/docs/pages/reference/cli/tsh.mdx index 0efcbc3cffa4b..5576ddbd997e9 100644 --- a/docs/pages/reference/cli/tsh.mdx +++ b/docs/pages/reference/cli/tsh.mdx 
@@ -1077,6 +1077,7 @@ $ tsh request create [] | `--request-ttl` | 1 hour | Relative duration like `5s`, `2m`, or `3h`, | Defines how long the Access Request will be in a `PENDING` state before becoming invalid | | `--session-ttl` | Time left on current session | Relative duration like `5s`, `2m`, or `3h` | Defines how long the elevated session will be valid for | | `--max-duration` | none | Relative duration like `5s`, `2m`, `3h`, or `7d` | Defines the maximum duration of the elevated session up to 7 days. The assigned role also must have `max_duration` option specified (optional) | +| `--assume-start-time` | none | String | Sets time roles can be assumed by requestor (RFC3339) | The `--request-ttl` and `--session-ttl` values can not be greater than the @@ -1140,6 +1141,7 @@ $ tsh request review [] | `--approve` | `false` | `true` or `false` | Review proposes approval | | `--deny` | `false` | `true` or `false` | Review proposes denial | | `--reason` | none | String | Review reason message | +| `--assume-start-time` | none | String | Sets time roles can be assumed by requestor (RFC3339) | ### Arguments
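Review bot: The new "Setting when users can assume elevated privileges" section in access-request-configuration.mdx (hunk `@@ -189,6 +189,15 @@`) does not say which value applies when the requester passes `--assume-start-time` on `tsh request create` and a reviewer passes a different one on `tsh request review`. It also does not say how the start time interacts with the session TTL and `max_duration` rules described just above it. Please state the precedence, and what happens when the start time falls after the elevated privileges would already have expired, since reviewers rely on this to bound the access window. A short example invocation using the timestamp already quoted would help. Nit on the last added line: `e.g,` should be `e.g.,`.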
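Review bot: In the `tsh request create` flags table in tsh.mdx (hunk `@@ -1077,6 +1077,7 @@`), the new `--assume-start-time` row gives the allowed value only as `String`, while the neighbouring rows spell out the accepted format ("Relative duration like `5s`, `2m`, or `3h`"). Suggest putting the format in that column, for example "RFC 3339 timestamp like `2023-12-12T23:20:50.52Z`", reusing the example from access-request-configuration.mdx. Consider rewording the description to "Earliest time at which the requester can assume the requested roles". The spelling `RFC3339` here also differs from `RFC 3339` in the other file, so pick one.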
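Review bot: In the `tsh request review` flags table in tsh.mdx (hunk `@@ -1140,6 +1141,7 @@`), the added `--assume-start-time` row is a verbatim copy of the `tsh request create` row and does not describe what the flag means when a reviewer sets it. Please say whether the reviewer's value replaces the start time supplied by the requester, and whether the flag has any effect when the review is submitted with `--deny` rather than `--approve`, which are the two rows directly above it. As in the create table, the allowed-values column should name the RFC 3339 format instead of `String`.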