Overview
When an employee receives a new job function due to changing department, projects, roles or similar, they immediately require appropriate access fitting for their new position to be able to access the tools they need.
To ensure least privilege, these employees should also lose access relevant to their previous role that they no longer need. But immediately following a transition, they may have outstanding tasks, incomplete projects or other items related to their previous role that require clean up, hand over or tidying.
To ensure users can receive their new access levels immediately while retaining their previous access levels temporarily, Torii offers a Grace Period: an optional, fixed time frame after a position transition during which the user is still considered “in policy”. Only when the time frame ends (assuming nothing else changes) does the user’s state change to “out of policy”, at which point it should be remediated.
This article dives into Torii's grace period: What does it do, how it is configured, and how it works. It assumes you are using Torii's access governance feature and have governance policies set up. You can read more about those here.
What is a grace period?
A Grace Period is a configurable time frame that starts when a user no longer meets an access policy due to a change in their attributes. For example, this can be a:
- Department change
- Role or title update
- Group membership change
During the grace period, the user remains in policy and their access is retained. When the grace period expires, if the user still does not meet the policy criteria, they are marked as out of policy.
How do grace periods work?
Each time an active policy is monitored, Torii keeps track of relevant users' inclusion in the groups configured by you in Torii. Torii also detects and logs when a user is no longer part of a group they were in previously (due to change in the user's attributes, or due to change in the group definition).
When a user's access is determined to be out of policy, Torii checks the user's records to verify whether they recently left a group that provided their current access levels. If such a group is found, the user is not considered a policy deviation and is put into a grace period instead.
This temporary state lasts until the set end date, after which the user's access becomes a deviation (assuming no other changes are made).
When should I use grace periods?
You should use Torii's grace period when:
- You are utilizing Torii's Access governance feature
- You want to support delayed privilege removal (allowing users who transition roles to temporarily retain access to their previous apps) so they can complete or hand over tasks and projects.
How do I configure grace periods for my policies?
The grace period is a global setting affecting all your policies (it cannot be configured on a per-policy basis). You can find the setting for it under the Access governance setting button in any tab in the Access Governance page.
In this page, you can enable or disable the grace period, and set the number of days of temporary access it provides.
Where can I see which users are in a grace period?
You can find all users currently in grace period in the Grace Period tab in the Access Governance page.
In this page, you can see:
- Which users are in a grace period
- For which app, account and role
- Which group previously provided them this access
- When the grace period will end
You can also extend or immediately end each user's grace period. Ending a user's grace period will mark their access as out-of-policy (a policy deviation).
Important notes
- Currently, Grace periods are not supported for IdP group-membership based policies.
Best practices
- Use a duration that matches your organization’s workflows: Choose a grace period that reflects how long role transitions typically take in your organization. This allows you to balance control, flexibility and risk.
- Use Grace Period to reduce disruption—not to delay enforcement indefinitely: A grace period is intended to give users time to complete ongoing work after a role change. It should not be used to postpone necessary access cleanup.
- Monitor the Grace Period tab regularly: Users in a grace period are temporarily compliant but may become out of policy soon. Regular review helps prevent overlooked access risks.
- Extend only when necessary: Use extensions selectively and investigate recurring patterns. Frequent extensions may indicate:
  - Access policies need adjustment, or
  - Role transition processes are taking longer than expected
- Ensure upstream data is accurate: Grace periods rely on accurate and timely updates to user attributes (such as department or role). Delays or inconsistencies in source systems can impact policy evaluation and grace period behavior.