In PASM, approving a session request grants a user access to a specific connection. It is important to note that terminating an active session does not automatically revoke the underlying permission. To fully revoke access—whether the user is currently connected or not—an Administrator must manually modify the permissions on the connection itself.
Understanding Access Scenarios
Regardless of the user's current status, access persists until explicitly removed:
- Scenario 1: User is actively connected. Terminating the session disconnects the user, but the granted permission remains. Without further action, the user can reconnect immediately.
- Scenario 2: User is not currently connected. Any previously granted permissions remain active, allowing the user to initiate a new session without requiring further approval (subject to expiration settings).
Steps to Revoke Session Access
To remove granted access, you must manage the permissions for the specific PASM connection.
- In PASM, navigate to Resources -> Connections and identify the target connection that you want to edit.
- Open the Action Menu for that connection (the 3 dots icon) and select Permissions.
- In case of multiple users, click inside the search field and enter at least 3 characters to find the relevant user or role.
- Select the user or role from the filtered list (limited to the top 5 matches).
- To revoke direct access, update the configuration for the selected user/role:
- Deselect "Use": This is the most critical step. Removing the Use permission prevents the user from connecting directly to the endpoint. The Connect button will no longer be available to them.
- Remove the Expiration Date: If an expiration date is set, clear it. This ensures that the previous temporary approval is fully purged alongside the Use permission. (Note: This option is only visible while "Use" is enabled.)
- Maintain "Request" (Optional): Keep the Request permission enabled if you wish to maintain the standard approval workflow. This ensures that while the user has lost direct/persistent access, they may still submit a new request for Administrator approval in the future.
Once the Use permission is deselected and the configuration is saved:
- The previously granted direct access is immediately revoked.
- The user is unable to reconnect automatically.
- Any future access attempts will require a new approval request via the standard PASM workflow.
These steps are effective regardless of whether the session is currently active, idle, or previously utilized.