My understanding is, that roles can be restricted to a time period, like only Mondays and Tuesdays or only from 8 am to 6 pm or from January 1st 2020 to December 31st 2020. This can be achieved by a time policy.
My problem is to restrict the assignment of a role to a user for configurable time period (1 year, 2 Years, …) and NOT the role itself. After the period ends, the user is actively informed about the planned termination of this role assignment.
He can then extend the assignment for another period or the assignment terminates.
The goal is to prevent people working for the Company over years to collect roles and keep them for ever, as people tend to never give up what they have.
Is there a way to achieve this in Keycloak out of the box or does anyone know a Extension for this?
Thanks in advance.