AC-02 1103 Configurable Session Expiration and Auto-Logout for Users
Last modified: May 22, 2026
Introduction
This document describes how Private Mendix Platform fulfills the AC-02 (05) control.
| Control ID | AC-02 (05) |
|---|---|
| Control category | AC - Access Control |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Mendix - Private Mendix Platform, Customer - Org |
Control
The organization requires that users are logged out after an organization-defined period of inactivity.
Responsibility
Customer Responsibility
The customer administrator must configure this feature properly according to the organization's own access policy.
Guidance
Customer Responsibility
The customer must configure this feature by performing the following steps:
- Log in to Private Mendix Platform as a user with the System Admin role.
- Go to Settings > Identity & Access Settings.
- In the Session Duration section, specify the number of hours in the "Set maximum period for automatic session expiration" field.
- Set the "Show notification before log user out" toggle to ON.
Proof and Remarks
The System Admin configures and enables the feature:
The user is logged out after the configured time period:
If the Show notification option is on, the user is alerted before they are logged out: