# Pattern: Time-boxed Privilege Elevation Status: seed Readiness target: RL3 production Primary owners: NetKingdom, ops-warden, flex-auth Genesis family: Identity and access ## Problem Permanent privileged access increases blast radius and makes it hard to distinguish ordinary access from exceptional authority. ## Context Use this pattern for operator access, tenant admin elevation, emergency maintenance, agent tasks, production data access, and SSH certificate issuance. ## Forces - Operators need enough authority to fix incidents. - Privilege should expire automatically. - Elevation should include reason, scope, approval, and audit. - Break-glass must remain separate from ordinary elevation. ## Solution Grant privileged roles or credentials only for a bounded purpose, scope, and TTL. The elevation request records actor, tenant, resource, reason, approval, assurance, and expiration. ## Verification - Elevated access expires without manual cleanup. - The platform records who elevated, why, for what, and until when. - Expired elevation cannot be reused by agents or background sessions. - Emergency break-glass paths are distinguishable from normal elevation. ## Related Patterns - Short-Lived SSH Certificates. - Short-lived Credentials. - Break-glass Access. - Central Audit Ledger.