generated from coulomb/repo-seed
Pattern: Time-boxed Privilege Elevation
Status: seed
Readiness target: RL3 production
Primary owners: NetKingdom, ops-warden, flex-auth
Genesis family: Identity and access
Problem
Permanent privileged access increases blast radius and makes it hard to distinguish ordinary access from exceptional authority.
Context
Use this pattern for operator access, tenant admin elevation, emergency maintenance, agent tasks, production data access, and SSH certificate issuance.
Forces
- Operators need enough authority to fix incidents.
- Privilege should expire automatically.
- Elevation should include reason, scope, approval, and audit.
- Break-glass must remain separate from ordinary elevation.
Solution
Grant privileged roles or credentials only for a bounded purpose, scope, and TTL. The elevation request records actor, tenant, resource, reason, approval, assurance, and expiration.
Verification
- Elevated access expires without manual cleanup.
- The platform records who elevated, why, for what, and until when.
- Expired elevation cannot be reused by agents or background sessions.
- Emergency break-glass paths are distinguishable from normal elevation.
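A minimal sketch of the elevation record and the checks listed above, added here as an illustration and not taken from the platform's own code. The names `Elevation`, `grant`, `authorize`, `AUDIT_LOG`, the `kind` field and the one-hour `MAX_TTL_SECONDS` ceiling are all assumptions; the in-memory list stands in for a central audit ledger.

```python
import time
from dataclasses import dataclass, asdict

MAX_TTL_SECONDS = 3600  # assumed policy ceiling, not specified by the pattern
AUDIT_LOG = []          # hypothetical stand-in for a central audit ledger

@dataclass(frozen=True)
class Elevation:
    actor: str
    tenant: str
    resource: str
    reason: str
    approval: str         # approver identity or ticket reference
    assurance: str        # how the actor was authenticated
    expires_at: float     # absolute epoch seconds, fixed at grant time
    kind: str = "normal"  # "normal" or "break-glass", kept distinct in the audit

def grant(actor, tenant, resource, reason, approval, assurance,
          ttl, kind="normal", now=None):
    """Issue an elevation bounded by purpose, scope and TTL, and audit it."""
    now = time.time() if now is None else now
    if not reason.strip() or not approval.strip():
        raise ValueError("reason and approval are required")
    if not 0 < ttl <= MAX_TTL_SECONDS:
        raise ValueError("ttl outside the allowed bound")
    if kind not in ("normal", "break-glass"):
        raise ValueError("unknown elevation kind")
    e = Elevation(actor, tenant, resource, reason, approval, assurance,
                  now + ttl, kind)
    AUDIT_LOG.append({"event": "granted", "at": now, **asdict(e)})
    return e

def authorize(e, actor, tenant, resource, now=None):
    """Check scope and expiry on every use, so no cleanup job is needed."""
    now = time.time() if now is None else now
    in_scope = (e.actor, e.tenant, e.resource) == (actor, tenant, resource)
    allowed = in_scope and now < e.expires_at
    AUDIT_LOG.append({"event": "allowed" if allowed else "denied", "at": now,
                      "actor": actor, "tenant": tenant, "resource": resource,
                      "kind": e.kind})
    return allowed
```

Because expiry is evaluated against the stored `expires_at` at each use, an agent or background session holding an old elevation is denied without any revocation step.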
Related Patterns
- Short-Lived SSH Certificates.
- Short-lived Credentials.
- Break-glass Access.
- Central Audit Ledger.