# Pattern: Time-boxed Privilege Elevation

Status: seed
Readiness target: RL3 production
Primary owners: NetKingdom, ops-warden, flex-auth
Genesis family: Identity and access

## Problem

Permanent privileged access increases blast radius and makes it hard to
distinguish ordinary access from exceptional authority.

## Context

Use this pattern for operator access, tenant admin elevation, emergency
maintenance, agent tasks, production data access, and SSH certificate
issuance.

## Forces

- Operators need enough authority to fix incidents.
- Privilege should expire automatically.
- Elevation should include reason, scope, approval, and audit.
- Break-glass must remain separate from ordinary elevation.

## Solution

Grant privileged roles or credentials only for a bounded purpose, scope,
and TTL. The elevation request records actor, tenant, resource, reason,
approval, assurance, and expiration.

## Verification

- Elevated access expires without manual cleanup.
- The platform records who elevated, why, for what, and until when.
- Expired elevation cannot be reused by agents or background sessions.
- Emergency break-glass paths are distinguishable from normal elevation.
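
The following is an added example, not part of the pattern text or of any owner's code. It shows the Solution's request record and the Verification checks enforced at use time. `ElevationService`, `Grant`, the `kind` values and the TTL ceilings in `MAX_TTL` are hypothetical names and assumed policy, and the grant is assumed to be held server-side rather than handed to the caller.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

# Assumed policy: separate TTL ceilings keep break-glass distinct from ordinary elevation.
MAX_TTL = {"elevation": timedelta(hours=1), "break_glass": timedelta(minutes=15)}

@dataclass(frozen=True)
class Grant:
    kind: str        # "elevation" or "break_glass", carried into every audit record
    actor: str
    tenant: str
    resource: str
    reason: str
    approval: str    # approver identity or ticket reference
    assurance: str   # how the actor authenticated, e.g. "mfa"
    expires_at: datetime

class ElevationService:
    def __init__(self):
        self.ledger = []  # in-memory stand-in for a central audit ledger

    def _audit(self, event, grant, now):
        self.ledger.append({"event": event, "at": now, **asdict(grant)})

    def elevate(self, kind, actor, tenant, resource, reason, approval, assurance, ttl, now):
        if kind not in MAX_TTL:
            raise ValueError(f"unknown elevation kind: {kind}")
        if not (reason and approval and assurance):
            raise ValueError("reason, approval and assurance are required")
        if not timedelta(0) < ttl <= MAX_TTL[kind]:
            raise ValueError(f"ttl must be positive and at most {MAX_TTL[kind]}")
        grant = Grant(kind, actor, tenant, resource, reason, approval, assurance, now + ttl)
        self._audit("granted", grant, now)
        return grant

    def authorize(self, grant, actor, tenant, resource, now):
        # Evaluated on every privileged call, so expiry needs no cleanup job and a
        # grant still referenced by an agent or background session stops working.
        if now >= grant.expires_at:
            event = "denied_expired"
        elif (actor, tenant, resource) != (grant.actor, grant.tenant, grant.resource):
            event = "denied_out_of_scope"
        else:
            event = "allowed"
        self._audit(event, grant, now)
        return event == "allowed"
```

Passing `now` explicitly keeps the expiry logic testable; a deployment would take it from a trusted server clock, never from the caller.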

## Related Patterns

- Short-Lived SSH Certificates.
- Short-lived Credentials.
- Break-glass Access.
- Central Audit Ledger.