Ephemeral Privilege

The Principle

Temporary access must be a first-class concept in the identity model. On-call engineers need elevated permissions only during their rotation. Contractors need access only for the duration of their engagement. Emergency responders need break-glass access that expires automatically. Time-bound access is not an afterthought. It is not managed with calendar reminders and “don't forget to revoke” tickets.

The Problem With Standing Privilege

A permission that exists permanently can be exploited for as long as it exists. A person who has production database access because they were on call six months ago still has that access today because no one revoked it. Standing privilege is the accumulation of temporary needs that were never cleaned up.

Time as a Dimension of Access

In the declarative model, access definitions can include temporal constraints: start dates, end dates, duration limits, recurring windows. A contractor's access expires on their contract end date without anyone filing a ticket. An on-call engineer's elevated permissions activate at the start of their rotation and deactivate at the end. An emergency access grant expires after a defined window and must be explicitly renewed.

This addresses the class of problems where temporary access becomes permanent through neglect. The system enforces time boundaries with the same reliability that it enforces permission boundaries.

Antipatterns

• Temporary access is tracked with calendar reminders and manual revocation tickets.
• No one can list which access grants have exceeded their intended duration.
• Contractor access persists after the contract ends because no one filed a revocation ticket.
• Standing privilege is the default, not the exception.