Identity Template: configurable per customer

Temporary Privilege Elevation

Grant time-boxed elevated access (an admin role or privileged group) with automatic expiry and a full audit trail, configurable per customer.

Integrates with

Entra ID, Okta

The problem

Standing administrative access is one of the largest avoidable risks in mid-market IT. Privileges granted "just for now" rarely get removed, and they accumulate until a security review finds accounts with rights nobody remembers approving.

What AscendCore does

A user or admin requests elevated access from Slack or Teams. AscendCore proposes adding them to the privileged group for a fixed window, routes it to an approver, and on approval schedules the automatic removal so the elevation expires on its own. Every grant and expiry is appended to the tamper-evident audit chain.

Status

Template. The elevation groups, time windows, and approver routing are configurable per customer. Connect it to your Entra ID or Okta tenant to enable.

Runbook source preview

Versioned, deterministic, auditable

Every runbook is defined as a versioned YAML manifest with explicit triggers, steps, and approval policies. The runbook itself is the audit-ready record of what AscendCore can and will do. Chat is just the interface that triggers it.

name: temporary-privilege-elevation
trigger:
  channels: [slack, teams]
  intents: [privilege_elevation]
steps:
  - resolve_target_user
  - resolve_elevation_group
  - admin_approval
  - add_to_group_with_ttl     # window configurable per request
  - schedule_auto_revoke      # elevation expires on its own
approval:
  required: true
  approvers: [it-admins, sec-team]
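
The grant, scheduled revoke, and audit-chain steps above, sketched as an added example (this is not AscendCore code). The `ElevationLedger` class, the in-memory membership dict standing in for an Entra ID or Okta group, and the SHA-256 hash-chain layout are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def digest(prev, event):
    """Hash an event together with the previous record's hash."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


class ElevationLedger:
    """Hypothetical stand-in: a privileged group plus a hash-chained audit log."""

    def __init__(self):
        self.members = {}  # (user, group) -> expiry time in epoch seconds
        self.chain = []    # records of {"event", "prev", "hash"}

    def _append(self, event):
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        self.chain.append({"event": event, "prev": prev, "hash": digest(prev, event)})

    def grant(self, user, group, approver, now, ttl_seconds):
        # Mirrors "approval: required: true": no approver, no elevation.
        if not approver:
            raise PermissionError("approval is required before elevation")
        expires = now + ttl_seconds
        self.members[(user, group)] = expires
        self._append({"type": "grant", "user": user, "group": group,
                      "approver": approver, "at": now, "expires": expires})
        return expires

    def revoke_expired(self, now):
        """The scheduled job: drop every membership whose window has closed."""
        expired = sorted(k for k, exp in self.members.items() if exp <= now)
        for user, group in expired:
            del self.members[(user, group)]
            self._append({"type": "expiry", "user": user, "group": group, "at": now})
        return expired


def verify_chain(chain):
    """Return the index of the first broken record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return -1
```

A chain like this detects edits only if the latest hash is also recorded somewhere the log writer cannot rewrite; otherwise an attacker with write access can recompute every hash after the change.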