6.4 KiB
Data Model: Enterprise Access Boundary & Support Access Governance v1
Date: 2026-05-05
Branch: 276-support-access-governance
Overview
This slice adds one new workspace-owned truth: support-access grant history. Existing audit_logs, BreakGlassSession, and workspace settings remain in place. The new grant history drives support-access state, approval, expiry, and recovery gating.
Persisted Truth
1. Support Access Grant
Persistence: New support_access_grants table
Ownership: Workspace-owned
Scope: Many historical rows per workspace, with dedupe preventing overlapping active or pending grants for the same workspace, platform actor, and scope.
| Field | Type | Nullable | Validation | Notes |
|---|---|---|---|---|
id |
bigint | no | primary key | Internal record id |
workspace_id |
bigint | no | foreign key | Primary customer scope anchor |
requested_by_platform_user_id |
bigint | no | foreign key | Platform actor who requested support access |
approved_by_user_id |
bigint | yes | foreign key | Workspace owner who approved the risky recovery path |
scope |
string | no | one of audit_view, workspace_recovery |
Bounded v1 support scope catalog |
status |
string | no | one of requested, active, denied, expired, ended |
Lifecycle state |
approval_mode |
string | no | one of auto, owner_required, ownerless_waiver |
Explains why approval did or did not occur |
reason |
text | no | trimmed, min length 5 | Operator-supplied reason |
waiver_reason |
text | yes | required when approval_mode=ownerless_waiver |
Explicit ownerless recovery waiver context |
ttl_minutes |
integer | no | positive integer, bounded max from config or policy | Requested active duration |
requested_at |
datetime | no | set on creation | Request timestamp |
approved_at |
datetime | yes | required when owner approval occurs | Approval timestamp |
starts_at |
datetime | yes | required when grant becomes active | Active timestamp |
expires_at |
datetime | yes | required when grant becomes active | Grant expiry |
ended_at |
datetime | yes | set when support access is ended manually | Manual end timestamp |
denied_at |
datetime | yes | set when owner denies a request | Denial timestamp |
created_at |
datetime | no | standard timestamp | Row creation |
updated_at |
datetime | no | standard timestamp | Row update |
Write rules:
workspace_id,requested_by_platform_user_id, andscopeare immutable once created.requestedis the initial state for every new row.audit_viewmay move directly fromrequestedtoactivewithapproval_mode=auto.workspace_recoverymoves fromrequestedtoactiveonly after owner approval or ownerless waiver.- Active grants may transition to
expiredorended. Requested grants may transition todenied.
Dedupe rule:
- At most one non-terminal row may exist for the same
workspace_id,requested_by_platform_user_id, andscopewhilestatusisrequestedoractive.
Existing Persisted Truth Reused
2. Audit Log
Persistence: Existing audit_logs table
Owner: Existing audit infrastructure
This slice reuses audit_logs for customer-visible history and export. Support-access events become a first-class audit action family.
3. Break-Glass Session
Persistence: Existing session-backed BreakGlassSession
Owner: Existing system-plane emergency control
Break-glass remains session-backed and system-wide. It is not replaced by support-access grant history, but recovery gating now depends on both.
Code-Owned Truth
4. Support Scope Catalog
Persistence: none, code-owned
| Scope | Label | Risk class | Requires owner approval? | Allows mutation? |
|---|---|---|---|---|
audit_view |
Audit trail review | low | no | no |
workspace_recovery |
Workspace recovery | high | yes when owners exist | yes |
5. Approval Mode Catalog
Persistence: none, code-owned
| Mode | Meaning |
|---|---|
auto |
Low-risk support access activated immediately |
owner_required |
Workspace owner must approve before activation |
ownerless_waiver |
No owner existed, so recovery required explicit break-glass-backed waiver |
Derived Truth
6. Active Support Access Summary
Persistence: none, derived at runtime
Owner: SupportAccessGrantResolver
| Field | Type | Required | Notes |
|---|---|---|---|
workspace_id |
int | yes | Current workspace |
active_grant_id |
int | no | Active grant when present |
pending_grant_id |
int | no | Pending risky grant when present |
scope |
string | no | Current or pending scope |
scope_label |
string | no | Operator-facing scope label |
status |
string | yes | Current support-access state summary |
reason |
string | no | Active or pending reason |
requester_label |
string | no | Platform requester display label |
approval_mode |
string | no | Explains activation path |
approver_label |
string | no | Owner approver display label |
expires_at |
datetime | no | Current expiry |
needs_break_glass |
bool | yes | True only for workspace_recovery |
7. Support Access Export Filter
Persistence: none, derived at runtime
Owner: existing admin audit-log page
The filter preset isolates audit actions that belong to the support-access family and remain in the active workspace scope only.
State Transitions
| From | To | Trigger | Consequence |
|---|---|---|---|
| none | requested |
platform operator requests support access | grant becomes pending |
requested |
active |
auto activation or explicit approval | support access becomes active until expiry or manual end |
requested |
denied |
workspace owner denies recovery request | no active support access is granted |
active |
expired |
current time passes expires_at |
recovery and audit-view access end automatically |
active |
ended |
platform operator ends support access | support access ends early |
Boundaries Explicitly Preserved
- No tenant member impersonation, no direct customer session bridge, and no unrestricted admin browsing are introduced.
workspace_recoverydoes not bypass break-glass andaudit_viewdoes not mutate customer state.- Support-access history remains workspace-scoped even when audit rows include tenant references.