Support Access Grant Service
Component Detail
Description
Manages creation, expiry enforcement, and revocation of time-bounded Norse Global Admin support access grants for a tenant organization. Enforces expiry server-side on every access check, not only at grant time. Emits an audit_log entry for every grant and revocation event.
support-access-grant-service
Sources & reasoning
The support-access grant mechanism is called out as a hard tenant-isolation requirement in the feature description. Separating it into its own service ensures expiry is enforced server-side on every access evaluation and that audit trail entries are reliably emitted - concerns that are distinct from general settings CRUD.
No source references — this artifact was included based on reasoning alone (see above).
Responsibilities
- Create a new support access grant with an explicit expiry timestamp
- Revoke an active grant immediately on admin request
- Enforce expiry server-side on every Global Admin access evaluation
- List all active and recently expired grants for the organization
- Emit audit_log entries for grant creation and revocation
Interfaces
createGrant(orgId: string, expiresAt: Date): Promise<SupportAccessGrant>
revokeGrant(orgId: string, grantId: string): Promise<void>
isGrantActive(orgId: string, globalAdminUserId: string): Promise<boolean>
listGrants(orgId: string): Promise<SupportAccessGrant[]>
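The expiry and revocation rules above, as an added TypeScript example that is not the project's own code: an in-memory, synchronous variant of the listed interface (the page's methods return Promises). Grant field names, the counter-based ids, the audit entry shape and the injected clock are assumptions; listGrants returns every stored grant for the organization because the page does not define "recently expired".

```typescript
// Added example, not the service's real code. Field names, ids and audit shape are assumptions.
interface SupportAccessGrant {
  id: string; orgId: string; createdAt: number; expiresAt: number; revokedAt: number | null;
}
interface AuditEntry { action: "grant.created" | "grant.revoked"; orgId: string; grantId: string; at: number; }

class SupportAccessGrantService {
  private grants: SupportAccessGrant[] = [];
  readonly auditLog: AuditEntry[] = [];
  private seq = 0;
  private now: () => number;
  // The clock is injected only so expiry can be tested; it must always be server time.
  constructor(now: () => number = () => Date.now()) { this.now = now; }

  createGrant(orgId: string, expiresAt: Date): SupportAccessGrant {
    const t = this.now();
    const exp = expiresAt.getTime();
    // Fail closed: an invalid or already-past expiry never produces a grant.
    if (isNaN(exp) || exp <= t) throw new Error("expiresAt must be a valid future time");
    const g: SupportAccessGrant = { id: "grant-" + (++this.seq), orgId: orgId, createdAt: t, expiresAt: exp, revokedAt: null };
    this.grants.push(g);
    this.auditLog.push({ action: "grant.created", orgId: orgId, grantId: g.id, at: t });
    return g;
  }

  revokeGrant(orgId: string, grantId: string): void {
    const t = this.now();
    // Match on orgId as well as grantId so one tenant cannot revoke another tenant's grant.
    const g = this.grants.filter(x => x.orgId === orgId && x.id === grantId && this.live(x, t))[0];
    if (!g) throw new Error("no active grant with that id for this organization");
    g.revokedAt = t;
    this.auditLog.push({ action: "grant.revoked", orgId: orgId, grantId: grantId, at: t });
  }

  // Run on every Global Admin access evaluation; nothing is cached from grant time.
  isGrantActive(orgId: string, globalAdminUserId: string): boolean {
    if (!orgId || !globalAdminUserId) return false;
    const t = this.now();
    return this.grants.some(x => x.orgId === orgId && this.live(x, t));
  }

  listGrants(orgId: string): SupportAccessGrant[] {
    return this.grants.filter(x => x.orgId === orgId);
  }

  // A grant is usable only if it is unrevoked and strictly before its expiry instant.
  private live(g: SupportAccessGrant, t: number): boolean {
    return g.revokedAt === null && t < g.expiresAt;
  }
}
```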
Relationships
Dependencies (3)
Components this component depends on
Related Data Entities (6)
Data entities managed by this component