Feature

On-Demand Privileged Access

Control privileged access for high-risk identities with explicit requests, approvals, and time-limited permissions across heterogeneous IAM systems.

The Identity Operations Platform lets organizations define permission scopes, bind operators to approved role boundaries, and issue short-lived transitory permissions for specific actions when additional access is justified.

Built for privileged identity operations across heterogeneous enterprise IAM environments

Microsoft Entra ID
Active Directory
LDAP
SCIM
OpenText Advanced Authentication

The Challenge

High-risk account access needs tighter operational boundaries

Standing access creates avoidable risk

Permanent privileged roles are difficult to justify for high-risk identities and expand the blast radius of operational mistakes or misuse.

Approval boundaries are often too coarse

Many organizations can approve access only at role level, not for a specific target identity, action, or time window.

Compliance evidence is fragmented

When request, approval, execution, and expiry are recorded in different systems, internal reviews and audit preparation become slow and unreliable.

Control Model

Permission scopes and requests instead of broad permanent access

On-Demand Privileged Access is built for organizations that need to keep sensitive identities under control without slowing down legitimate operations. The model combines scoped authorization, temporary requests, and bounded approvals in one operational flow.

Define permission scopes around critical identities

Create clear permission boundaries for high-risk accounts, administrative populations, or other sensitive identity sets instead of granting broad platform-wide access.

Bind operators to approved roles and scopes

Operators can act only within the scopes assigned to their role, which makes responsibilities explicit and keeps authority aligned with organizational policy.

Request temporary permission for a specific action

If an operator is not authorized, the requested action stays blocked by default. The operator can then submit an on-demand request for that exact action and target context.

Approve with a bounded validity window

Accepted requests produce short-lived transitory permissions for the approved scope only. Access is time-limited and removed automatically after use or expiry.

Keep privileged actions free from broad standing access

High-risk operations can be executed without handing out permanent elevated roles, which supports least privilege and reduces long-lived exception access.

Record evidence for every approval path

Requester, approver, managed identity target, action scope, outcome, and escalation path remain visible as part of the operational audit trail.

Request Workflow

How on-demand access is granted

1. Action is evaluated at request time

Authorization is checked when the operator attempts the operation, not only at login time. If the operator is not authorized, the action is blocked immediately.

2. A targeted request is submitted

The operator requests temporary permission for the specific managed identity target and the specific action that is needed.

3. A supervisor decides Accept, Reject, or Escalate

The assigned supervisor reviews business context, risk, and justification. If required, the request can be escalated to another named supervisor.

4. Approved access expires automatically

Accepted requests issue a transitory permission for the approved action context only. The permission is short-lived and removed after use or expiry.
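The four steps above can be modelled in a few lines. This is an added illustration, not AuthWire's code or API: the `AccessBroker` class, its method names, the 300-second validity window, and the caller-supplied `now` timestamps are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AccessBroker:  # hypothetical model, not the platform's API
    role_scopes: dict   # operator -> {(target, action)} allowed by role
    supervisors: dict   # target -> assigned supervisor
    ttl: int = 300      # validity window in seconds (assumed value)
    pending: dict = field(default_factory=dict)
    grants: dict = field(default_factory=dict)  # (operator, target, action) -> expiry
    audit: list = field(default_factory=list)

    def _log(self, event, **details):
        self.audit.append({"event": event, **details})

    def request(self, operator, target, action, reason):
        rid = len(self.audit) + 1  # audit only grows, so ids never repeat
        self.pending[rid] = {"key": (operator, target, action),
                             "supervisor": self.supervisors[target]}
        self._log("request", id=rid, operator=operator, target=target,
                  action=action, reason=reason)
        return rid

    def decide(self, rid, supervisor, decision, now, escalate_to=None):
        req = self.pending[rid]
        if supervisor != req["supervisor"]:
            raise PermissionError("only the assigned supervisor may decide")
        if decision not in ("accept", "reject", "escalate"):
            raise ValueError(decision)
        if decision == "escalate" and not escalate_to:
            raise ValueError("escalation needs a named supervisor")
        self._log(decision, id=rid, supervisor=supervisor, escalate_to=escalate_to)
        if decision == "escalate":
            req["supervisor"] = escalate_to  # request stays pending
            return
        del self.pending[rid]
        if decision == "accept":  # permission covers this exact context only
            self.grants[req["key"]] = now + self.ttl

    def execute(self, operator, target, action, now):
        """Authorize at the moment of the action, then record the outcome."""
        if (target, action) in self.role_scopes.get(operator, set()):
            allowed, via = True, "role"
        else:
            # pop() removes the grant on use; an expired one is dropped too
            expiry = self.grants.pop((operator, target, action), None)
            allowed = expiry is not None and now < expiry
            via = "transitory" if allowed else "none"
        self._log("execute", operator=operator, target=target,
                  action=action, allowed=allowed, via=via)
        return allowed
```

Because every request, decision, and execution attempt lands in the same `audit` list, the evidence trail for one approval path can be read back in order from a single place.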

Compliance and Governance

Make privileged access boundaries reviewable and easy to justify

Customers need more than a temporary elevation button. They need a control model that makes it straightforward to define who may request access, for which identities, under which approval path, and with what audit evidence for internal and external review.

Clear permission boundaries

Customers can separate sensitive administrator accounts, break-glass users, and other high-risk identities into explicit scopes with their own approval expectations.

Supervisor accountability

Approval ownership stays explicit because every decision is tied to the assigned supervisor and every escalation step remains attributable.

Audit-ready operational evidence

The platform records who requested access, who approved it, which identity and action were in scope, and what the final execution outcome was.

Start Today

Contact Sales

office@authwire.com

See how AuthWire can help you define permission boundaries for high-risk identities and deliver on-demand privileged access with accountable approval and audit evidence.
