Support Access
Active
Support and PlatformAdmin can request grants, PlatformAdmin approves with approver separation, Auditor is read-only, BillingAdmin cannot mutate grants, and no live tenant user provisioning is executed.
Status summary
Readable status text is paired with semantic badge color.
Grant status
Active
Time-boxed support access lifecycleScope
Support
Requested tenant role scopeApprovals
1
Requester and approver must be different peopleExternal mutation
Disabled
No Graph, Key Vault, ERPNext, or runtime mutationRequest Support Access
Open a deterministic support access request for two-person approval.
Active
Grant Evidence
Latest support access operation, control-plane audit, and tenant audit evidence.
Operationoprun_support_access_fixture_001
TypeManageSupportAccessGrant
StatusSucceeded
Audit actionSupportAccessGranted
Tenant audittenant-audit://support-access/grant_fixture_support_access_001/approved
Mutates external resources
false
Action: Approve
Support access planning remains local and audit-linked.
Support access planning remains local and audit-linked.
Support Access Grants
Auditor-visible grant lifecycle records include request, approval, expiry, revocation, and dual-audit evidence.
Active | Support | 07 Oct 2026, 12:00 | 2 |
Using deterministic support access fixture.
Customer portal surfaces never show support access controls, staff identities, SSO refs, logs, or runtime diagnostics.
Customer portal surfaces never show support access controls, staff identities, SSO refs, logs, or runtime diagnostics.