Support Access Grant
Data Entity
Description
Records time-bounded access grants allowing Global Administrators (Norse Digital Products staff) to access an organization's operational data for support purposes. Each grant is created by an Org Admin, has a defined expiry, and every support session under the grant is logged in the organization's audit trail.
Data Structure
| Name | Type | Description | Constraints |
|---|---|---|---|
| id | uuid | Primary key | PK, required, unique |
| organization_id | uuid | The organization granting support access | required |
| granted_by_user_id | uuid | Org Admin user who created the grant | required |
| global_admin_user_id | uuid | Global Admin user granted access; null means any Global Admin may use the grant | - |
| status | enum | Current lifecycle state of the grant; the rules on this page refer to the states `active`, `expired` and `revoked` | required |
| granted_at | datetime | Timestamp when the grant was created | required |
| expires_at | datetime | Timestamp when the grant automatically expires; access is denied from this moment regardless of status | required |
| revoked_at | datetime | Timestamp when an Org Admin explicitly revoked the grant before expiry | - |
| revoked_by_user_id | uuid | Org Admin user who revoked the grant | - |
| reason | text | Human-readable reason the Org Admin provided for granting support access | - |
| scope | json | Optional JSON array of resource types the Global Admin is permitted to read (e.g. `["users","activities"]`); null means full org read access | - |
| last_accessed_at | datetime | Timestamp of the most recent access event under this grant; updated on each use | - |
| access_count | integer | Running count of access events under this grant | required |
| created_at | datetime | Row creation timestamp | required |
| updated_at | datetime | Row last-update timestamp | required |
Database Indexes
idx_support_access_grants_organization_id
Columns: organization_id
idx_support_access_grants_status_expires_at
Columns: status, expires_at
idx_support_access_grants_granted_by_user_id
Columns: granted_by_user_id
idx_support_access_grants_global_admin_user_id
Columns: global_admin_user_id
idx_support_access_grants_org_active
Columns: organization_id, status, expires_at
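The index list above is easiest to read next to the queries it exists for. The following is an added example, not the project's schema or code: a sqlite3 sketch of the table with the two indexes that serve the authorization lookup (`idx_support_access_grants_org_active`) and the expiry sweep (`idx_support_access_grants_status_expires_at`), plus a partial unique index that enforces `no_duplicate_active_grant` in the store itself. The column types, the ISO-8601 text timestamps, the index name `uq_support_access_grants_one_active` and the reading of "duplicate" as "same organization and same target admin, with an open-ended grant keyed as `*`" are assumptions made for this example.

```python
# Added example (not the project's schema): sqlite3 sketch of the table, the
# org_active index and the lookup it serves; the partial unique index and the
# per-(organization, target admin) reading of no_duplicate_active_grant are assumptions.
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE support_access_grants (
  id TEXT PRIMARY KEY,
  organization_id TEXT NOT NULL,
  granted_by_user_id TEXT NOT NULL,
  global_admin_user_id TEXT,                 -- NULL: any Global Admin may use the grant
  status TEXT NOT NULL CHECK (status IN ('active', 'expired', 'revoked')),
  granted_at TEXT NOT NULL,                  -- ISO-8601 UTC, so string order is time order
  expires_at TEXT NOT NULL,
  revoked_at TEXT, revoked_by_user_id TEXT, reason TEXT, scope TEXT,
  last_accessed_at TEXT, access_count INTEGER NOT NULL DEFAULT 0,
  created_at TEXT NOT NULL, updated_at TEXT NOT NULL,
  CHECK (expires_at > granted_at),                             -- insert-time form of expires_at_in_future
  CHECK (revoked_at IS NULL OR revoked_by_user_id IS NOT NULL) -- revoked_at_requires_revoked_by
);
CREATE INDEX idx_support_access_grants_org_active
  ON support_access_grants (organization_id, status, expires_at);
CREATE INDEX idx_support_access_grants_status_expires_at
  ON support_access_grants (status, expires_at);
-- no_duplicate_active_grant, enforced in the store: one active grant per organization
-- and target admin, with an open-ended (NULL) target keyed as '*'.
CREATE UNIQUE INDEX uq_support_access_grants_one_active
  ON support_access_grants (organization_id, COALESCE(global_admin_user_id, '*'))
  WHERE status = 'active';
"""

# The authorization lookup served by idx_support_access_grants_org_active. The
# expires_at predicate is what makes expiry take effect before any sweeper runs.
ACTIVE_GRANT_SQL = """
SELECT id, scope FROM support_access_grants
 WHERE organization_id = ? AND status = 'active' AND expires_at > ?
   AND (global_admin_user_id IS NULL OR global_admin_user_id = ?)
"""

# Periodic sweep served by idx_support_access_grants_status_expires_at (expiry_auto_removes_access).
SWEEP_SQL = """
UPDATE support_access_grants SET status = 'expired', updated_at = ?
 WHERE status = 'active' AND expires_at <= ?
"""


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_grant(conn, gid, org, granted_by, target_admin, granted_at, expires_at):
    ts = granted_at.isoformat()
    conn.execute(
        "INSERT INTO support_access_grants (id, organization_id, granted_by_user_id,"
        " global_admin_user_id, status, granted_at, expires_at, created_at, updated_at)"
        " VALUES (?, ?, ?, ?, 'active', ?, ?, ?, ?)",
        (gid, org, granted_by, target_admin, ts, expires_at.isoformat(), ts, ts))


def find_active_grant(conn, org, admin_id, now):
    """Return the usable grant id for admin_id on org at time now, or None."""
    row = conn.execute(ACTIVE_GRANT_SQL, (org, now.isoformat(), admin_id)).fetchone()
    return row[0] if row else None


def demo():
    """Constructed walkthrough against an in-memory store; returns the observations."""
    conn = open_store()
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    insert_grant(conn, "g1", "org-A", "oa-1", "ga-1", t0, t0 + timedelta(days=7))
    out = {
        "in_window": find_active_grant(conn, "org-A", "ga-1", t0 + timedelta(days=1)),
        "other_admin": find_active_grant(conn, "org-A", "ga-2", t0 + timedelta(days=1)),
        "other_org": find_active_grant(conn, "org-B", "ga-1", t0 + timedelta(days=1)),
        # the row still says 'active' here: the predicate on expires_at alone denies it
        "after_expiry": find_active_grant(conn, "org-A", "ga-1", t0 + timedelta(days=8)),
    }
    try:
        insert_grant(conn, "g2", "org-A", "oa-1", "ga-1", t0, t0 + timedelta(days=3))
        out["duplicate_rejected"] = False
    except sqlite3.IntegrityError:
        out["duplicate_rejected"] = True
    later = (t0 + timedelta(days=8)).isoformat()
    conn.execute(SWEEP_SQL, (later, later))
    out["status_after_sweep"] = conn.execute(
        "SELECT status FROM support_access_grants WHERE id = 'g1'").fetchone()[0]
    return out
```

The point to take from the lookup query is that `status = 'active'` is never sufficient on its own: the row keeps saying `active` until something sweeps it, so the caller's clock must be compared against `expires_at` on every check, which is exactly the column order the `org_active` index provides.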
Validation Rules
| Rule | Severity | Message | What it checks |
|---|---|---|---|
| expires_at_in_future | error | Validation failed | expires_at must lie after the time the grant is created (the 90-day ceiling is a separate business rule below) |
| revoked_at_requires_revoked_by | error | Validation failed | When revoked_at is set, revoked_by_user_id must also be set |
| status_transition_valid | error | Validation failed | A status change must be a permitted lifecycle transition; the rules on this page describe active to expired (on expiry) and active to revoked (on revocation) |
| global_admin_user_id_is_global_admin_role | error | Validation failed | When global_admin_user_id is set, the referenced user must hold the Global Admin role |
| no_duplicate_active_grant | error | Validation failed | Rejects creating a second active grant for the same organization that overlaps one it already holds |
Business Rules
only_org_admin_can_grant
Only a user with the Org Admin role for the target organization may create or revoke a support access grant for that organization.
expiry_auto_removes_access
When expires_at is reached the grant is automatically treated as expired; status must transition to 'expired' and the Global Admin loses access immediately without any manual action.
revocation_immediate
Revoking a grant (setting status = 'revoked') removes Global Admin access immediately; any in-flight session must be invalidated.
every_access_audit_logged
Every access event by a Global Admin under a support grant must produce an entry in the organization's audit_logs table referencing the grant ID.
global_admin_no_default_org_access
Global Admins have no access to an organization's operational data unless an active, non-expired support_access_grant exists for that organization.
grant_expiry_max_duration
expires_at must not be set more than 90 days after granted_at to prevent indefinitely open grants.
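The validation rules and business rules above describe one enforcement path: validate the grant when it is written, then re-check status, expiry, scope and target on every access and write an audit entry each time. The block below is an added example, not code from the Norse Digital Products project, implementing that path in the application layer. The `Principal` record, the `users` lookup, the terminal treatment of `expired` and `revoked`, and the in-memory audit list are assumptions; `no_duplicate_active_grant` is omitted here because it needs the store's view of other rows rather than a single grant.

```python
# Added example; Principal, the users lookup and the in-memory audit list are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_GRANT_DURATION = timedelta(days=90)  # grant_expiry_max_duration
# States the rules on this page refer to; treating expired/revoked as terminal is an assumption.
ALLOWED_TRANSITIONS = {"active": {"expired", "revoked"}, "expired": set(), "revoked": set()}


@dataclass
class Principal:  # assumed shape of a user record and its roles
    user_id: str
    is_global_admin: bool = False
    org_admin_of: frozenset = frozenset()  # organizations this user is Org Admin of


@dataclass
class SupportAccessGrant:
    id: str
    organization_id: str
    granted_by_user_id: str
    granted_at: datetime
    expires_at: datetime
    status: str = "active"
    global_admin_user_id: Optional[str] = None  # None: any Global Admin may use it
    revoked_at: Optional[datetime] = None
    revoked_by_user_id: Optional[str] = None
    scope: Optional[list] = None  # None: full org read access
    access_count: int = 0
    last_accessed_at: Optional[datetime] = None


def validate_grant(grant, users, now):
    """Return the names of the rules the grant violates (empty list = valid)."""
    failures = []
    granter = users.get(grant.granted_by_user_id)
    if granter is None or grant.organization_id not in granter.org_admin_of:
        failures.append("only_org_admin_can_grant")
    if grant.expires_at <= now:
        failures.append("expires_at_in_future")
    if grant.expires_at - grant.granted_at > MAX_GRANT_DURATION:
        failures.append("grant_expiry_max_duration")
    if grant.revoked_at is not None and grant.revoked_by_user_id is None:
        failures.append("revoked_at_requires_revoked_by")
    if grant.global_admin_user_id is not None:
        target = users.get(grant.global_admin_user_id)
        if target is None or not target.is_global_admin:
            failures.append("global_admin_user_id_is_global_admin_role")
    return failures


def refresh_status(grant, now):
    """expiry_auto_removes_access: a past-expiry grant becomes 'expired' on read."""
    if grant.status == "active" and now >= grant.expires_at:
        grant.status = "expired"
    return grant.status


def revoke(grant, actor, now):
    """only_org_admin_can_grant, status_transition_valid and revocation_immediate."""
    if grant.organization_id not in actor.org_admin_of:
        raise PermissionError("only an Org Admin of this organization may revoke")
    if "revoked" not in ALLOWED_TRANSITIONS.get(grant.status, set()):
        raise ValueError(f"cannot revoke a grant in status {grant.status!r}")
    grant.status, grant.revoked_at, grant.revoked_by_user_id = "revoked", now, actor.user_id


def check_access(grant, admin, resource_type, now, audit_log):
    """Decide one read by admin under grant; denials are audited too (every_access_audit_logged)."""
    refresh_status(grant, now)
    if not admin.is_global_admin:
        denial = "caller is not a Global Admin"
    elif grant.status != "active":  # revoked, or expired by the refresh above
        denial = f"grant is {grant.status}"
    elif grant.global_admin_user_id not in (None, admin.user_id):
        denial = "grant is bound to a different Global Admin"
    elif grant.scope is not None and resource_type not in grant.scope:
        denial = "resource type outside grant scope"
    else:
        denial = None
    audit_log.append({"grant_id": grant.id, "organization_id": grant.organization_id,
                      "user_id": admin.user_id, "resource_type": resource_type,
                      "at": now.isoformat(), "allowed": denial is None, "reason": denial})
    if denial:
        return False
    grant.access_count, grant.last_accessed_at = grant.access_count + 1, now
    return True


def demo():
    """Constructed walkthrough: scoped 7-day grant, in-scope and out-of-scope reads, revocation."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    users = {"oa-1": Principal("oa-1", org_admin_of=frozenset({"org-A"})),
             "ga-1": Principal("ga-1", is_global_admin=True)}
    grant = SupportAccessGrant("g1", "org-A", "oa-1", t0, t0 + timedelta(days=7),
                               global_admin_user_id="ga-1", scope=["users", "activities"])
    assert validate_grant(grant, users, t0) == []
    audit = []
    check_access(grant, users["ga-1"], "users", t0 + timedelta(hours=1), audit)
    check_access(grant, users["ga-1"], "billing", t0 + timedelta(hours=2), audit)
    revoke(grant, users["oa-1"], t0 + timedelta(hours=3))
    check_access(grant, users["ga-1"], "users", t0 + timedelta(hours=4), audit)
    too_long = SupportAccessGrant("g2", "org-A", "oa-1", t0, t0 + timedelta(days=120))
    return grant, audit, validate_grant(too_long, users, t0)
```

Two design choices worth noting: `check_access` logs denials as well as allows, so an organization can see attempts made after it revoked a grant, and the expiry check runs against the caller's clock on every call rather than trusting the stored status, which is what `expires_at` "regardless of status" in the data structure requires.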