Permission Elevation Workflow for Platform Engineers (Just-in-Time Admin Access)
Florian Nowarre
Problem / Use Case
As a Platform Engineer using meshStack's Platform Builder, I can create building blocks that
operate using workspace-scoped ephemeral API keys. This model works well for day-to-day
automation — but a significant class of operations requires admin-level roles (Organization Admin,
Organization User, or FinOps Manager) that go far beyond what ephemeral keys support today.
A concrete example: provisioning or managing meshstack_payment_method resources via the
Terraform provider requires one of these elevated roles. There is currently no way to perform
this operation from within a building block or as a platform engineer without being permanently
assigned full admin rights.
This creates a damaging trade-off: either I get permanent admin access (violating least-privilege
principles), or I can't automate a legitimate part of my platform's lifecycle at all.
Key pain points:
- No mechanism to request a time-limited, scoped elevation of permissions for a specific
operation (e.g., "create payment methods in workspace X for the next 2 hours").
- No approval workflow that lets a central admin review and grant such a request, with a clear
audit trail.
- Platform engineers are effectively blocked from fully automating platform lifecycle operations
that involve financial or cross-workspace resource management.
- The only escape hatch today is permanent full admin assignment — a clear security anti-pattern.
Value / Impact
Introducing a just-in-time (JIT) permission elevation workflow would:
- Enforce least privilege by default: platform engineers work within their workspace scope,
and elevated access is always time-limited and explicitly approved.
- Unblock legitimate automation: building blocks could request and use elevated permissions
(e.g., for payment method management) as part of a controlled, auditable flow — without
requiring permanent admin accounts.
- Improve auditability: every elevation request, approval, and use would be traceable in
meshStack's event log, supporting compliance and security requirements.
- Reduce blast radius: if a workspace API key or building block is compromised, the
attacker does not gain persistent admin access — only an already-approved, short-lived token.
- Align with industry patterns: JIT access (as seen in Azure PIM, AWS IAM Identity Center,
and HashiCorp Vault) is a widely adopted security best practice that our customers' security
teams already expect.
Context / Links
This request is closely related to the Canny post on
which addresses the governance side of this same problem (approving a new BBD version
with expanded permissions). A JIT elevation workflow is the operational complement: allowing a
platform engineer to temporarily gain elevated access to perform a specific task, with admin
oversight and a full audit trail.
For questions or to discuss your specific use case, reach out to support@meshcloud.io.