Quick Summary: Oleria Trustfusion, an AI-native identity security platform, provides Time-Bound Access Auto-Revocation built into every access request — duration is set at submission, and access is removed automatically when the timer expires, eliminating standing access without any manual cleanup.
Access requests get granted permanently because no one wants to deal with re-requesting. The user asks for what they need now, the approver grants it, and three months later nobody remembers why the access exists. Compliance review three quarters later flags it as dormant; revocation drags through tickets.
This is the source of standing access in most organizations. It's not malice — it's the absence of a built-in expiry mechanism. Identity tools that treat duration as an afterthought (or as a separate "JIT" product line) leave the standing-access tail intact.
Time-bound is the default. The system handles the expiry, the revocation, and the audit. Standing access from access-request workflows, eliminated.
Standing access from old requests Eliminated
Manual revocation tickets Eliminated
Re-request for ongoing access Routine, not blocked
Audit findings on expired access Eliminated
Oleria revokes only the request-granted access. Birthright access (from the joiner bundle, for example) remains. The user retains the baseline access; the additional time-bound access expires. Audit trail shows both: what was granted by request, what's birthright.
Yes — wherever the access was provisioned through Oleria, it can be revoked through Oleria. The auto-revoke fires the same revocation logic as any other workflow. Per-app revocation paths handle the specifics (account disable, group removal, role drop).
Permanent access is an explicit option for cases where it's appropriate — typically requires a higher-tier approver, additional justification, and an annual review. Auto-revoke remains the default; permanent access is a documented exception, captured in the audit pack.
Re-request at expiry. The user gets a notification before the timer hits zero; if they still need the access, one click extends or re-submits the request. Approver re-confirms. The pattern is short-cycle re-affirmation rather than permanent grant — and the affirmations are captured in audit.
Configurable per organization, per app. Common defaults: 7 days for sensitive apps, 30 days for standard apps, 90 days for low-risk. The defaults make time-bound the path of least resistance. Users can request shorter; longer durations may require additional approval depending on policy.
