Privileged Access Management

Take admin rights away from everyday accounts, and hand them back only when they're actually needed.

UAC Intercept, Tech JIT Admin, Approval Workflow, Time-Boxed Grants, Automatic Rules, Audit Trail

Elevation flows: 3
Max approval window: 24 hours
Standing admin rights: Zero
Self-approval: Never

Privileged Access Management lets you take admin rights away from everyday user accounts and hand them back only when they’re actually needed: for a few minutes, on one machine, with a recorded decision behind it. Instead of standing local-administrator membership waiting to be abused, a user requests elevation in the moment, an approver decides, and the access disappears on its own when the window closes.

Three Elevation Flows, One Queue

PAM governs three kinds of elevation that all land in the same approval queue: UAC intercept, where a Windows UAC consent prompt is captured and routed for approval instead of being decided by a local password; Tech JIT admin, where a technician requests temporary local-admin access for hands-on work; and AI tool actions, where a privileged action proposed by the Breeze AI agent or Helper requires a human to sign off before it runs.

The Windows UAC Approval Flow

When a managed Windows device hits a UAC elevation prompt, the agent observes it and creates an elevation request describing the executable’s path, signer, hash, and requesting user. PAM evaluates the request, and if no rule auto-decides it, routes it to an approver who can respond from the web console, the Helper desktop app’s native dialog, or the mobile app with biometric step-up. On approval a just-in-time admin window opens; on denial the elevation is blocked.

Just-in-Time Admin Without Stored Passwords

PAM grants temporary admin rights without ever creating a permanent privileged account or sending a password over the network. The agent maintains a dormant, disabled, hidden local admin account that sits powerless until an elevation is approved. On approval it mints a fresh random password locally, enables the account, and adds it to the Administrators group for exactly the approved window. When the timer expires or the elevation is revoked, the agent strips the rights, re-randomizes the password, and disables the account again. The credential is never written to config or transmitted to the server.

Time-Boxed Approvals and Early Revocation

Approvers set an approval window of 1 to 1440 minutes (a 24-hour maximum) that governs how long granted access stays live before it revokes itself. Every decision can carry a reason that’s recorded in the audit trail. While an elevation is still active, you can end it early by revoking it with a required reason, pulling the access back at once. If two people act on the same request simultaneously, only the first decision wins.

Automatic Rules for Routine Cases

Rules let routine, trusted elevations resolve automatically instead of sitting in the queue. Each rule carries a priority, identifying criteria, and a verdict of auto-approve, auto-deny, require approval, or ignore. Executable rules match on code-signer, file hash, file path glob, or parent process, while AI tool-action rules match on tool name and risk tier; both can narrow further by user, AD group, and time window. A Software Policy allowlist or blocklist decides first; otherwise PAM rules run in priority order and the first match wins.
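
The evaluation order described above, as an added sketch (not Breeze's own code) limited to executable rules with signer, hash and path-glob criteria plus AD-group and time-window narrowing. It assumes a lower priority number runs first, that Software Policy lists are keyed by file hash (blocklist denies, allowlist approves), and that every criterion set on a rule must hold; all names and sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Request:                      # fields the page says a request describes
    path: str
    signer: str
    sha256: str
    user: str
    groups: frozenset = frozenset()
    at: time = time(12, 0)          # local time of the request

@dataclass(frozen=True)
class Rule:                         # None = unset; all set criteria must hold (assumption)
    name: str
    priority: int                   # assumption: lower number runs first
    verdict: str                    # auto_approve|auto_deny|require_approval|ignore
    signer: str = None
    sha256: str = None
    path_glob: str = None
    groups: frozenset = None
    window: tuple = None            # (start, end) local times, start <= end

    def matches(self, r):
        exact = [(self.signer, r.signer), (self.sha256, r.sha256)]
        ident = [want == got for want, got in exact if want is not None]
        if self.path_glob is not None:  # Windows paths compare case-insensitively
            ident.append(fnmatchcase(r.path.lower(), self.path_glob.lower()))
        scope = [self.groups is None or bool(self.groups & r.groups),
                 self.window is None or self.window[0] <= r.at <= self.window[1]]
        return bool(ident) and all(ident) and all(scope)  # no identifier set: no match

def decide(req, rules, allow=frozenset(), block=frozenset()):
    """Return (verdict, decided_by); decided_by is what an audit entry would name."""
    if req.sha256 in block:         # Software Policy decides before any PAM rule
        return "auto_deny", "software-policy:blocklist"
    if req.sha256 in allow:
        return "auto_approve", "software-policy:allowlist"
    for rule in sorted(rules, key=lambda x: x.priority):
        if rule.matches(req):       # first match wins
            return rule.verdict, "rule:" + rule.name
    return "require_approval", "no-rule-matched"

# Constructed sample data: signer, hashes and paths are made up.
RULES = [Rule("vendor-signed", 20, "auto_approve", signer="Example Vendor Ltd"),
         Rule("recalled-build", 10, "auto_deny", sha256="ab" * 32)]
GOOD = Request(r"C:\Program Files\Vendor\setup.exe", "Example Vendor Ltd", "cd" * 32, "alice")
BAD = Request(r"C:\Users\alice\Downloads\setup.exe", "Example Vendor Ltd", "ab" * 32, "alice")
```

Because the first match wins, a narrow deny such as `recalled-build` only takes effect if it is evaluated ahead of a broad approve such as `vendor-signed`. `fnmatch`'s `*` also crosses `\`, so a glob ending in `\*` covers every subdirectory beneath that folder.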

Separation of Duties and Full Audit

PAM never lets a request self-approve. The approver is always a separate identity from the requester, an AI agent can’t sign off on the action it proposed, and approval requires a human with the right permission confirmed by MFA. The Audit tab is the permanent record of every elevation decision, filterable by status, flow, and date range and exportable to CSV, with each entry naming the human approver or the rule that made an automatic call, so there’s never ambiguity about who granted access.
