Description
Request a customer-managed, UI-capable “break glass” admin user that is local to Port (not via SSO) and fully controlled by the customer (creation, rotation, disablement), for use in IdP/SSO outages or lockout scenarios. This user’s credentials would be vaulted (e.g., in CyberArk) and used only in emergencies.
What’s available today for customers
Service accounts
Non-human, API-only accounts with clientId/clientSecret, managed via the Users blueprint and RBAC. [Service accounts]
Cannot log into the Port UI.
Support users (Port-managed)
What’s needed
A customer-owned “Break Glass User” that:
Authenticates locally to Port (not via SSO/IdP).
Can access the UI with high privilege (e.g., Admin) using existing RBAC.
Has credentials shown once on creation so they can be vaulted and rotated by the customer.
Is clearly labeled as break-glass, with all actions fully logged in audit logs.
Can be governed by org-level settings (who can create it, enable/disable, optional time-limited enablement).
Created by Oladipupo Ibeun