CORE FEATURE

Admin Access. Without the Admin Password.

CtrlLayer replaces permanent admin rights with just-in-time, app-scoped elevation that is cryptographically secured, time-limited, and fully auditable. Users get what they need. Attackers get nothing.

How Elevation Works

From request to audit log in seconds. Here is the complete elevation lifecycle.

1

User Requests Elevation

A user right-clicks an application and selects "Run with CtrlLayer elevation" or requests elevation through the system tray agent. The request includes the application name, hash, path, and optional justification text. No admin credentials are shared or exposed at any point.

2

Policy Check

The request is evaluated against your organization's elevation policies in real time. Policies can be configured at the organization, group, or user level with granular rules based on application identity, publisher certificate, file hash, path patterns, and time-of-day restrictions.

Auto-Approve

Known-safe applications matching policy rules are approved instantly without admin intervention.

Require Review

Unknown or policy-flagged applications are routed to an administrator for manual approval or denial.

Block

Applications matching block rules are denied with an explanation message to the user.

3

JWT Grant Issued

Approved requests generate a JSON Web Token signed with RS256. The token encodes the specific application hash, the requesting user's identity, the approved time window, and the granting administrator's identity. Because the signature covers every claim, any modification invalidates the token, and the embedded application hash, user, and device bind it to one approved launch: it is tamper-proof and non-transferable.

Grant Token Contains

sub: User identity (SID + UPN)
app: Application SHA-256 hash
exp: Expiration timestamp
iss: Granting authority (admin or policy)
scope: Elevation scope (app-only, never system-wide)
device: Target device identifier

4

Time-Limited Elevation

The application runs with elevated privileges for the approved duration. Elevation is scoped exclusively to the approved application process. The user cannot leverage this elevation to install other software, modify system settings, or elevate other applications. When the time window expires, elevation is automatically and irrevocably revoked.

5

Complete Audit Log

Every step is recorded: the request, policy evaluation, approval decision, grant issuance, elevation start, elevation end, and any actions taken during the elevated session. This audit trail provides complete accountability for compliance and forensic investigation.

App-Scoped Elevation Explained

Traditional admin rights give access to everything. CtrlLayer elevation gives access to exactly one application.

Installing a Printer Driver

With Admin Rights

User has full admin access. They can install the driver, but can also install any other software, modify the registry, disable antivirus, create new user accounts, and access protected system files. If the account is compromised during this window, the attacker inherits full system control.

With CtrlLayer

User gets elevation scoped only to the printer driver installer. The driver installs successfully. Nothing else can be done with this elevation. Even if the user is compromised, the attacker can only run the specific installer that was approved.

Running a Developer Tool

With Admin Rights

Developer has permanent admin rights because they need to run Docker, debugging tools, and local dev servers. Every application they install, every website they visit, every email attachment they open inherits those same admin privileges.

With CtrlLayer

Developer requests elevation for Docker Desktop. Auto-approved by policy for recognized developer tools. Docker runs with elevation. Their browser, email, and other applications remain at standard user level. The attack surface is reduced by 90%+.

Updating Line-of-Business Software

With Admin Rights

User calls IT. IT either remotes in (10-15 minutes per request) or gives the user admin rights temporarily (and forgets to remove them). Neither approach scales. Both create security gaps.

With CtrlLayer

User requests elevation for the software updater. If the updater is in the approved list, auto-approved in seconds. If not, IT approves from the dashboard with one click. User runs the update immediately. Elevation revokes when the update completes or the time window expires.

QR Tech Delegation

For on-site technicians who need elevation authority without permanent admin credentials.

01

Admin Generates QR Code

An administrator generates a time-limited QR delegation code from the CtrlLayer dashboard. The code specifies the scope of delegation: which applications, which devices, and for how long.

02

Tech Scans on Device

The on-site technician scans the QR code using the CtrlLayer agent on the target device. The agent validates the delegation code and establishes the technician's temporary elevation authority.

03

Scoped Work Begins

The technician can perform approved elevated actions on the device for the duration of the delegation. All actions are logged under the technician's identity with the delegation context preserved in the audit trail.

04

Automatic Expiration

When the delegation window expires, all elevated access is revoked. No credentials were shared. No admin accounts were created. Complete accountability is maintained.

Why This Matters

  • No shared admin passwords for field technicians
  • No permanent accounts created on client devices
  • Complete audit trail of all technician actions
  • Delegation scope limits what technicians can do
  • Automatic expiration prevents credential persistence
  • Perfect for MSP field service operations

Emergency Elevation

Because sometimes you need admin access right now. Emergency elevation provides break-glass procedures with enhanced accountability.

When to Use It

Emergency elevation is designed for situations where normal approval workflows cannot be followed: system crashes requiring immediate repair, security incidents requiring rapid response, or after-hours situations where no approver is available.

How It Works

Users can trigger emergency elevation with a documented justification. The elevation is granted immediately but with enhanced logging: every action during the emergency session is captured with additional detail. Administrators and security teams are notified immediately.

Accountability

Emergency elevation events are flagged in the audit log for mandatory review. Reports show emergency elevation frequency per user and per device, enabling identification of patterns that may indicate policy gaps or abuse.

Help Desk Integration

Elevation requests integrate with your existing ticketing workflow.

Ticket-Linked Approvals

Elevation requests can reference help desk ticket numbers. Approved elevations are logged with the ticket reference, creating a complete audit trail that connects IT support workflows with privilege management events.

Approval Notifications

When elevation requests require manual approval, administrators are notified through configured channels. Approvals and denials can be performed from the dashboard or through integrated notification workflows.

Reporting and Analytics

Track elevation request volume by user, department, application, and time period. Identify applications that generate the most requests. Optimize auto-approval policies to reduce manual workload while maintaining security.

Ready to Take Control?

Request your invite and see what zero-trust elevation actually looks like.