Can we provide admin access in IDN based on time?

Another option could be to leverage Roles, Forms, and Workflows.

You could set up a special role called “Temporary Admin Access”. It won’t have any entitlements, and it should be set to be requestable in Request Center with the appropriate approval chain if needed.

Then, create a workflow that listens for Access Request Decision with a filter that will only trigger when that specific role is requested and it has been approved. You can send a form to the requester asking for additional details, like why they need the admin access and how long they need it for. The workflow will wait for the form to be submitted, and then you can send another form to the appropriate approver (e.g., the identity’s manager or another IDN admin) for them to sign off on the request.

Once the form has been submitted, the workflow can then use the update auth user endpoint to assign the ORG_ADMIN user level to the identity. Finally, the workflow will use the Wait action to wait until the specified end date based on the form the identity submitted. Once the end date is reached, the workflow will continue where it left off and use the update auth user endpoint to remove ORG_ADMIN from the identity.

This is such a juicy use case that I’m going to work this into my Advanced Workflows presentation at this year’s Developer Days. I’ll also post a blog post about this with the workflow code once I finish it.

5 Likes
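
An added example, not part of the post above and not SailPoint's code: it builds the request bodies for the grant and revoke calls to the update auth user endpoint and bounds the wait. It assumes the endpoint takes a JSON Patch that replaces the whole `/capabilities` list; `MAX_GRANT`, the function names and the sample capability values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ADMIN = "ORG_ADMIN"               # user level named in the post
MAX_GRANT = timedelta(hours=8)    # hypothetical policy ceiling, not from the post


def grant_patch(current_caps):
    """JSON Patch body that adds ORG_ADMIN while keeping existing capabilities."""
    caps = list(current_caps)
    if ADMIN not in caps:
        caps.append(ADMIN)
    # Assumption: a replace on /capabilities overwrites the full list.
    return [{"op": "replace", "path": "/capabilities", "value": caps}]


def revoke_patch(current_caps, caps_before_grant):
    """JSON Patch body that removes ORG_ADMIN unless the user held it before."""
    if ADMIN in caps_before_grant:
        caps = list(current_caps)   # standing admin: the workflow must not strip it
    else:
        caps = [c for c in current_caps if c != ADMIN]
    return [{"op": "replace", "path": "/capabilities", "value": caps}]


def wait_until(requested_end, now):
    """Clamp the end date from the form so a grant never outlives MAX_GRANT."""
    if requested_end <= now:
        raise ValueError("end date must be in the future")
    return min(requested_end, now + MAX_GRANT)


if __name__ == "__main__":
    # Constructed sample: a user who holds one other capability asks for 3 days.
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    before = ["HELPDESK"]
    print("grant :", grant_patch(before))
    print("until :", wait_until(now + timedelta(days=3), now).isoformat())
    print("revoke:", revoke_patch(before + [ADMIN], before))
```

Record the capability list as it was before the grant in the workflow's own state, so the revoke step after the Wait action restores exactly that list.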