Advanced Maintenance

This section covers emergency procedures, manual overrides, and out-of-band maintenance required for long-term operational excellence of the PAM-Pro platform.

1. Emergency Break-Glass

In the event of a total identity provider lockout, System Operators can activate the Break-Glass Protocol. This requires a 5-person physical authorization and utilizes the offline master hash to restore administrative control over the Azure compute plane.

2. Manual Cache Pruning

If account discovery becomes desynchronized from the actual Entra ID state, Operators can trigger a Full Cache Rebuild. This action flushes the localized "Shared Brain" metadata and forces a fresh, deep-scan of the client's directory roles.

3. Updating the Compute Plane

When new versions of the PAM-Pro "Private Body" are released, Operators must coordinate the rolling update of the Azure Container Apps. The Update Orchestrator ensures that rotations and checkouts continue without interruption during the deployment cycle.

4. Database Maintenance

While PAM-Pro is "SaaS-lite," the central Master Registry periodically requires indexing and vacuuming. These tasks are scheduled during standard 2:00 AM maintenance windows but can be manually triggered if performance degradation is detected.

Operational Mandate: All advanced maintenance actions must be preceded by a formal Change Request and documented within the immutable System Operator log for audit accountability.