
Enabling Just-in-time Access

A true least-privilege security model requires users, processes, applications, and systems to have “just enough” rights and access to perform tasks, and for no longer than necessary.

Just-in-Time (JIT) access provisioning grants a user temporary, on-demand privileged access to resources. It’s a form of access management that is meant to address scenarios in which a user who may not typically need to use certain applications or services can receive timely access to those resources when they need it, but only for a short period of time.

Organizations are increasingly effective at applying the “just enough” access piece using privileged access management (PAM) solutions, but they have largely neglected the time-limited part. Tying privileged access to a specific time frame makes it possible to ensure access is temporary. When the current session is closed, the permissions are taken away, preventing unauthorized access. If the user needs continued access, they must submit another request for that privileged resource.

Configure a Just-In-Time Policy

  1. To configure a JIT policy, select PAM from the product navigator → Policies, then select Just In Time from the sidebar under the General menu.

  2. Enter the details in the form provided, including the Policy Name and description. Three types of Just-In-Time policy configuration are possible:

  • Enable/Disable

    • In this configuration, the account on the target server is kept in a disabled state. When a session is started for that target server, the account is enabled and the session is established. When the session is terminated, the account on the target server returns to the disabled state.

  • Provision/De-provision

    • In this configuration, the accounts are created on both the PAM and the target servers. When the accounts are no longer needed, they can be de-provisioned across all the target servers in just one click.

  • Access Based Elevation

    • In this configuration, the account that is added is elevated to higher privileges only for the duration of the session. After the session is disconnected, the account is returned to its original privilege level.

  3. Add the Asset Type, the accounts the policy applies to, their respective roles, and the Active/Inactive status.

  4. Click Save.
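
Once a policy is saved, it is worth checking that accounts really do fall back to their resting state when access ends. The following is an added example, not part of the product or its API: it audits a snapshot of account states against the three policy types described above. The `AccountState` record, its field names, and the policy-type strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class AccountState:  # hypothetical snapshot record, not a product schema
    asset: str
    account: str
    policy: str         # enable_disable | provision_deprovision | access_elevation
    exists: bool        # account present on the target server
    enabled: bool
    privilege: str      # privilege level currently held on the target
    baseline: str       # privilege level expected outside a session
    grant_active: bool  # session open, or (provisioned accounts) still needed

def jit_violation(a: AccountState) -> Optional[str]:
    """Return a finding when standing access remains after the grant ended."""
    if a.grant_active:
        return None  # access is expected while the grant is live
    if a.policy == "enable_disable":
        return "enabled with no session" if a.exists and a.enabled else None
    if a.policy == "provision_deprovision":
        return "not de-provisioned" if a.exists else None
    if a.policy == "access_elevation":
        if a.exists and a.privilege != a.baseline:
            return f"still elevated to {a.privilege}"
        return None
    return "unknown policy type"  # fail closed on unrecognised input

def audit(states: List[AccountState]) -> List[Tuple[str, str, str]]:
    """Collect (asset, account, finding) for every account left with standing access."""
    findings = []
    for a in states:
        reason = jit_violation(a)
        if reason:
            findings.append((a.asset, a.account, reason))
    return findings

# Constructed sample snapshot (not real data).
SAMPLE = [
    AccountState("db01", "svc_backup", "enable_disable", True, False, "user", "user", False),
    AccountState("db01", "dba_admin", "enable_disable", True, True, "admin", "admin", False),
    AccountState("web02", "deploy", "enable_disable", True, True, "user", "user", True),
    AccountState("web02", "contractor1", "provision_deprovision", True, True, "user", "user", False),
    AccountState("app03", "jsmith", "access_elevation", True, True, "root", "user", False),
    AccountState("app03", "akumar", "access_elevation", True, True, "root", "user", True),
]

if __name__ == "__main__":
    for asset, account, reason in audit(SAMPLE):
        print(f"{asset}/{account}: {reason}")
```

Accounts with a live grant are skipped, so only access that outlived its session or its need is reported.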
