Just-in-Time Access
a.k.a.:
- Just-In-Time (JIT) Permission Management
- Just-In-Time Privileged Access Management (JIT PAM)
TL;DR
JIT access workflow
- A user requests privileged access to a specific resource (for example a network segment or a virtual machine), stating the task that requires it.
- The request goes through an approval step. This is often automated by policy for speed; otherwise an administrator with the requisite authority manually approves or rejects it.
- If approved, the user receives only the level of privilege the task needs, and only for a bounded time window sized to that task.
- When the window ends, the privilege is revoked automatically whether or not the user has already finished and logged out; alternatively the account itself is disabled until the next request. No standing privilege remains between requests.
Types of Just-In-Time Access
Broker and Remove Access (Justification-Based Access): the user states a justification, a broker checks out a shared privileged credential (typically from a vault) for the approved window, and the access is removed again afterwards.
Ephemeral Accounts: a one-time account is created for the task and deleted or disabled when the task is complete, so nothing persists to be reused.
Temporary Elevation (Privilege Elevation): the user's existing account is elevated for the window, for example by a time-limited membership in a privileged group or role, and reverted afterwards.
JIT Access: Best Practices
Identify critical assets
Use role-based access control (RBAC)
Define and enable temporary access
Record and audit activity
Assign responsibility
Use short-lived (ephemeral) credentials
source: https://devops.com/what-is-just-in-time-jit-permission-management-and-why-is-it-essential/
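The workflow steps above and the best-practice list (temporary access, a separate approver, justification, short-lived credentials, audit trail) can be shown together as one small broker. The code below is an added illustration written for this page; it is not from the devops.com source and not any vendor's implementation. The 4-hour policy cap, the role and resource names, and the MFA flag are assumptions for the demonstration. The clock is injectable so that expiry can be exercised without waiting.

```python
"""Minimal just-in-time access broker: request -> approve -> activate -> expire.

Added example for illustration; not the page's source material. Policy values
(MAX_TTL_SECONDS) and names (roles, resources, users) are assumed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_TTL_SECONDS = 4 * 3600  # assumed policy cap on a single activation


@dataclass
class Grant:
    grant_id: str
    requester: str
    role: str
    resource: str
    justification: str
    ttl_seconds: int
    status: str = "pending"  # pending -> approved -> active -> expired | denied | revoked
    approver: Optional[str] = None
    expires_at: Optional[float] = None
    credential: Optional[str] = None  # ephemeral; cleared on expiry/revocation


class JitBroker:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._grants: Dict[str, Grant] = {}
        self.audit: List[dict] = []  # append-only record of every state change

    def _log(self, event: str, g: Grant, **extra) -> None:
        self.audit.append({"ts": self._clock(), "event": event, "grant": g.grant_id,
                           "user": g.requester, "role": g.role, "resource": g.resource, **extra})

    def request(self, requester: str, role: str, resource: str,
                justification: str, ttl_seconds: int) -> str:
        if not justification.strip():
            raise ValueError("a justification is required")
        ttl = min(ttl_seconds, MAX_TTL_SECONDS)  # never exceed the policy cap
        g = Grant(secrets.token_hex(8), requester, role, resource, justification, ttl)
        self._grants[g.grant_id] = g
        self._log("requested", g, ttl=ttl)
        return g.grant_id

    def approve(self, grant_id: str, approver: str) -> None:
        g = self._grants[grant_id]
        if approver == g.requester:
            raise PermissionError("separation of duties: requester cannot approve own request")
        if g.status != "pending":
            raise ValueError(f"grant is {g.status}, not pending")
        g.status, g.approver = "approved", approver
        self._log("approved", g, approver=approver)

    def deny(self, grant_id: str, approver: str) -> None:
        g = self._grants[grant_id]
        g.status, g.approver = "denied", approver
        self._log("denied", g, approver=approver)

    def activate(self, grant_id: str, mfa_verified: bool) -> str:
        """Turn an approved grant into a live, time-bound credential."""
        g = self._grants[grant_id]
        if g.status != "approved":
            raise PermissionError(f"cannot activate a grant that is {g.status}")
        if not mfa_verified:
            raise PermissionError("MFA is required to activate a privileged role")
        g.status = "active"
        g.expires_at = self._clock() + g.ttl_seconds
        g.credential = secrets.token_urlsafe(32)  # short-lived, never reused
        self._log("activated", g, expires_at=g.expires_at)
        return g.credential

    def revoke(self, grant_id: str, actor: str) -> None:
        g = self._grants[grant_id]
        g.status, g.credential = "revoked", None
        self._log("revoked", g, actor=actor)

    def _expire_stale(self) -> None:
        now = self._clock()
        for g in self._grants.values():
            if g.status == "active" and g.expires_at is not None and g.expires_at <= now:
                g.status, g.credential = "expired", None
                self._log("expired", g)

    def is_allowed(self, credential: str, role: str, resource: str) -> bool:
        """Authorization decision: only an active, unexpired grant for this exact
        role and resource passes. Expiry is enforced here, independent of logout."""
        self._expire_stale()
        for g in self._grants.values():
            if (g.status == "active" and g.credential is not None
                    and secrets.compare_digest(g.credential, credential)
                    and g.role == role and g.resource == resource):
                return True
        return False


class ManualClock:
    """Test clock so the example can advance time deterministically."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> List[str]:
    """Run the full workflow on constructed input; returns the audit event sequence."""
    clock = ManualClock()
    broker = JitBroker(clock)
    gid = broker.request("alice", "vm-admin", "vm-prod-01", "apply kernel patch", 8 * 3600)
    broker.approve(gid, "bob")                       # distinct approver
    cred = broker.activate(gid, mfa_verified=True)
    assert broker.is_allowed(cred, "vm-admin", "vm-prod-01")
    assert not broker.is_allowed(cred, "vm-admin", "vm-prod-02")  # scoped to one resource
    clock.now += MAX_TTL_SECONDS + 1                 # window ends, user never logged out
    assert not broker.is_allowed(cred, "vm-admin", "vm-prod-01")
    return [e["event"] for e in broker.audit]
```

Two details carry the security argument: the requested 8-hour window is silently capped to the policy maximum at request time, and `is_allowed` re-checks expiry on every authorization decision, so a session that outlives its window loses access even if nobody ever logged out or ran a cleanup job.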
Microsoft Entra Privileged Identity Management
Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
- Provide just-in-time privileged access to Microsoft Entra ID and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multifactor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
- Prevent removal of the last active Global Administrator and Privileged Role Administrator role assignments
source: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
Related Terms
- Principle of least privilege
- Standing privileges (also called “always-on access”)
- Zero Trust security