Vol. 1 · Ed. 2026
CyberGlossary
Entry № 641

Just-in-Time Access

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Just-in-Time Access?

Just-in-Time Access: An access model that grants elevated or sensitive permissions only for a limited time and a specific task, then revokes them automatically.


Just-in-Time (JIT) access eliminates standing privileges by issuing them on-demand, typically through an approval workflow tied to a ticket, change request, or break-glass procedure. Users or workloads request elevation, the system enforces conditions (justification, MFA, peer approval), provisions the rights for a short, bounded window, then revokes them automatically. JIT pairs naturally with PAM, RBAC and zero-trust: it sharply reduces the attack surface from dormant admin accounts and credential theft because there is nothing valuable to steal between sessions. Modern implementations cover cloud roles, database access, SSH bastion sessions, and Active Directory group memberships.
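
The request, condition check, bounded grant and automatic revocation flow described above, as an added example that is not code from this page or from any product it names. The `JitBroker` and `Request` names, the one-hour cap and the field layout are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

MAX_WINDOW_S = 3600  # assumed policy cap on any single elevation

@dataclass
class Request:  # hypothetical request shape
    user: str
    role: str
    ticket: str               # justification: ticket or change request id
    mfa_verified: bool
    approver: Optional[str]   # peer who approved, None if nobody did
    duration_s: int

@dataclass
class JitBroker:  # hypothetical broker, in-memory only
    clock: Callable[[], float] = time.time
    grants: dict = field(default_factory=dict)  # (user, role) -> expiry time
    audit: list = field(default_factory=list)

    def request(self, r: Request) -> bool:
        checks = {
            "justification": bool(r.ticket.strip()),
            "mfa": r.mfa_verified,
            "peer approval": r.approver not in (None, r.user),  # no self-approval
            "bounded window": 0 < r.duration_s <= MAX_WINDOW_S,
        }
        failed = [name for name, ok in checks.items() if not ok]
        if failed:
            self.audit.append(("deny", r.user, r.role, failed))
            return False
        self.grants[(r.user, r.role)] = self.clock() + r.duration_s
        self.audit.append(("grant", r.user, r.role, r.ticket))
        return True

    def is_authorized(self, user: str, role: str) -> bool:
        # Fail closed: expiry is checked at use time, not only by the sweep.
        expiry = self.grants.get((user, role))
        return expiry is not None and self.clock() < expiry

    def sweep(self) -> list:
        # Automatic revocation: drop every grant whose window has closed.
        expired = [k for k, exp in self.grants.items() if exp <= self.clock()]
        for key in expired:
            del self.grants[key]
            self.audit.append(("revoke", *key))
        return expired
```

Checking expiry in `is_authorized` as well as in `sweep` means a delayed or failed revocation job does not extend the access window.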

Examples

  1. Azure PIM elevating a user to Global Administrator for one hour after MFA and approval.

  2. A Teleport workflow that grants temporary kubectl admin in a production cluster.

Frequently asked questions

What is Just-in-Time Access?

An access model that grants elevated or sensitive permissions only for a limited time and a specific task, then revokes them automatically. It belongs to the Identity & Access category of cybersecurity.

What does Just-in-Time Access mean?

An access model that grants elevated or sensitive permissions only for a limited time and a specific task, then revokes them automatically.

How do you defend against Just-in-Time Access?

Defences for Just-in-Time Access typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Just-in-Time Access?

Common alternative names include: JIT access, Just-in-time privilege.
