Introduction
Just-in-time (JIT) accounts are a feature that temporarily enables a privileged account. With JIT accounts, you can be assured that they will be automatically disabled and their passwords rotated upon expiry, making them highly secure. Each JIT account is created for an individual, which creates an audit log that can be easily tracked to that person. This also helps ensure compliance by avoiding shared credentials and maintaining the principle of no standing privileges.
In this article, we'll walk you through the steps of setting up and using JIT accounts.
Step 1: Enable JIT access for your account
Prerequisites
You'll need to be in a Super or Primary role to enable JIT access for your company.
Process
- Go to your account Settings from the main page of the Dashboard
- Scroll down to find the new 'Just-in-time Accounts Access' settings.
- Click on 'Enable' to turn on JIT account access for your account.
- Select the account type as Active Directory (currently only Active Directory is available).
- Choose the privileged security groups that will be allowed for all future created JIT accounts by searching for or scrolling through the list and filling the radio button(s).
- Select access to define who on your team should have access to create JIT accounts (you can restrict to Primary, Super, and Manager roles only, or select Login Groups who will have access to create and use JIT accounts).
NOTE: Primary, Super, and Manager roles will always have access. The selected Login Groups will be in ADDITION to those 3 roles.
- Hit save to enable JIT accounts for your account. The Just-in-Time Accounts section will update to show the selected options from the previous screen.
- To change these configurations, you need to disable the current configuration and then re-enable it with the new options you wish to select.
Step 2: Create JIT account from desktop app
Prerequisites
You'll need to have the Quickpass Desktop app installed on your computer.
Please follow the instructions in this article to install the desktop app:
https://support.getquickpass.com/hc/en-us/articles/10792022794647
Process
- Open the Quickpass Desktop app and log in using the same credentials used to log into the Quickpass Dashboard.
- Select the customer for which you want to create a JIT account.
- Click on 'Just-in-time Accounts' on the side nav. (Only logins who have access to JIT accounts will see this option.)
- Click the 'Create JIT account' button to create a new JIT account.
- On the JIT account creation form, you can set up the account configuration, including:
  - Account Information
    - This includes the name of the account. If you don't like the default, you can modify the value that it will use. This will be the name of the JIT account for that Technician/Login Role, and it cannot be changed once created.
      NOTE: There is a known bug if the username value is longer than 20 characters (including the _jit), so please ensure the value you have there is less than 16 characters.
    - Duration should be set to the lowest amount that is technically practical. If the account is needed for longer than this period, the account can be Enabled/Activated again.
    - Reason for Creating: this is a mandatory field to advise the reason for creation of the account.
  - Administrator Account Type
    - Currently only Active Directory is available, but the other options shown here will be available as the product is expanded.
  - Select Privilege
    - Select from the list of Active Directory Groups that were originally selected by the Primary/Super at the time of JIT being enabled.
- Hit 'Create' to create the JIT account on the Active Directory domain for this customer.
You can now use this JIT account for the specified duration.
Step 3: Re-enabling a previously used JIT Account
- After you log into the Desktop App and select the Customer and the Just-in-time Accounts section, any previously created JIT account for this Login for this customer will be displayed.
- The status will show the current status of the JIT Account. If this shows Disabled, the previous usage time of the account has expired. The account will need to be "re-enabled" before it can be used again.
- To Activate/Re-enable the previously created JIT account, select the 3 dot menu beside the account.
- Selecting Enable Account will show you this screen.
- You must fill in the Reasons for Enabling, select a duration that is appropriate, and then click Enable.
- The JIT Accounts list will update once the account has been Enabled again.
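One way to check from Active Directory that JIT accounts are in the state this article describes: disabled outside their active window, and members only of the groups approved in Step 1. This is an added example, not Quickpass code. It assumes the ActiveDirectory PowerShell module is available, that JIT account names end in _jit as the NOTE in Step 2 implies, and that the sample group names in $ApprovedGroups are replaced with the groups selected in Step 1.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Quickpass code): read-only audit of JIT accounts in AD.
# Assumptions: JIT accounts have a sAMAccountName ending in "_jit";
# $ApprovedGroups lists the groups chosen in the JIT settings (sample values).
param(
    [string[]]$ApprovedGroups = @('Domain Admins', 'Server Operators')
)

$report = Get-ADUser -Filter "SamAccountName -like '*_jit'" `
                     -Properties MemberOf, PasswordLastSet, whenChanged |
    ForEach-Object {
        $user = $_
        # MemberOf holds distinguished names of direct groups only;
        # nested membership is not expanded here.
        $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
        $unapproved = @($groups | Where-Object { $_ -notin $ApprovedGroups })

        [pscustomobject]@{
            SamAccountName   = $user.SamAccountName
            Enabled          = $user.Enabled
            PasswordLastSet  = $user.PasswordLastSet
            WhenChanged      = $user.whenChanged
            Groups           = $groups -join '; '
            UnapprovedGroups = $unapproved -join '; '
        }
    }

# Enabled accounts first: each should match a JIT request that is still
# inside its requested duration in the Quickpass Desktop app.
$report | Sort-Object -Property Enabled -Descending | Format-Table -AutoSize

# Any JIT account in a group outside the approved list needs review.
$report | Where-Object { $_.UnapprovedGroups } | ForEach-Object {
    Write-Warning "$($_.SamAccountName) is in unapproved group(s): $($_.UnapprovedGroups)"
}
```

An account that stays Enabled after its duration has passed, or whose PasswordLastSet does not move after expiry, is worth comparing against the JIT request history.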