This article answers some frequently asked questions about Just-In-Time (JIT) accounts.
Can anyone on my team create JIT-privileged accounts?
No. Only user groups selected by the admins (super or primary role) in the JIT settings on the CyberQP dashboard can create JIT accounts. Selected users can create JIT accounts only for the customers they have been authorized to access.
As an admin, can I access all JIT accounts created by my team?
Only the account creator can access the JIT account passwords or enable JIT accounts.
Admins (super and primary roles) can see all the JIT accounts created by their team via the dashboard and can delete any JIT account if needed. Admins also receive an email alert whenever a new JIT account is created.
Note: admins cannot see the passwords of JIT accounts created by other users.
How long are JIT accounts enabled?
Users choose the duration when creating the account or when re-enabling an existing JIT account. An account can be active for 1 hour, 4 hours, 1 day, 3 days, 7 days, or 30 days. At expiry, the account is set to Disabled and the password is rotated.
Are JIT accounts deleted after each use, with a new JIT account created the next time the user wants to use the privileged account?
No, we do not delete JIT accounts at the time of expiry. JIT accounts in CyberQP are disabled in Active Directory and their passwords are rotated at expiry. The next time a user wants to reuse the same JIT account, they can enable it for a limited time via the CyberQP desktop app.
Is the account removed from the privileged security group at expiry?
The JIT account is not removed from the privileged security group at expiry. The account is Disabled and the password is rotated. Users will need to re-enable the JIT account the next time they want to use it. We are evaluating providing an option in the future to also remove the account privileges at expiry.
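The PowerShell audit below is an added example, not CyberQP code. Because an expired JIT account keeps its privileged group membership, it lists the members of privileged groups by enabled state so that disabled-but-still-privileged accounts can be reviewed. It assumes the ActiveDirectory module (RSAT) is installed, and the group list is a placeholder to replace with your own.

```powershell
# Added example: review accounts that keep privileged group membership.
# After expiry a JIT account is Disabled but stays in its privileged group,
# so this report separates disabled members from enabled ones.
Import-Module ActiveDirectory

# Assumption: placeholder list; use the groups your JIT accounts are placed in.
$PrivilegedGroups = @('Domain Admins')

$report = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                            -Properties PasswordLastSet, LastLogonDate, whenChanged
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet   # changes when a password is rotated
                LastLogonDate   = $u.LastLogonDate
                WhenChanged     = $u.whenChanged
            }
        }
}

# Disabled accounts that still hold privileged membership (expected state
# for an expired JIT account; anything unrecognised here needs a closer look).
$report | Where-Object { -not $_.Enabled } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize

# Enabled privileged accounts: reconcile these against the JIT accounts
# shown as active on the dashboard.
$report | Where-Object { $_.Enabled } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize
```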
Are JIT account passwords stored in IT Glue or Hudu?
No, JIT account passwords are always stored in the Quickpass vault. Customers using IT Glue or Hudu will not be able to store these passwords in IT Glue or Hudu.
How will JIT accounts work with DUO MFA?
When setting up a JIT account, users have the option to choose a username. If this username is configured as an alias with DUO, then MFA will function seamlessly with JIT accounts. Alternatively, users can configure DUO MFA with an existing JIT account, and it will remain active whether the account is enabled or disabled. CyberQP does not create a new JIT account each time; it only activates an existing JIT account for the user.
How many JIT accounts can one user create?
For Active Directory, one user can create only one JIT-privileged account on an AD domain. This privileged account should work on all AD-joined machines.
Can I delete a JIT account once created?
Currently, it is not possible to delete a JIT account via the desktop app. We plan to enable this in the future. We plan to allow admins to delete any JIT account from the dashboard in the next release planned for May.