Just-In-Time (JIT) privileged accounts provide an added layer of security by restricting access to critical resources only when necessary. CyberQP enables you to configure JIT accounts, ensuring that your organization can better manage and control privileged access. This article will guide you through the steps to enable JIT accounts in your CyberQP environment.
Prerequisites
- You need to have super or primary role permissions
- You must have an active QGuard subscription
Feature Enhancement - July 2024 - Create and edit Multiple Policies
You can now create, edit, and delete multiple policies for each directory source (Active Directory, Entra ID, and Local System Directories).
Before July 2024, CyberQP only allowed a single privilege to be selected and applied to the JIT account during creation. Now, all privileges set on the policy are applied to the JIT account. If you want only one privilege to be granted by a JIT policy, select only one privilege on that policy.
All privileges are removed by CyberQP when the JIT account expires. This now includes ANY other privileges that someone may have added to the account after it was created, whether in Active Directory, Entra ID, or Local System Directories.
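A practitioner will want to confirm this behaviour from the directory side rather than trust the dashboard alone. The following script is an added example, not CyberQP's own tooling: it takes the sAMAccountName of an expired Active Directory JIT account (the `$JitSam` parameter is a hypothetical name, substitute your own), lists every direct group membership other than the primary group, and flags any group you consider privileged, so a membership added out-of-band after creation would show up here if it had not been stripped. It assumes the RSAT ActiveDirectory module is installed and the caller can read the account.

```powershell
# Added example (not CyberQP's code): verify that an expired JIT account holds no
# leftover privileged group membership in Active Directory.
# Assumes the RSAT ActiveDirectory module; $JitSam is a hypothetical
# sAMAccountName, replace it with the expired JIT account you want to check.
param(
    [Parameter(Mandatory)] [string] $JitSam,
    # Groups treated as privileged; adjust to the groups your JIT policies use.
    [string[]] $PrivilegedGroups = @("Domain Admins", "Enterprise Admins",
                                     "Schema Admins", "Administrators",
                                     "Account Operators", "Backup Operators")
)
Import-Module ActiveDirectory

$acct = Get-ADUser -Identity $JitSam -Properties Enabled, PrimaryGroup, whenChanged
$primaryGroup = (Get-ADGroup -Identity $acct.PrimaryGroup).Name

# Direct memberships only (Get-ADPrincipalGroupMembership does not recurse);
# the primary group (normally Domain Users) is expected and filtered out.
$groups = @(Get-ADPrincipalGroupMembership -Identity $JitSam |
            Select-Object -ExpandProperty Name |
            Where-Object { $_ -ne $primaryGroup })

$leftover = @($groups | Where-Object { $PrivilegedGroups -contains $_ })

[pscustomobject]@{
    Account        = $acct.SamAccountName
    Enabled        = $acct.Enabled
    LastChanged    = $acct.whenChanged
    PrimaryGroup   = $primaryGroup
    OtherGroups    = ($groups -join ", ")
    PrivilegedLeft = ($leftover -join ", ")
}

if ($leftover.Count -gt 0) {
    Write-Warning "$JitSam still holds privileged membership after expiry: $($leftover -join ', ')"
    exit 1
}
if ($acct.Enabled) {
    Write-Warning "$JitSam is still enabled; check whether the JIT expiry has run"
}
```

Run it as `.\Check-ExpiredJit.ps1 -JitSam <account>` shortly after the policy's duration has elapsed. A non-empty `PrivilegedLeft` column (and a non-zero exit code) means something is still attached to the account and is worth a ticket; nested privilege through intermediate groups would need a recursive walk (for example `Get-ADGroupMember -Recursive` from the privileged groups' side), which this direct check does not cover.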
Steps to Enable JIT Privileged Accounts:
1. Access the QGuard Settings Page
- Log in to your CyberQP account with super or primary role permissions.
- Navigate to the "Settings" page within the dashboard.
2. Enable JIT Accounts:
- On the "Settings" page, locate the "JIT Account Settings" section.
- Click on the "Enable" button to initiate the configuration process.
3. Configure Directory Sources:
- Select the directory sources for which you want to configure JIT accounts. You can choose from AD (Active Directory), Entra ID (formerly Azure AD), and Local.
Feature Enhancement Update - July 2024: You can now create additional policies for a directory source that already has a policy.
4. Specify the Name and Description of your policy
Give your policy a name and description. This name will be visible and searchable by your technicians when they create or re-enable a JIT account. We suggest including the name of the technical task this policy is meant for (e.g. “Backup Exchange Mailboxes”).
5. Define Access for Your Team
Determine who on your team should have access to JIT accounts. You have two options:
- Restrict access to Super and Primary roles only.
- Select specific Login Groups of technicians who can create and manage JIT accounts using the durations and privileges listed in the policy.
You may also create a separate policy to segment technicians with different privilege levels for the selected directory source.
NOTE: Primary and Super role login users always have access. If you restrict access to specific Login Groups, the selected Login Groups are granted access in ADDITION to the Super and Primary roles.
NOTE: The HelpDesk role can be added to a Login Group; however, HelpDesk users do not get access to JIT privileged accounts. Only engineers, managers, and admins can access JIT accounts.
NOTE: Selected technicians will only be able to create JIT accounts for customers they already have access to.
6. Specify allowable JIT account durations:
- Specify the durations your technicians are allowed to use when creating or re-enabling a JIT account under this policy. (You may later create a second policy if you want to allow a different set of durations for another group of technicians.)
NOTE: For Entra ID sources, make sure the CyberQP enterprise app in your Entra ID tenant is assigned either the Global Administrator role, or both the Privileged Authentication Administrator and Privileged Role Administrator roles (new requirement).
7. Select Privileged Security Groups/Roles:
- For each selected directory source, choose the privileged security groups or roles that you want to make available to your technicians for creating JIT accounts.
NOTE: Since July 2024, all privileges selected on the policy are applied to the JIT account (previously only a single privilege could be selected). If you want only one privilege granted by this policy, select only one.
8. Save Your Configuration:
- After defining the directory sources and access permissions, click the "Save" button to apply your JIT account settings.
If configuration changes are needed later, edit each policy using the pencil icon, or delete and re-create the policy.
Use this to do things like:
- Update an existing policy to add or remove privileges and/or durations without disabling the JIT feature.
- Delete / Turn off a specific policy for a specific directory source.
- Create / Enable a specific policy for a directory source, should it not already be enabled.
Congratulations! You have successfully enabled JIT accounts in QGuard. The selected technicians will now have the ability to see the "Just-In-Time Accounts" menu within each customer and utilize JIT accounts as needed.
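Before relying on an Entra ID policy, it is worth checking the role requirement from step 6 directly rather than discovering it at the first failed JIT creation. The script below is an added example, not CyberQP's own code: it looks up the enterprise app's service principal by display name (the name "CyberQP" is an assumption, adjust it to whatever the app is called in your tenant), enumerates the activated directory roles, and reports whether the app holds Global Administrator, or both Privileged Authentication Administrator and Privileged Role Administrator. It assumes the Microsoft.Graph PowerShell SDK and an account able to consent to the two read scopes.

```powershell
# Added example (not CyberQP's code): check that the CyberQP enterprise app holds
# the Entra ID directory roles this article requires.
# Assumes the Microsoft.Graph PowerShell SDK; the display name "CyberQP" is an
# assumption, pass -AppDisplayName to match the enterprise app in your tenant.
param(
    [string] $AppDisplayName = "CyberQP"
)

Connect-MgGraph -Scopes "Application.Read.All", "RoleManagement.Read.Directory"

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -eq 0) { throw "No service principal named '$AppDisplayName' found" }
if ($sp.Count -gt 1) { throw "Several service principals named '$AppDisplayName'; pick one by AppId" }
$spId = $sp[0].Id

# Get-MgDirectoryRole lists only roles activated in the tenant, and role
# membership shows active assignments only (a PIM-eligible assignment
# would not appear here). Both are what a non-interactive app needs anyway.
$held = foreach ($role in (Get-MgDirectoryRole -All)) {
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    if ($members.Id -contains $spId) { $role.DisplayName }
}
$held = @($held)

$hasGA  = $held -contains "Global Administrator"
$hasPAA = $held -contains "Privileged Authentication Administrator"
$hasPRA = $held -contains "Privileged Role Administrator"

if ($hasGA -or ($hasPAA -and $hasPRA)) {
    Write-Host "OK: '$AppDisplayName' holds: $($held -join ', ')"
} else {
    Write-Warning "'$AppDisplayName' holds: $(if ($held) { $held -join ', ' } else { '(no directory roles)' })"
    Write-Warning "Required: Global Administrator, or both Privileged Authentication Administrator and Privileged Role Administrator"
    exit 1
}
```

If the check fails, assign the missing role(s) to the app's service principal in Entra ID (Roles and administrators) and re-run; a non-zero exit code makes the script usable as a pre-flight step in an onboarding runbook. Prefer the two narrower roles over Global Administrator where CyberQP supports it, since the app's token then cannot be used for anything beyond password and role operations.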
Comments
Multi-Policy JIT has been enabled. Please review the updated KB.