Just-In-Time (JIT) Privilege Elevation
In today's dynamic IT environments, security and access control are paramount. As organizations strive to protect sensitive data and systems from unauthorized access, the challenge of managing privileged access becomes increasingly complex. Traditional methods of granting permanent elevated access to users can expose systems to potential risks and vulnerabilities.
To address these challenges, PAM360 offers the Just-in-Time (JIT) privilege elevation mechanism. This feature allows administrators to provide elevated access for users temporarily, enabling them to perform necessary privileged tasks within a specified timeframe. By providing time-bound and task-specific access, JIT privilege elevation ensures that elevated permissions are granted only when needed, significantly enhancing security and reducing the risk of unauthorized access.
This help document discusses JIT privilege elevation in detail and outlines the steps required to configure and implement it.
- How does JIT Privilege Elevation Work? - A Gist
- Benefits
- Roles Required in PAM360 for JIT Management
- Configuration Steps
Note: JIT privilege elevation is only applicable for Windows and Windows Domain resources. For Linux resources, refer to other Privilege Elevation and Delegation Modules such as SSH Command Control and Self Service Privilege Elevation available in PAM360.
1. How does JIT Privilege Elevation Work? - A Gist
Authorized users with the appropriate privileges can configure JIT elevation for a resource, whether it is a Windows or a Windows Domain machine, by selecting the local or security groups to be used for privilege elevation. Once the resource is shared with users, the configured access control workflow applies. Upon receiving approval from an authorized administrator, users can check out the password for access, at which point their privileges are elevated to the level of the local or security groups specified during the privilege elevation configuration. This grants the user elevated access to the resources configured with privilege elevation for a defined period, as determined by the administrator within the Access Control Workflow.
2. Benefits
The JIT privilege elevation feature is essential when a local account lacks the privileges needed to use certain applications or services. With this feature, administrators can grant timely and controlled access to privileged resources, enabling user accounts with lower privileges to run privileged applications or services for a specific timeframe. By implementing this approach, administrators can precisely control who can access what and for how long, eliminating the need to provide blanket access to privileged resources for all user accounts.
3. Roles Required in PAM360 for JIT Management
Only user roles with certain privileges can configure JIT privilege elevation for a resource/account in PAM360.
- By default, user accounts with Privileged Administrator, Administrator, and Password Administrator roles can configure the JIT privilege elevation.
- Apart from these predefined roles, you can also create a Custom Role with the relevant Resource, Account, and Access Control privileges for JIT configuration.
4. Configuration Steps
Note: Before configuring privilege elevation for a Windows or Windows Domain resource through PAM360, ensure that remote password reset is configured for the selected resource, as PAM360 uses the account configured in the remote password reset configuration to perform the privilege elevation of local/domain accounts.
4.1. Configuring JIT Privilege Elevation
(Procedure valid from build 7200 onwards)
Follow the steps detailed below to configure JIT privilege elevation for the desired Windows/Windows Domain resources:
- Navigate to the Resources tab of your PAM360 account, click the Resource Actions icon beside the desired Windows/Windows Domain resource, and select Configure >> Access Control.
- In the Configure Access Control Window, switch to the Privilege Elevation tab and enable the checkbox Elevate account privileges by adding it to the following local/security groups.
- Click Select to view all available local/security groups for the Windows/Windows Domain resource. The available groups will be displayed in the Select Local/Security Group window. Choose the required groups and click Save. The selected group(s) will be listed in the Selected Local/Security Groups field.
- Click Save & Activate to successfully configure JIT privilege elevation for the selected resource.
Note: If you have an active ManageEngine ADManager Plus (ADMP) integration, you can continue using it to configure JIT privilege elevation for Windows Domain resources. Otherwise, you can continue configuring JIT privilege elevation for Windows Domain resources in PAM360 using the above-mentioned procedure.
4.2. JIT Privilege Elevation Configuration
(Procedure valid till Build 7100)
Note: To configure privilege elevation for Windows Domain resources, an integration with ManageEngine ADManager Plus is required to fetch the security groups. Refer to the ADManager Plus integration documentation for more details.
- Navigate to the Resources tab of your PAM360 account, click the Resource Actions icon beside the desired Windows resource, and select Configure Access Control.
- In the Configure Access Control window, switch to the Privilege Elevation tab and enable the Elevate account privilege by adding into the below local groups checkbox.
- Click Select, and all the available local groups in the Windows resource will be fetched and displayed in the Select Local Group window. Choose the required groups and click Save. The selected groups will be listed in the Selected Local Groups field.
- Once you have configured the necessary options, click Save & Activate.
Notes:
- Privilege elevation occurs only at the time of password check-out. PAM360 will add the local/domain account to the selected local/security group(s) only when the password of the privileged local/domain account is checked out from the PAM360 repository.
- If privilege elevation fails for an account when PAM360 attempts to add it to the selected group(s), check audit logs for details on the reasons for failure.
- Privilege elevation is not applicable for resource owners and users excluded from the access control workflow.
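Because the elevation described above is implemented as a temporary group membership on the Windows host, the host's own Security log can confirm that each check-out both added and later removed the account. The following PowerShell script is an added example, not PAM360 code or a PAM360 API: it pairs "member added" (4732) and "member removed" (4733) events for the configured account and groups, flags removals that exceed the check-out period, and reports memberships that are still present. The account, group list, check-out period and look-back window are constructed sample values.

```powershell
# Added example, not PAM360 code: audit the JIT elevation lifecycle on the managed Windows host.
# Assumptions (all constructed): run in an elevated PowerShell session on the resource itself;
# $Account is the local/domain account PAM360 elevates, $Groups the local/security groups picked
# in the Privilege Elevation tab, $MaxMinutes the check-out period from the access control workflow.
param(
    [string]$Account    = 'svc_app',            # constructed sample account
    [string[]]$Groups   = @('Administrators'),   # constructed sample group list
    [int]$MaxMinutes    = 60,
    [int]$LookbackHours = 24
)

# Match on SID rather than name: the MemberName field of 4732/4733 is often "-" for local accounts.
$sid = (New-Object Security.Principal.NTAccount($Account)).Translate(
           [Security.Principal.SecurityIdentifier]).Value

# 4732 = member added to a security-enabled local group, 4733 = member removed.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4732, 4733; StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# Flatten each event's EventData into a hashtable keyed by field name and keep only our account/groups.
$changes = foreach ($e in $events) {
    $d = @{}; ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d['MemberSid'] -eq $sid -and $Groups -contains $d['TargetUserName']) {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Group = $d['TargetUserName']; By = $d['SubjectUserName'] }
    }
}

foreach ($g in $Groups) {
    $pending = $null
    foreach ($c in $changes | Where-Object Group -eq $g) {
        if ($c.Id -eq 4732) { $pending = $c; continue }
        if ($pending) {
            $mins = [int]($c.Time - $pending.Time).TotalMinutes
            $flag = if ($mins -gt $MaxMinutes) { 'OVERDUE' } else { 'ok' }
            "$g : elevated $($pending.Time) by $($pending.By), removed after $mins min [$flag]"
            $pending = $null
        } else {
            "$g : removal at $($c.Time) with no matching add in the look-back window"
        }
    }
    # An add with no later remove, plus current membership, means the elevation never reverted.
    $member = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
              Where-Object { $_.SID.Value -eq $sid }
    if ($pending -and $member) { "$g : STILL ELEVATED since $($pending.Time) (no 4733 seen)" }
    elseif ($member)           { "$g : $Account is a member but no 4732 seen in the last $LookbackHours h" }
}
```

Group membership auditing (Audit Security Group Management) must be enabled on the host for 4732/4733 to be logged; for domain security groups, the corresponding events are recorded on the domain controller rather than the member server.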