v24r2Configure Computers for Just-In-Time Access

Owned by Phillip Hanegan
May 10, 2024
2 min read

EmpowerID allows for the configuration of Just-In-Time (JIT) account provisioning on computers for specific groups. This feature automatically generates a user account, uniquely identified by combining the user's EmpowerID login with a random string (e.g., jposada_566054625600), and assigns it to the appropriate group at the onset of a PSM session. Upon the session's conclusion, the account is promptly removed from the group. Depending on the specific JIT access settings, this account may either be retained for future use or completely deleted from the system. This JIT strategy reinforces a zero-trust, least-privilege environment, ensuring that access is provided strictly as needed and withdrawn immediately afterward.

Procedure

  1. Navigate to the View One page for the computer to which you want to enable Just-in-Time Access.

    The quickest way to do this is to use the Global Search located at the top of each page.
    Show Me

    Using Global Search

     

  2. On the computer’s View page, click the Display Name link to put the computer in Edit mode.

     

  3. Navigate to the Just-in-Time Access section, configure the settings according to your policy, and save your changes.

     

Setting

Description

Setting

Description

Enable Just in Time Account Provisioning

Enabling JIT account provisioning on a computer allows for the creation of a unique account that combines the user's EmpowerID login with a random string (for example, jposada_566054625600). Without JIT account provisioning, if a user does not have an existing account on the computer with the necessary permissions, they will be unable to access the computer with the requested permissions.

Delete JIT-Created Account on Check-In

If selected, EmpowerID deletes the user account provisioned for the user when their session ends.

Use Existing Account if Applicable

If selected (and Delete JIT-Created Account on Check-In) is not selected, EmpowerID uses an existing account that has been previously provisioned for the user for subsequent sessions on the computer.

Just In Time Admin Group

Specifies the group on the computer that JIT accounts are added to as members.