Configure Computers for Just-In-Time Access

EmpowerID allows for the configuration of Just-In-Time (JIT) account provisioning on computers for specific groups. This feature automatically generates a user account, uniquely identified by combining the user's EmpowerID login with a random string (e.g., jposada_566054625600), and assigns it to the appropriate group at the onset of a PSM session. The account is promptly removed from the group upon the session's conclusion. Depending on the specific JIT access settings, this account may either be retained for future use or completely deleted from the system. This JIT strategy reinforces a zero-trust, least-privilege environment, ensuring that access is provided strictly as needed and withdrawn immediately afterward.

Procedure

  1. Navigate to the View One page for the computer on which you want to enable Just-in-Time Access.

    The quickest way to do this is to use the Global Search at the top of each page.

  2. Click the Display Name link on the computer’s View page to put the computer in Edit mode.

     

  3. Navigate to the Just-in-Time Access section, configure the settings according to your policy, and save your changes.

     

| Setting | Description |
| --- | --- |
| Enable Just in Time Account Provisioning | Enabling JIT account provisioning on a computer allows for the creation of a unique account that combines the user's EmpowerID login with a random string (for example, jposada_566054625600). Without JIT account provisioning, if a user does not have an existing account on the computer with the necessary permissions, they will be unable to access the computer with the requested permissions. |
| Delete JIT-Created Account on Check-In | If selected, EmpowerID deletes the user account provisioned for the user when their session ends. |
| Use Existing Account if Applicable | If selected (and Delete JIT-Created Account on Check-In is not selected), EmpowerID uses an existing account that has been previously provisioned for the user for subsequent sessions on the computer. |
| Just In Time Admin Group | Specifies the group on the computer that JIT accounts are added to as members. |
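
To check that these settings behave as configured, the following added example (not EmpowerID code) audits a snapshot of a computer's local accounts and JIT admin group membership for JIT accounts left behind after a session. The `ComputerState` fields and the all-digit suffix pattern are assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass, field

# Assumption: the random suffix is all digits, as in the page's example
# jposada_566054625600. Adjust the pattern if your suffixes differ.
JIT_NAME = re.compile(r"^(?P<login>.+)_(?P<suffix>\d{6,})$")

@dataclass
class ComputerState:
    """Constructed snapshot of one computer; field names are hypothetical."""
    delete_on_checkin: bool          # "Delete JIT-Created Account on Check-In"
    local_accounts: set              # every local account name on the computer
    admin_group_members: set         # members of the "Just In Time Admin Group"
    active_session_accounts: set = field(default_factory=set)

def audit_jit(state):
    """Return (account, finding) pairs for JIT accounts that outlived a session."""
    findings = []
    for account in sorted(state.local_accounts | state.admin_group_members):
        if not JIT_NAME.match(account):
            continue                 # not a JIT-style name, out of scope
        if account in state.active_session_accounts:
            continue                 # session still open, membership is expected
        if account in state.admin_group_members:
            findings.append((account, "in admin group with no active session"))
        if state.delete_on_checkin and account in state.local_accounts:
            findings.append((account, "not deleted after check-in"))
    return findings

if __name__ == "__main__":
    # Constructed sample data: one stale JIT account, one with an open session.
    state = ComputerState(
        delete_on_checkin=True,
        local_accounts={"Administrator", "jposada_566054625600",
                        "asmith_112233445566"},
        admin_group_members={"Administrator", "jposada_566054625600"},
        active_session_accounts={"asmith_112233445566"},
    )
    for account, finding in audit_jit(state):
        print(f"{account}: {finding}")
```
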