# Just-In-Time Access (JIT)

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FB5kDk5IAVTfFolQv0SHB%2FJust-in-time%20access.jpg?alt=media&#x26;token=a90e3139-f25c-496d-b9de-8f8fa64bd644" alt=""><figcaption></figcaption></figure>

## Just-In-Time Access and Zero Standing Privilege

KeeperPAM provides comprehensive Just-In-Time (JIT) access capabilities to help organizations achieve zero standing privilege (ZSP) across their entire IT infrastructure and endpoints. Rather than maintaining persistent privileged access, JIT ensures that users receive elevated permissions only when needed, for a defined duration, and with appropriate approvals — enforcing the principle of least privilege while keeping all privileged activity fully auditable.

Eliminating standing access significantly reduces an organization's attack surface, because privileged access exists only when needed, for the duration required, and with appropriate approvals.

#### Understanding JIT and ZSP

**Just-In-Time (JIT) Access**: Provides users with privileged access only at the moment they need it, for a limited time period, and often with approval workflows.

**Zero Standing Privilege (ZSP)**: A security approach where users have no permanent privileged access to systems, eliminating the risk associated with compromised privileged accounts.

#### Why Enforce JIT?

Traditional privileged access models grant users persistent credentials that remain active whether or not they're being used. These standing privileges create unnecessary risk — if credentials are compromised, attackers gain immediate access without any additional checks.

JIT access eliminates this risk by ensuring privileged access is:

* **Temporary** — Access is granted only for the duration needed and automatically revoked afterward
* **Approved** — Requests go through defined approval workflows before access is granted
* **Scoped** — Users receive only the minimum permissions required for the task
* **Auditable** — Every access request, approval, and session is logged for compliance and forensic review

This approach reduces the attack surface and limits the blast radius of compromised accounts.

## Just-In-Time Features

* [Time-Limited Access](https://app.gitbook.com/s/-LO5CAzpxoaEquZJBpYz/sharing/time-limited-access)
* [Password Rotation](https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation)
* [**Workflow**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/just-in-time-access-jit/workflow)
  * **Multi-Level Approvals** — Approval workflows can require sign-off from multiple approvers or delegated approval authority
  * **Single-User Mode (Check-in / Check-out)** — Only one user can access the resource at a time. Users must check out the resource before use and check it back in when finished. If not returned manually, access is automatically revoked when the time limit is reached.
  * **MFA Requirement** — Users must complete multi-factor authentication before access is granted.
  * **Access Time Limits** — Access is granted for a defined duration and automatically revoked when the time window expires.
  * **Real-Time Notifications** — Approvers receive notifications across all Keeper clients, including desktop, web, and mobile.
* [**Ephemeral Accounts & Privilege Elevation**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/just-in-time-access-jit/ephemeral-accounts-and-privilege-elevation)
  * **Ephemeral Accounts** — Temporary accounts are created when access is approved and automatically deleted when the session expires.
  * **Privilege Elevation** — Users are temporarily assigned elevated permissions such as group or role membership, which are removed when the session expires.
* [**Automated Credential Rotation**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/just-in-time-access-jit/time-limited-access-with-automated-credential-rotation) — When access expires, credentials are automatically rotated to ensure they cannot be reused. All credential changes are recorded in the audit trail.
* [**Just-in-Time Elevated Access on Endpoints**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/just-in-time-access-jit/elevated-access-on-endpoints) using PEDM
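
The workflow gates listed above (multi-level approval, MFA, single-user check-out, access time limit, rotation on expiry) can be modeled as a small state machine. This is an added illustration, not KeeperPAM code or its API; the class `JitResource`, its method names, the rule that a requester cannot approve their own request, and the explicit `now` argument are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class JitResource:
    """Hypothetical model of one privileged resource behind a JIT workflow."""
    name: str
    approvals_required: int = 2          # multi-level approvals
    max_seconds: int = 3600              # access time limit
    credential: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    holder: Optional[str] = None         # single-user mode: one check-out at a time
    expires_at: float = 0.0
    audit: list = field(default_factory=list)

    def _log(self, now, event, user):
        self.audit.append((now, event, user))   # every decision is recorded

    def _deny(self, now, reason, user):
        self._log(now, "denied:" + reason, user)
        return None

    def check_out(self, user, approvers, mfa_ok, now):
        self.expire_if_due(now)                 # a real system would use a scheduler
        distinct = set(approvers) - {user}      # assumption: no self-approval
        if len(distinct) < self.approvals_required:
            return self._deny(now, "approvals", user)
        if not mfa_ok:
            return self._deny(now, "mfa", user)
        if self.holder is not None:
            return self._deny(now, "in_use", user)
        self.holder, self.expires_at = user, now + self.max_seconds
        self._log(now, "checked_out", user)
        return self.credential

    def check_in(self, user, now):
        if self.holder == user:
            self._revoke(now, "checked_in")

    def expire_if_due(self, now):
        if self.holder is not None and now >= self.expires_at:
            self._revoke(now, "expired")

    def _revoke(self, now, reason):
        self._log(now, reason, self.holder)
        self.holder = None
        self.credential = secrets.token_urlsafe(16)   # rotate: old secret is unusable
        self._log(now, "rotated", None)
```

Because the credential is rotated on every check-in or expiry, a secret copied during one session is useless in the next, and the `audit` list shows each denial, grant, revocation, and rotation in order.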

## Getting Started

KeeperPAM's comprehensive JIT and ZSP capabilities provide organizations with the tools needed to significantly reduce their privileged access attack surface. By implementing these capabilities across your infrastructure, you can ensure that privileged access is strictly controlled, properly approved, and thoroughly audited.

To configure JIT access, visit the following pages:

* [Workflows](https://docs.keeper.io/en/keeperpam/privileged-access-manager/just-in-time-access-jit/workflow)
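* [Ephemeral Accounts and Privilege Elevation](https://docs.keeper.io/en/keeperpam/privileged-access-manager/just-in-time-access-jit/ephemeral-accounts-and-privilege-elevation)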
* [Time-Limited Access & Automated Credential Rotation](https://docs.keeper.io/en/keeperpam/privileged-access-manager/just-in-time-access-jit/time-limited-access-with-automated-credential-rotation)
* [Just-in-Time Elevated Access on Endpoints using PEDM](https://docs.keeper.io/en/keeperpam/privileged-access-manager/just-in-time-access-jit/elevated-access-on-endpoints)

#### Implementation Best Practices

When implementing JIT access and ZSP with KeeperPAM:

1. **Start with critical systems**: Begin your implementation with your most sensitive systems and infrastructure
2. **Define clear policies**: Establish clear guidelines for when JIT access is required and who can approve it
3. **Educate users**: Ensure users understand how to request elevated access when needed
4. **Monitor and adjust**: Regularly review logs and adjust policies based on actual usage patterns
5. **Plan for emergencies**: Establish break-glass procedures for critical situations where normal approval workflows may be too slow

### Conclusion

For more information on specific JIT use cases or implementation guidance, contact your Keeper Security account manager or email <pam@keepersecurity.com>.

