# Just-In-Time Workflow

## Overview

KeeperPAM Workflow enforces just-in-time access for privileged resources. It reduces standing privilege and supports zero standing privilege across target infrastructure.

Workflow controls approvals, access windows, and check-in and check-out for protected resources in the Keeper Vault. It is available for any privileged resource protected in the Keeper Vault.

<figure><img src="/files/Wnv8m20KMOIqjHdTxN9T" alt=""><figcaption></figcaption></figure>

## Key Features

* **Multi-Level Approvals** — Require sign-off from multiple approvers or delegate approval authority as needed.
* **Single-User Mode (Check-in / Check-out)** — Restricts access to one user at a time. Users check out the resource before use and check it back in when finished. Access is automatically revoked when the time limit expires.
* **MFA Requirement** — Requires users to complete multi-factor authentication before access is granted.
* **Access Time Limits** — Grants access for a defined duration and automatically revokes it when the time window expires.
* **Real-Time Notifications** — Notifies approvers instantly across all Keeper clients, including desktop, web, and mobile.

{% hint style="info" %}
Learn more about [KeeperPAM Just-In-Time Workflow](/keeperpam/privileged-access-manager/just-in-time-access-jit/workflow.md)
{% endhint %}

## Getting Started

Before you begin:

* Use an active KeeperPAM trial or subscription
* Enable the **Workflow** role enforcement policy in the Admin Console

## Role Enforcement Policy

To let users configure Workflow on PAM record types, enable **Can manage workflow settings** under **Admin Console → Roles → Enforcement Policies → Privileged Access Manager**:

<figure><img src="/files/WNwUauMK663GUhcPGHbw" alt=""><figcaption><p>KeeperPAM Workflow Enforcement Policy</p></figcaption></figure>

You can also enable the policy with the [Keeper Commander CLI](/keeperpam/commander-cli/overview.md):

```
enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_WORKFLOW_SETTINGS":true
```

## Configure Workflow

Users with **Can manage workflow settings** can configure Workflow on PAM records.

To configure Workflow:

1. Open a PAM machine, database, directory, or browser record.
2. In **PAM Settings**, click **Edit**.
3. Open the **Workflow** section in the dialog.

<figure><img src="/files/VBG5GTERnPD5DcWD1sOC" alt=""><figcaption><p>Setting for Workflow</p></figcaption></figure>


