# Just-In-Time Access (JIT)

KeeperPAM Just-In-Time Access and Zero Standing Privilege

## Just-In-Time access and zero standing privilege

Just-In-Time access gives users elevated access only when they need it. Zero standing privilege removes always-on privileged access from users and systems. KeeperPAM combines approvals, temporary access, temporary identities, privilege elevation, and automatic cleanup across infrastructure and endpoints.
## Why use JIT

Standing privilege increases risk. If a privileged account is compromised, an attacker can use it immediately. JIT reduces that risk by making access:

- Temporary — Access expires automatically.
- Approved — Requests follow a defined workflow.
- Scoped — Users get only the access they need.
- Auditable — Every request, approval, launch, and cleanup event is recorded.
## How JIT works in KeeperPAM

1. Share a PAM resource with eligible users.
2. Optionally configure a Workflow to require approvals, MFA, schedules, and checkout rules.
3. Choose how privilege is granted for the resource.
4. Launch the session or application during the approved window.
5. Remove access, delete temporary accounts, or rotate credentials when the window ends.
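The lifecycle above, modelled as an added example (a constructed Python simulation, not KeeperPAM code or its API): a request must pass the approval, MFA, schedule, and checkout rules before a time-bound grant exists, access is checked against that window, and cleanup at expiry applies the action the chosen privilege model calls for. The `Resource` class, `request_access`, the model strings, and the policy values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

AUDIT = []  # every request, denial, grant and cleanup event is recorded here
CLEANUP = {"ephemeral_account": "delete_temp_account",   # action taken when the window ends
           "rotate_credential": "rotate_credential", "group_membership": "remove_from_group"}

def log(event: str, **fields) -> None:
    AUDIT.append({"event": event, **fields})

@dataclass
class Resource:  # hypothetical model of a shared PAM resource and its workflow rules
    name: str
    model: str               # "ephemeral_account", "rotate_credential" or "group_membership"
    approvers: Set[str]      # users allowed to approve requests (constructed policy)
    allowed_hours: range = range(8, 18)   # schedule: access permitted 08:00-17:59 only
    require_mfa: bool = True
    exclusive: bool = True   # checkout rule: one holder at a time
    holder: Optional[str] = None
    grants: Dict[str, datetime] = field(default_factory=dict)  # user -> expiry time
def deny(res: Resource, user: str, reason: str):
    log("deny", resource=res.name, user=user, reason=reason)
    return False, reason
def request_access(res, user, approver, mfa_ok, now, minutes):
    """Evaluate a JIT request against the workflow; grant only if every rule passes."""
    if approver not in res.approvers or approver == user:
        return deny(res, user, "approval required from a distinct approver")
    if res.require_mfa and not mfa_ok:
        return deny(res, user, "mfa required")
    if now.hour not in res.allowed_hours:
        return deny(res, user, "outside access schedule")
    if res.exclusive and res.holder not in (None, user):
        return deny(res, user, f"checked out by {res.holder}")
    res.grants[user] = now + timedelta(minutes=minutes)
    res.holder = user
    log("grant", resource=res.name, user=user, approver=approver, expires=res.grants[user].isoformat())
    return True, "granted"

def has_access(res, user, now) -> bool:
    return user in res.grants and now < res.grants[user]  # nothing stands outside the window

def expire(res, now):
    """Automatic cleanup at window end, using the action the chosen model requires."""
    for user, exp in list(res.grants.items()):
        if now >= exp:
            del res.grants[user]
            res.holder = None if res.holder == user else res.holder
            log(CLEANUP[res.model], resource=res.name, user=user)
    return res.grants
```

After `expire` runs, `AUDIT` holds the denial reasons, the grant with its expiry, and the cleanup event, which is the trail a reviewer would check to confirm no standing privilege survived the window.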
## Four JIT access models

KeeperPAM supports four different JIT models. Choose the model based on how access is granted and where privilege is applied.

- Keeper Privileged Cloud — Elevate the user through the identity provider. Use this when access is governed by AWS IAM, Azure Entra ID, GCP identity, Okta, Active Directory, or another federated identity layer. This model works across cloud accounts and with PAM Machine or PAM Database records that authenticate through the identity provider.
- Direct Ephemeral Accounts and Privilege Elevation — Change privilege directly on the target resource for privileged sessions. Use this when KeeperPAM must create a temporary account on the machine, directory, or database, or temporarily add an account to a local group, directory group, or database role.
- Time-Limited Access with Automated Credential Rotation — Grant temporary access to an existing credential for a defined time window. Use this when a user needs expiring access to a shared account and the credential must be rotated automatically when access ends.
- Elevated Access on Endpoints — Elevate actions locally on the endpoint through the Keeper Agent with Endpoint Privilege Manager. Use this when users need approved, time-bound elevation for specific applications, processes, or tasks on their own device.
## Pages in this section

Use the pages below together. Each one covers a different part of the JIT model.

- Workflow — Control who can request access, who approves it, whether MFA is required, when access is allowed, and whether only one user can hold the resource at a time.
- Keeper Privileged Cloud — Use the identity provider to grant temporary elevation across cloud platforms, federated applications, and PAM Machine or PAM Database resources that authenticate through that identity provider.
- Direct Ephemeral Accounts and Privilege Elevation — Create temporary accounts on the target resource, or temporarily add an account to a group or role directly on the machine, directory, or database.
- Time-Limited Access with Automated Credential Rotation — Grant expiring access to shared credentials and rotate them automatically when access ends.
- Elevated Access on Endpoints — Apply JIT elevation to user devices and endpoint processes with Keeper Privilege Manager.
## Choose the right JIT model

Start with the model that matches your access pattern.

- Need approvals, schedules, MFA, or check-out rules? Start with Workflow.
- Need elevation through AWS IAM, Azure Entra ID, GCP identity, Okta, Active Directory, or another federated identity provider? Use Keeper Privileged Cloud.
- Need session-only accounts or temporary role membership directly on the target machine, directory, or database? Use Direct Ephemeral Accounts and Privilege Elevation.
- Need temporary access to an existing shared credential? Use Time-Limited Access with Automated Credential Rotation.
- Need process-level elevation on endpoints? Use Elevated Access on Endpoints.
## Recommended rollout

1. Start with Workflow to define approvals, access windows, and MFA.
2. Choose the privilege model for each resource:
   - Use Keeper Privileged Cloud when elevation should happen through the identity provider.
   - Use Direct Ephemeral Accounts and Privilege Elevation when privilege should be created or changed directly on the target resource.
3. Add Time-Limited Access with Automated Credential Rotation where shared credentials still exist.
4. Extend the same model to user devices with Elevated Access on Endpoints.
## Related capabilities

JIT access often works with other KeeperPAM features:

- Connections for launching remote sessions from the Vault.
- Password Rotation for scheduled or on-demand credential changes.
## Implementation best practices

- Start with high-value systems first.
- Keep approval rules simple at the start.
- Use temporary identities where possible.
- Rotate any shared credential after the access window ends.
- Review audit events and adjust policy over time.