Manage access with just-in-time permissions

A workflow for Entitle

Scope of this guide

Most organizations have a permissions problem they can't fully see. Access accumulates: a developer who needed production database access for one afternoon still has it six months later, a contractor who finished in Q2 is still active in three SaaS tools, a new hire was given a broad access bundle because it was easier than figuring out exactly what they needed. None of this shows up as a breach. It just accumulates, quietly, until a threat actor finds the unlocked door you forgot you left open.

This workflow guides you through connecting Entitle to your environment, defining how access requests are approved, establishing baseline access for your workforce, enabling just-in-time (JIT) access to replace standing privileges, and reviewing and revoking the permissions that should never have been permanent.

Prerequisites

  • BeyondTrust Entitle is licensed and configured.
  • You have an Entitle account with the Administrator role.
  • At least one identity provider (Okta, Entra ID, Google Workspace, JumpCloud, OneLogin, or Active Directory) is available to connect.
  • You have API credentials or admin access for each cloud or SaaS application you plan to connect.
  • You know which resources and roles in your environment carry the highest privilege risk.

Why is this important

Standing access, permissions that persist whether or not they are being used, is a recurring element of modern breaches: a compromised credential inherits everything its owner holds, so a dormant admin account, an unused write permission, or a contractor's access that was never revoked each hands an attacker a door that was never closed. Entitle addresses not just who should have access, but who does, and whether any of it should be revoked, scoped down, or replaced with time-limited access that expires the moment it's no longer needed. This workflow shows you how to make that shift systematically.

Workflow summary

Step  Action
1     Connect your identity provider and integrations
2     Define approval workflows
3     Set up birthright policies for baseline access
4     Enable JIT access for elevated and sensitive permissions
5     Review and audit permissions

Steps

Step 1: Connect your identity provider and integrations

Entitle can govern only access it can see. Connecting your identity provider establishes the foundation: it's where your user identities live. Connecting your cloud and SaaS integrations gives Entitle the full picture of what those identities can actually do.

  1. Sign in to app.beyondtrust.io with your credentials. The BeyondTrust Pathfinder Home displays.
  2. At the top right of the page, select your site from the drop-down.
  3. Select the Entitle tile.
  4. From the top left menu, select Integrations, resources, roles.
  5. Select Add integration and follow the configuration steps for your identity provider. This establishes the directory of users and groups that Entitle uses as the basis for all access decisions.
  6. Repeat for each cloud or SaaS application you want Entitle to govern. For each integration, Entitle discovers the available resources and roles within that application.
  7. Select any integration to review its discovered resources. Confirm that users, resources, and roles appear as expected before continuing.

Step 2: Define approval workflows

Without a governed approval process, access requests are handled inconsistently — a Slack message here, a ticket there, a manager who says yes without understanding the scope. Approval workflows in Entitle replace that with a defined, auditable process: who approves, under what conditions, and how long access lasts.

  1. From the top left menu, select Approval workflows.
  2. Select New approval workflow and give it a name that reflects its scope (for example, "Production environment access" or "Sensitive data — manager approval required").
  3. Define the conditions for your first rule. Conditions can be based on the requesting user's group membership, the duration of the requested access, or on-call schedule membership.
  4. Define the approval steps. Assign approvers using abstract types where possible — direct manager, resource owner, or an IdP group — rather than named individuals. This keeps the workflow scalable as your organization changes.
  5. Set a maximum access duration. Access granted through Entitle is temporary by default; this value is the ceiling for any individual request.
  6. Add additional rules to cover different scenarios within the same workflow. Rules are evaluated top to bottom and the first rule whose conditions match is applied, so order them from most specific to least specific; a broad rule placed above a narrow one will capture the requests the narrow one was written for.
  7. Select Save approval workflow.
  8. From the Integrations, resources, roles page, assign the workflow to the relevant integrations, resources, or roles. A workflow that is not assigned to anything has no effect.
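The rule-ordering and duration-ceiling behaviour described in this step is easy to get wrong when a workflow grows past two or three rules. The following Python is an added illustration written for this guide, not Entitle's API or rule engine: it models a workflow as an ordered list of rules with the three condition types the page names (group membership, requested duration, on-call membership), abstract approver types, and a workflow-level maximum duration, then routes constructed sample requests through a correctly ordered workflow and a misordered copy of it. The rule names, groups and resource names are invented.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed model of approval-workflow evaluation for illustration only.
# It is not Entitle's implementation; names and groups below are assumptions.


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # IdP groups the requester belongs to
    on_call: bool            # requester is on the current on-call schedule
    resource: str
    hours: int               # requested access duration


@dataclass(frozen=True)
class Rule:
    name: str
    approvers: tuple                          # abstract types, not named people
    required_groups: frozenset = frozenset()  # condition: requester in all of these
    max_request_hours: Optional[int] = None   # condition: requested duration <= this
    on_call_only: bool = False                # condition: requester is on call

    def matches(self, req: Request) -> bool:
        return (
            self.required_groups <= req.groups
            and (self.max_request_hours is None or req.hours <= self.max_request_hours)
            and (not self.on_call_only or req.on_call)
        )


@dataclass(frozen=True)
class Workflow:
    name: str
    max_hours: int      # ceiling for any single grant under this workflow
    rules: tuple        # evaluated top to bottom; the first match is applied


def route(workflow: Workflow, req: Request):
    """Return (rule name, approvers, granted hours) for the first matching rule,
    or None when no rule matches (the request cannot be routed)."""
    for rule in workflow.rules:
        if rule.matches(req):
            return rule.name, rule.approvers, min(req.hours, workflow.max_hours)
    return None


# Sample rules, most specific first: short on-call grants need only the manager,
# routine SRE work goes to the resource owner, everything else needs both.
ON_CALL = Rule("On-call incident response", ("direct manager",),
               on_call_only=True, max_request_hours=2)
SRE = Rule("SRE routine maintenance", ("resource owner",),
           required_groups=frozenset({"sre"}), max_request_hours=8)
OTHERS = Rule("All other requesters", ("direct manager", "resource owner"))

PROD_ACCESS = Workflow("Production environment access", 8, (ON_CALL, SRE, OTHERS))
# Same rules with the catch-all placed first: it matches everything, so the
# two specific rules below it can never fire.
MISORDERED = Workflow("Production environment access", 8, (OTHERS, SRE, ON_CALL))

# Constructed sample requests.
INCIDENT = Request("ana", frozenset({"sre"}), True, "prod-db", 1)
LONG_SRE = Request("ana", frozenset({"sre"}), False, "prod-db", 24)
CONTRACTOR = Request("eve", frozenset({"contractors"}), False, "prod-db", 4)

if __name__ == "__main__":
    for wf in (PROD_ACCESS, MISORDERED):
        print(wf.name, [r.name for r in wf.rules])
        for req in (INCIDENT, LONG_SRE, CONTRACTOR):
            print("  ", req.user, req.hours, "h ->", route(wf, req))
```

Two things the sample makes visible: the on-call request is routed to the single-approver rule only in the correctly ordered workflow, and the 24-hour SRE request falls past the 8-hour SRE rule to the catch-all and is still clamped to the workflow ceiling of 8 hours. A workflow with no catch-all rule returns None for an unmatched request, which is the case to watch for when you test routing in Step 4.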

Step 3: Set up birthright policies for baseline access

Some access is genuinely universal: every engineer needs read access to the code repository, and every sales team member needs access to the CRM. Birthright policies define the access a user receives automatically based on who they are. The result is consistent baseline access from day one, with no manual provisioning step.

  1. From the top left menu, select Birthright policies.
  2. Select New birthright policy and give it a name that identifies the group it applies to (for example, "Engineering — baseline access" or "Sales team — CRM read access").
  3. Define the policy scope: select the group or groups of users the policy applies to. Entitle automatically grants the defined access to any user in the selected group.
  4. Select the resources and roles to include. Keep birthright access scoped to what every member of the group genuinely needs. Anything beyond the true baseline should go through a JIT request instead.
  5. Select Save policy. Entitle provisions the defined access for all current members of the selected groups and for anyone who joins them later.
  6. Review existing birthright policies periodically. A policy that was accurate at deployment can become a source of over-provisioning if job functions change and the policy is never updated.
ℹ️ Birthright policies are evaluated and applied once daily. However, the following changes take effect immediately: creating, editing, or deleting a policy; reordering policies; changes to on-call groups; and changes to IdP groups.

Step 4: Enable JIT access for elevated and sensitive permissions

JIT access in Entitle works through the access request process. Users request access to a resource and role, the request is evaluated by the relevant approval workflow, and if approved, access is granted for the defined duration and then automatically revoked.

  1. Identify the resources and roles that represent the highest-risk standing permissions: production systems, sensitive data stores, administrative roles, and anything with write or delete capabilities.
  2. From the Integrations, resources, roles page, select the relevant resource and review its current role assignments.
  3. For each role that should not be held permanently, confirm it is governed by an approval workflow (from Step 2) with an appropriate maximum duration. Remove standing access for users who hold these roles permanently and direct them to use the JIT request process instead.
  4. Configure the access request experience for your users. Entitle supports requests through the Entitle web app, Slack, and Microsoft Teams. Meet users where they already work.
  5. Communicate the change to affected users. Explain that access to sensitive resources now requires a brief approval step, that access is time-limited, and where to submit a request.
  6. Monitor early JIT requests to confirm that workflows are routing correctly and that approval times are acceptable. Adjust workflow rules or approver assignments if requests are being delayed or routed incorrectly.

Step 5: Review and audit permissions

Even with JIT access and approval workflows in place, permissions accumulate. Users gain access through birthright policies, through JIT requests that were approved but never re-evaluated, and through external grants made directly in the source application. The Permissions page gives you a live, unified view of every permission in your environment, as a graph or as a table: who holds what, through which path, and whether any of it looks wrong.

  1. From the top left menu, select Permissions. The permissions graph displays, showing users, accounts, integrations, resources, and roles across all connected applications.
  2. Use the filters to focus on the highest-risk areas first. Start with your most sensitive integrations or most privileged roles.
  3. Review the graph for permission paths that look unexpected: users with access they don't need, accounts with no identifiable user, or indirect access chains that grant more than intended.
  4. Select Table view to search and sort permissions by user, account, integration, resource type, role, or expiration date. Use the Expiration: Never filter to surface permissions with no end date: these are your standing access candidates.
  5. For permissions that should be revoked, select the relevant rows and select Revoke selected. Review the impact summary carefully before confirming. Revoking a permission from a shared account affects all users of that account.
  6. For permissions granted through a birthright policy, revocation is temporary: Entitle reassigns the permission on the next daily policy evaluation. If the policy itself needs to change, update it in Birthright policies.
  7. Schedule a recurring access review cadence using the Access review feature. Assign reviewers to specific resources and track review completion to create an auditable record of your least-privilege posture over time.
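The review in this step is a triage: standing permissions that can simply be revoked, birthright grants where revocation will not stick and the policy must change instead, accounts with no identifiable user, and JIT grants that should already have expired but are still present (the check the Verify the results section asks for). The following Python is an added example written for this guide, not Entitle's export format or API: it parses a constructed CSV in an assumed schema (user, account, integration, resource, role, path, expiration), optionally narrows to the most sensitive integrations first, and sorts each permission into one of those buckets against a fixed reference time. All users, accounts and resources are invented.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Constructed sample export in an assumed schema (not Entitle's real export):
# one row per permission. An empty user means the account has no identifiable
# owner (for example a shared service account).
SAMPLE_EXPORT = """\
user,account,integration,resource,role,path,expiration
ana@example.com,ana@example.com,aws,prod-db,admin,external,never
ana@example.com,ana@example.com,github,org/repo,read,birthright,never
bob@example.com,bob@example.com,aws,prod-db,read-write,jit,2025-02-01T10:00:00Z
,svc-deploy,aws,prod-db,admin,external,never
carol@example.com,carol@example.com,aws,prod-db,read-write,jit,2025-03-01T10:00:00Z
dave@example.com,dave@example.com,github,org/repo,read,birthright,never
"""

# Fixed reference time so the sample is reproducible offline.
NOW = datetime(2025, 2, 15, tzinfo=timezone.utc)


def parse_export(text):
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def parse_expiration(value):
    """'never' means a standing grant (None); otherwise an ISO-8601 UTC timestamp."""
    if value == "never":
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(rows, now=NOW, sensitive_integrations=None):
    """Sort permissions into action buckets. Each entry is the tuple
    (account, integration, resource, role) identifying the grant."""
    plan = {
        "revoke": [],               # standing grant on a real user: revoke, route via JIT
        "fix_policy": [],           # standing birthright grant: change the policy, not the grant
        "investigate_account": [],  # no identifiable user behind the account
        "revocation_failed": [],    # JIT grant past its expiration but still present
    }
    for row in rows:
        if sensitive_integrations and row["integration"] not in sensitive_integrations:
            continue  # focus on the highest-risk integrations first
        key = (row["account"], row["integration"], row["resource"], row["role"])
        expiration = parse_expiration(row["expiration"])
        if not row["user"]:
            plan["investigate_account"].append(key)
        elif expiration is None and row["path"] == "birthright":
            plan["fix_policy"].append(key)
        elif expiration is None:
            plan["revoke"].append(key)
        elif expiration <= now:
            plan["revocation_failed"].append(key)
        # Otherwise: an active JIT grant that will expire on its own; nothing to do.
    return plan


if __name__ == "__main__":
    for bucket, grants in triage(parse_export(SAMPLE_EXPORT)).items():
        print(bucket)
        for grant in grants:
            print("  ", grant)
```

The ordering of the checks matters: an ownerless account is flagged before its expiration is considered, because revoking from a shared account affects every user of it and needs a human decision first, and a birthright grant is separated from other standing grants because revoking it directly only lasts until the next policy evaluation. Anything that lands in revocation_failed is a grant whose automatic expiry did not reach the source application and should be investigated before the next review cycle.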

Verify the results

Confirm that your integrations show discovered resources and roles, that at least one approval workflow is assigned to a resource, and that access requests submitted through the Entitle app, Slack, or Teams route to the correct approvers. After your first JIT access grant expires, verify that access was automatically revoked in the source application.

Next steps

  • Access review — Set up scheduled reviews to keep permissions clean over time.
  • Audit log — Review a record of all access requests, approvals, and access changes in your environment.

Related resources

Take it further with Identity Security Insights

If your organization also uses Identity Security Insights, risk and sensitivity indicators appear directly in the Entitle permissions graph, surfacing which users carry elevated risk scores based on their behavior and entitlement profile. This lets you prioritize which permissions to investigate first, rather than manually working through every overprivileged account. See Risk and sensitivity indicators for setup and usage.

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.