DocumentationAPI ReferenceRelease Notes
Documentation

Just-in-time (JIT) access management | EPM-WM Cloud

What is just-in-time access management?

Just-in-Time (JIT) access is a privileged access model in which elevated permissions are provided only when needed, for the minimum duration required, and are revoked automatically when the session ends or the time limit expires. This contrasts with traditional models in which users are permanently members of the local Administrators group on their workstations.

In BeyondTrust EPM for Windows and Mac, JIT access covers two distinct use cases:

  • JIT Application Access: Elevating the privileges of a specific application (such as an installer or configuration tool) without granting the user full administrator rights on the computer.
  • JIT Admin Access: Temporarily granting a user full local administrator rights on their endpoint for a defined period, subject to a request and approval workflow.

What is a use case for JIT access management?

An example use case is controlling application access for your general application rules, such as those matching Any Application or Any UAC Prompt.

In a policy, creating a JIT Application Request message type requires the users to add a reason for access. The approver reviews the request and can either approve (for a limited time period) or deny the access based on that information.

ℹ️

To manage JIT access requests, you need one of the following:

  • Administrator or Request Manager role
  • Manage Application Access Requests permission (application requests)
  • Manage Admin Access Requests permission (admin requests)

For more information, see User management.

JIT access management workflow

  1. Activate the user request service in Configuration.
Settings to configure JIT application access
  1. Create a policy with a message type JIT Application Request.
  2. Add the policy to a computer group.
  3. Set the permissions for the users that will manage approvals. Select custom permissions or use the Manage Request role.
  4. After the policy and ticket system are configured and ready for use, the administrator can review and approve the requests in EPM.

Updated 4 days ago

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.