DocumentationAPI ReferenceRelease Notes
Log In
Documentation

JIT Access Management

Suggest Edits

What is just-in-time access management?

Just-in-time ( JIT) access management is a ticket system that provides a way for you to manage user requests that require an approval from an administrator.

What is a use case for JIT access management?

An example use case is controlling application access for your general application rules, such as those matching Any Application or Any UAC Prompt.

In a policy, creating a JIT Application Request message type requires the users to add a reason for access. The approver reviews the request and can either approve (for a limited time period) or deny the access based on that information.

JIT access management workflow

  1. Activate the user request service in Configuration.
  2. Create a policy with a message type JIT Application Request.
  3. Add the policy to a computer group.
  4. Set the permissions for the users that will manage approvals. Select custom permissions or use the Manage Request role.
  5. After the policy and ticket system are configured and ready for use, the administrator can review and approve the requests in EPM.

JIT Access Management page

Use the JIT Access Management page to view user requests if you are using the ticket system.

  1. Administration menu: Access Pathfinder administration pages if you are assigned as an administrator.
  2. Header: Enter keywords to run a global search across computer groups, policies, computers, and users, view your notifications, change your site language, change your time zone.
  1. Filters: Click the drop arrow to select a filter type. The selected filter displays to the left of the drop-down.

  • Clear Filters: Click to remove all filters and search results

  • Decision filters
    • Approved: Filter by requests approved.
    • Denied: Filter by requests denied.
    • Pending: Filter by requests in a pending state.
  1. List options: Click to refresh the list, Download icon in [%=Products.PMAb%] SaaS. to download the list to a .csv file, and to select which columns to display on the page.
  2. Ticket list columns: Not all columns display in the image above.
  • Column names
    • Ticket Number: The ticket number.
    • Ticket Type: or ServiceNow.
    • Decision: The decision on the request, approved or denied.
    • Product Name: The name of the application the user wants to access.
    • Reputation Score: The reputation score.
    • User: The user requesting access.
    • Computer Name: The computer where the request was initiated.
    • Reason: The reason provided by the user.
    • Requested on: The date the user submitted the request.
    • Decision Performed By: The user who managed the request.
    • File Path Object ID: The location of the application.
    • Publisher: The publisher on the application.
    • Application Type: The type of application
    • Product Version: The version of the application.
    • File version: The file version of the application.
    • Message: The message defined in the policy.
    • Product Description: A description of the application, if available.
    • COM Display Name: The COM name used by the application.
  1. List navigation options: Navigate in the JIT Access Management list.

Manage JIT Admin access requests

Approve or deny JIT Admin access requests on the JIT Access Management page.

Managing JIT Admin access requests requires special permissions. Assign the following permissions when creating the user account or assign the Admin role:

  • AdminAccessRequestApprover
  • AdminAccessRequestViewer

📘

For more information about JIT admin access, see JIT Admin access settings.

To access JIT Admin access:

  1. From the top left of the page, click Menu button > Endpoint Privilege Management for Windows and Mac > JIT Access Management. The Just-in-Time (JIT) Access Management page displays.
  2. Select the Admin Access Requests tab.
  3. Review the requests.
  4. Click for a request to access the approve and deny options.

Set a request already approved to deny if the session is no longer required or approved in error.

Manage requests on the endpoint app

On the endpoint app:

  • Users can request a session duration between 5 minutes and 24 hours. The approver sets the session duration during the approval process.
  • Users can have only one request open at a time.
  • Notifications are issued when 5 minutes and 1 minute remain in the session. The user is logged off the session when the time expires.
  • Users can select End Session to close the session before the allocated session time passes.

View ticket details

Review the request details before deciding to approve or deny the request. The details include information about the policy and application information.

To view details and approve the request:

  1. From the top left of the page, click Menu button > Endpoint Privilege Management for Windows and Mac > JIT Access Management. The Just-in-Time (JIT) Access Management page displays.
  2. Find the request in the list.
  3. Click > View Details.
  4. Add information about your decision in the Notes section.
  5. Select approve or deny.

Approve user requests

In the user request workflow, you can restrict access to application requests. On an approved request, EPM SaaS users with the Manage Request role can set a duration in the ticket. The duration is the length of time the user can use the application before the approval automatically expires.

Access time limit can be one of the following:

  • Once: Permits access to the application only one time.
  • Hour: Enter the number of hours the user will be permitted access, between 1 and 24.
  • Day: Enter a day between 1 and 31.
  • Month: Enter a month between 1 and 12.

After the time expires, the user can no longer access that application. The user must go through the request workflow again, with the EPM SaaS users with the Manage Request role approving and selecting a duration time for access.

Permissions must be assigned to users managing user requests.

To approve a user request:

  1. From the top left of the page, click Menu button > Endpoint Privilege Management for Windows and Mac > JIT Access Management. The Just-in-Time (JIT) Access Management page displays.
  2. Find the request in the list.
  3. Click > Approve Request.
  4. Select a duration.
  5. Select Approve Request.
  6. Provide information for the reason of your decision.

Updated 24 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.