Enable Just-in-Time elevation and provisioning

After deploying AD PAM in your environment, you can enable Just-in-Time elevation and provisioning to grant temporary privileged access on demand.

Just-in-Time elevation

  1. Add the permission to create user groups to your PAM domain provider account in AD.

  2. Identify the user groups in AD you would like to be available for Just-in-Time elevation.

  3. Edit your PAM domain provider.

  4. Select the JIT privilege elevation section on the left menu.

  5. Select the user group identified earlier.

  6. If you would like to limit the JIT access to specific accounts, click Enable Privilege Sets.

  7. Add a prefix to the group name, such as DVLS-JIT-.

  8. Select a location for the temporary groups to be created.

  9. If you have multiple domain controllers (DCs), configure Replication latency to give JIT changes enough time to replicate across all DCs.

  10. Click Save.
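
A check to run after the steps above, as an added example that is not part of the Devolutions documentation: it queries every DC for groups carrying the configured prefix, so you can see whether the replication latency is long enough and which temporary groups are older than a threshold you choose. The OU path and the review threshold are placeholders, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the Devolutions documentation.
# Assumptions: RSAT ActiveDirectory module; $SearchBase and $ReviewAfter are
# placeholders; $Prefix is the sample prefix from step 7.
Import-Module ActiveDirectory

$Prefix      = 'DVLS-JIT-'
$SearchBase  = 'OU=JIT-Temp,DC=example,DC=com'   # placeholder: location from step 8
$ReviewAfter = New-TimeSpan -Hours 8             # placeholder review threshold

$now = Get-Date
$dcs = @(Get-ADDomainController -Filter *)

# Ask every DC separately so replication gaps become visible.
$seen = @(foreach ($dc in $dcs) {
    try {
        Get-ADGroup -Server $dc.HostName -SearchBase $SearchBase `
            -Filter "Name -like '$Prefix*'" -Properties whenCreated, member `
            -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Group   = $_.Name
                    DC      = $dc.HostName
                    Created = $_.whenCreated
                    Members = @($_.member).Count
                }
            }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
})

# One row per temporary group: age, member count, and DCs that lack it.
foreach ($g in ($seen | Group-Object Group)) {
    $onDcs   = @($g.Group.DC)
    $created = ($g.Group | Sort-Object Created | Select-Object -First 1).Created
    [pscustomobject]@{
        Group       = $g.Name
        AgeHours    = [math]::Round(($now - $created).TotalHours, 1)
        Members     = ($g.Group | Measure-Object Members -Maximum).Maximum
        NeedsReview = ($now - $created) -gt $ReviewAfter
        MissingOn   = @($dcs.HostName | Where-Object { $_ -notin $onDcs }) -join ', '
    }
}
```

A non-empty MissingOn value for a group created longer ago than the configured Replication latency suggests the latency setting is too short for your topology.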

Just-in-Time provisioning

  1. Add the permission to create and delete users to your PAM domain provider account in AD.

  2. Edit your PAM domain provider.

  3. Open the JIT privilege elevation tab.

  4. Select the user group identified earlier.

  5. Select a location for the temporary users to be created.

  6. If you have multiple Domain controllers (DCs), configure Replication latency to give JIT changes enough time to replicate across all DCs.

  7. Click Save.

  8. In your PAM vault, add a new domain user.

  9. Enter the username for the account.

  10. Check the Just-In-Time (JIT) account check box.

  11. Click Save.
