Just-In-Time (JIT) Access
JIT access refers to granting users or systems temporary access to resources only when needed, for a limited time, and with minimal permissions necessary to complete a task. This access expires automatically, reducing the risk of unauthorized actions or lingering elevated permissions.
Key Features:
- Temporary Access: Permissions are provided only for a defined duration.
- Least Privilege: Users are granted only the permissions required to perform a specific task.
- Auditable: All actions performed during the JIT access period are logged for accountability.
- Automated Expiry: Permissions are revoked automatically after the time window or task completion.
Use Cases:
- Privileged Account Management: Grant administrators access to sensitive systems only during maintenance or troubleshooting.
- DevOps: Provide developers temporary access to production environments during deployments.
- Cloud Administration: Temporary elevated permissions for managing cloud resources in Azure or AWS.
Example in Azure:
Azure Active Directory’s Privileged Identity Management (PIM) supports JIT by allowing admins to:
- Activate roles only when needed.
- Specify access duration.
- Enforce MFA for role activation.
Just Enough Administration (JEA)
JEA is a security feature that limits the administrative privileges of users or systems to the bare minimum required to perform specific tasks, following the principle of least privilege. It is commonly implemented in Windows environments, especially for PowerShell-based administration.
Key Features:
- Task-Specific Permissions: Users perform administrative tasks without full admin rights.
- Role Definitions: Permissions are defined through roles or session configurations in PowerShell.
- Auditing: Every command executed in a JEA session is logged.
- Restricted Environments: Users operate in a constrained environment with access to only approved cmdlets and parameters.
Use Cases:
- IT Helpdesk: Allowing support staff to reset passwords or unlock accounts without full domain admin rights.
- Server Administration: Delegating tasks like service restarts or application updates without giving full server access.
- Compliance: Enforcing strict access controls for sensitive systems while maintaining usability.
Example in PowerShell:
A JEA configuration defines:
- Role Capabilities: A list of tasks the user can perform, such as restarting services or managing specific files.
- Session Configuration: A PowerShell session that enforces the defined role capabilities.
# Sample Role Capability File
New-PSRoleCapabilityFile -Path "C:\Program Files\WindowsPowerShell\Modules\MyJEARole\MyJEARole.psrc" -VisibleCmdlets 'Get-Service', 'Restart-Service'
# Register a JEA Session
Register-PSSessionConfiguration -Name "MyJEASession" -RoleDefinitions @{ 'Contoso\HelpDesk' = @{ RoleCapabilities = 'MyJEARole' } }
Comparison of JIT and JEA
| Feature | Just-In-Time (JIT) | Just Enough Administration (JEA) |
|---|---|---|
| Purpose | Temporary access for specific tasks. | Minimal permissions for task-specific administration. |
| Access Duration | Time-bound; permissions expire automatically. | Persistent but limited to specific tasks. |
| Scope | Broader; applies to roles or access to systems/resources. | Narrow; limits access to specific PowerShell cmdlets. |
| Implementation | Managed through identity platforms (e.g., Azure AD PIM). | Configured via PowerShell session and role definitions. |
| Use Cases | Cloud admin, DevOps, emergency access. | IT Helpdesk, server administration, compliance. |
| Key Benefit | Reduces standing privileges and attack surface. | Prevents misuse of administrative rights in Windows systems. |
How They Work Together:
- JIT focuses on the duration of access, ensuring no one retains privileges longer than necessary.
- JEA ensures users have only the specific permissions they need to perform their duties, even during their JIT access window.
For example, an admin using JIT to access a server might only have permissions defined through JEA, such as restarting services but not modifying critical configurations. This combination provides robust security and operational control.