UseCase14_JIT_Elevation - sandersdHES/PAMEmergingTech GitHub Wiki

6.14 Configuring Just-in-Time (JiT) Privilege Elevation

Objective

This use case demonstrates how to use Just-In-Time (JIT) privilege elevation in PAM360 to grant users temporary administrative rights on a Windows or Domain resource. This helps minimize persistent admin privileges and reduces the attack surface.

Context

In traditional environments, users often retain permanent admin access to systems, which increases the risk of privilege misuse or compromise. JIT access solves this by:

Providing elevated access only when needed

Automatically revoking access after a defined time window

Keeping full auditability and approval workflows

This aligns with Zero Trust and least-privilege access best practices.

[Video: Configuring JIT in PAM360](https://www.youtube.com/watch?v=4GP7mXXdxyA) · [Official Guide](https://www.manageengine.com/privileged-access-management/just-in-time-privilege-elevation.html)

Prerequisites

  • Administrator access to PAM360

  • A configured Windows Server or Domain resource in PAM360

  • An existing Access Control Policy (if using approval workflow)

  • A user account to elevate during the session

Step 1: Go to the Target Resource in PAM360

  1. Navigate to the Resources tab

  2. Locate your Windows or Domain-joined machine

  3. Click the Action icon (⋮) next to the resource

  4. Select Configure > Access Control

Step 2: Enable Just-In-Time Privilege Elevation

  1. In the Access Control window, go to the Privilege Elevation tab

  2. Check the box “Elevate account by adding it to local/security groups”


This tells PAM360 to temporarily add the account to a Windows security group during an approved access session.

Step 3: Select the Groups for Elevation

A list of local or domain security groups will appear. Select one or more groups such as:

  • Administrators

  • Remote Desktop Users

  • Any custom high-privilege group


These groups define what elevated rights the user will gain during their session.

Step 4: Assign an Admin Account for Elevation Execution

Select an administrator account that PAM360 will use to:

  • Add the requesting user to the selected group(s)

  • Remove them automatically after the session ends

The account must have permission to manage group membership on the resource.


This step ensures automation of the elevation process.

What Happens During a JIT Session?

  1. A user requests access to a shared resource (e.g., a Windows server)

  2. If Access Control is enabled, the request goes to the admin for approval

  3. Once approved, PAM360:

     • Adds the user to the designated privileged group

     • Starts a timed session

     • Revokes access (removes the user from the group) once the session ends or is checked in
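The following PowerShell script is an added example that is not part of this wiki page or of PAM360's own code. It emulates, on a single Windows host, the three-step flow described above (add to group, timed window, remove from group) using the built-in Microsoft.PowerShell.LocalAccounts cmdlets, then verifies that the membership really was reverted and pulls the matching Security-log events so an approver can reconcile them against the PAM360 session record. The user name `jdoe`, the group `Administrators` and the 15-minute window are hypothetical placeholders; for a domain group you would use `Add-ADGroupMember`/`Remove-ADGroupMember` from the ActiveDirectory module instead.

```powershell
# Added example, not PAM360's own code: emulates the group-membership JIT flow on a
# Windows host and then verifies that the elevation was actually reverted.
# Run in an elevated session on a host with the Microsoft.PowerShell.LocalAccounts
# module (Windows 10 / Server 2016 and later). All names below are placeholders.

param(
    [string]$User    = 'jdoe',            # account to elevate (placeholder)
    [string]$Group   = 'Administrators',  # local security group to join
    [int]   $Minutes = 15                 # session window (PAM360 enforces this server-side)
)

function Test-GroupMember {
    param([string]$Group, [string]$User)
    # Member names come back as 'HOST\user' or 'DOMAIN\user'; compare the SAM part only.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    return [bool]($members | Where-Object { ($_.Name -split '\\')[-1] -ieq $User })
}

function Grant-JitMembership {
    param([string]$Group, [string]$User)
    if (Test-GroupMember -Group $Group -User $User) {
        # A standing membership is exactly what JIT is meant to eliminate, so refuse
        # rather than silently "elevate" an account that is already privileged.
        throw "$User is already a standing member of $Group; nothing to elevate."
    }
    Add-LocalGroupMember -Group $Group -Member $User -ErrorAction Stop
    Write-Host ("{0:u} GRANT  {1} -> {2}" -f (Get-Date), $User, $Group)
}

function Revoke-JitMembership {
    param([string]$Group, [string]$User)
    if (Test-GroupMember -Group $Group -User $User) {
        Remove-LocalGroupMember -Group $Group -Member $User -ErrorAction Stop
        Write-Host ("{0:u} REVOKE {1} <- {2}" -f (Get-Date), $User, $Group)
    }
}

function Get-GroupChangeEvents {
    param([datetime]$Since)
    # 4732 = member added to a security-enabled local group, 4733 = member removed.
    # Requires the 'Audit Security Group Management' subcategory to be enabled on the host.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

$start = Get-Date
try {
    Grant-JitMembership -Group $Group -User $User
    # Stand-in for the PAM360 session timer / check-in.
    Start-Sleep -Seconds ($Minutes * 60)
}
finally {
    # Always revoke, even if the session is interrupted (Ctrl+C or an error).
    Revoke-JitMembership -Group $Group -User $User
}

# Verification: fail loudly if the account is still privileged after the window.
if (Test-GroupMember -Group $Group -User $User) {
    throw "Revocation failed: $User is still a member of $Group."
}
Write-Host "Verified: $User is no longer a member of $Group."

# Audit trail to reconcile against the PAM360 approval and session record.
Get-GroupChangeEvents -Since $start | Format-Table -AutoSize
```

The `try`/`finally` is the important design choice: revocation must not depend on the happy path completing, which is the same guarantee PAM360 provides by tying removal to session end or check-in. The final membership check and the 4732/4733 event pull are what an auditor would use to confirm that no standing privilege was left behind.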

Conclusion

This use case illustrates how PAM360 enables Just-In-Time (JIT) privilege elevation:

  • Provides temporary admin access only when needed
  • Automatically revokes access after a defined period
  • Reduces the attack surface by minimizing persistent privileges
  • Maintains full auditability and approval workflows
  • Aligns with Zero Trust and least-privilege access best practices