Solutions Guide

Just-in-Time Access

Configure time-bound access with approval workflows. Eliminate standing privileges and reduce your attack surface by 90% or more.

Estimated time: 20 minutes

How JIT Access Works

  • Request: the user requests access with a duration and a reason
  • Notify: approvers receive a notification in Slack/Teams
  • Approve: one-click approval from mobile or desktop
  • Access: a certificate is issued and access is granted automatically

Configuration Steps

1. Configure Access Lists

Define who can request access to which resources.

tacctl create -f - <<EOF
kind: access_list
metadata:
  name: production-databases
spec:
  title: "Production Database Access"
  owners:
    - name: sre-team
      description: "SRE team manages production access"
  grants:
    roles: [db-admin]
  audit:
    frequency: monthly
EOF

2. Set Up Approval Workflows

Configure multi-level approval chains for sensitive resources.

tacctl create -f - <<EOF
kind: access_request
metadata:
  name: prod-approval-policy
spec:
  roles: [db-admin, ssh-admin]
  thresholds:
    - approve: 1
      deny: 1
  suggested_reviewers:
    - team: sre-team
    - team: security
EOF

3. Integrate with Slack

Enable one-click approvals directly in Slack.

tacctl plugins install slack \
  --token=${SLACK_BOT_TOKEN} \
  --channel=#access-requests

4. Configure Auto-Approval Rules

Automatically approve low-risk access requests.

tacctl create -f - <<EOF
kind: access_list
metadata:
  name: dev-environment
spec:
  title: "Development Access"
  auto_approve:
    max_duration: 8h
    allowed_roles: [developer]
    resource_labels:
      env: dev
EOF

5. Request Access

Users can request access via CLI, web UI, or API.

# Request access to production database
tac request access prod-db-1 --duration=4h --reason="Investigating incident INC-1234"

# Check request status
tac request status

# List approved access
tac request list --status=approved

Tiered Approval Configuration

Example: Environment-Based Approvals

# Access policies with tiered approvals. Each tier is its own role, because a
# single YAML mapping cannot carry the "request" key three times; the role
# names other than production-access are placeholders.
kind: role
metadata:
  name: development-access
spec:
  allow:
    # Development - auto-approve
    request:
      roles: [dev-access]
      max_duration: 8h
---
kind: role
metadata:
  name: production-access
spec:
  allow:
    # Production - requires approval
    request:
      roles: [prod-access]
      thresholds:
        - approve: 1
          deny: 1
      suggested_reviewers:
        - team: platform-team
      max_duration: 4h
---
kind: role
metadata:
  name: sensitive-data-access
spec:
  allow:
    # Sensitive data - 2-level approval
    request:
      roles: [pii-access]
      thresholds:
        - approve: 2
          deny: 1
      suggested_reviewers:
        - team: security
        - team: compliance
      max_duration: 2h
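The following is an added example, not the product's own code, that models how the auto-approval rule from step 4 and the tiered thresholds above behave once a request is submitted: a request is capped at the tier's max_duration, auto-approved only when the target resource's labels match, granted when the number of distinct approvals reaches the threshold, rejected on the first denial, and expired after its TTL. The tier table mirrors the page's thresholds, max_duration and auto_approve keys as Python dicts; the class and function names, the self-review check and the sample clock are assumptions made for illustration.

```python
"""Toy model of the request -> approve -> access -> expire flow.

Added example; the policy shapes follow the page, the evaluation logic and
names are illustrative assumptions rather than the product's implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# One entry per tier of the example policy. "approve" is the number of distinct
# approvals that grant access, "deny" the number of denials that reject it, and
# "max_duration" the longest TTL a request may ask for.
TIERS = {
    "dev-access": {
        "approve": 1, "deny": 1, "max_duration": timedelta(hours=8),
        # Auto-approval rule as in step 4: dev-labelled resources need no reviewer.
        "auto_approve": {"resource_labels": {"env": "dev"}},
    },
    "prod-access": {"approve": 1, "deny": 1, "max_duration": timedelta(hours=4)},
    "pii-access": {"approve": 2, "deny": 1, "max_duration": timedelta(hours=2)},
}

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample clock


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass
class AccessRequest:
    user: str
    role: str
    resource_labels: Dict[str, str]
    duration: timedelta
    reason: str
    state: str = "pending"            # pending | approved | denied
    expires: Optional[datetime] = None
    approvals: Set[str] = field(default_factory=set)
    denials: Set[str] = field(default_factory=set)


def _grant(req: AccessRequest, now: datetime) -> None:
    """Issue the time-bound grant; the TTL starts when access is granted."""
    req.state = "approved"
    req.expires = now + req.duration


def submit(user, role, resource_labels, duration, reason, now) -> AccessRequest:
    """Create a request, enforcing the tier's TTL cap and applying auto-approval."""
    tier = TIERS[role]
    if duration > tier["max_duration"]:
        raise ValueError(f"{role}: {duration} exceeds max_duration {tier['max_duration']}")
    if not reason.strip():
        raise ValueError("a reason is required for the audit trail")
    req = AccessRequest(user, role, dict(resource_labels), duration, reason)
    rule = tier.get("auto_approve")
    # Auto-approve only when every label required by the rule matches the resource.
    if rule and all(resource_labels.get(k) == v for k, v in rule["resource_labels"].items()):
        _grant(req, now)
    return req


def review(req: AccessRequest, reviewer: str, decision: str, now: datetime) -> str:
    """Record one reviewer's decision and return the resulting request state."""
    if req.state != "pending":
        raise ValueError(f"request is already {req.state}")
    if reviewer == req.user:
        raise ValueError("requesters may not review their own request")
    tier = TIERS[req.role]
    if decision == "deny":
        req.denials.add(reviewer)
        if len(req.denials) >= tier["deny"]:
            req.state = "denied"
    elif decision == "approve":
        req.approvals.add(reviewer)   # a set, so the same reviewer counts once
        if len(req.approvals) >= tier["approve"]:
            _grant(req, now)
    else:
        raise ValueError(f"unknown decision {decision!r}")
    return req.state


def is_active(req: AccessRequest, now: datetime) -> bool:
    """True while an approved grant has not yet passed its TTL."""
    return req.state == "approved" and req.expires is not None and now < req.expires


if __name__ == "__main__":
    r = submit("alice", "pii-access", {"env": "prod"}, hours(2), "Investigating INC-1234", T0)
    print(review(r, "bob", "approve", T0))          # pending: tier needs 2 approvals
    print(review(r, "carol", "approve", T0))        # approved
    print(is_active(r, T0 + hours(1)), is_active(r, T0 + hours(3)))  # True False
```

Two design points worth noting: the TTL is anchored at grant time rather than request time, so a request that waits an hour for approval still gets its full window, and approvals are tracked per reviewer, so a two-level tier cannot be satisfied by one reviewer clicking twice.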

JIT Access Enabled

With JIT access configured, your organization benefits from:

  • Zero standing privileges to production systems
  • Self-service access requests with approval workflows
  • Automatic access expiration after TTL
  • Complete audit trail for compliance