[FEATURE][AUTH]: Just-in-time (JIT) access and temporary privilege elevation #2227
Status: Open
Labels: SHOULD, P2 (Important but not vital; high-value items that are not crucial for the immediate release), enhancement (New feature or request), python (Python / backend development, FastAPI), security (Improves security), sweng-group-5 (Group 5 - Policy-as-Code Security & Compliance Automation), tcd (SwEng Projects)
⏱️ Feature: Just-in-Time (JIT) Access & Temporary Privilege Elevation
Goal
Implement a Just-in-Time (JIT) Access system that allows temporary privilege elevation with approval workflows, automatic expiration, and enhanced auditing for incident response and least-privilege compliance.
Why Now?
- Least Privilege: Standing elevated access violates least privilege principles
- Incident Response: Engineers need temporary access during incidents without permanent elevation
- Compliance: FedRAMP AC-6 and HIPAA require demonstrable least privilege
- Audit Requirement: All elevated access must be justified and tracked
- Break-Glass Scenarios: Need controlled emergency access with full audit trails
📖 User Stories
US-1: Developer - Request Elevated Access
As a Developer
I want to request temporary elevated access
So that I can respond to a production incident
Acceptance Criteria:
Given I need temporary admin access:
When I request JIT access:
```http
POST /jit/request
{
  "role": "incident-responder",
  "duration_hours": 4,
  "reason": "INC-1234: Production database performance issue",
  "ticket_url": "https://jira.example.com/INC-1234"
}
```
Then:
- Request is submitted for approval
- Approver is notified
- I receive request ID for tracking
And when approved:
- I immediately gain elevated privileges
- Access expires after 4 hours
- All actions are logged with enhanced detail

US-2: Security Admin - Approve JIT Request
As a Security Administrator
I want to approve or deny JIT access requests
So that I can control elevated access
Acceptance Criteria:
Given a JIT request is pending:
When I review the request:
Then I see:
- Requester identity and normal permissions
- Requested role and duration
- Justification and linked ticket
- Risk assessment (which new permissions would be granted)
And I can:
- Approve with optional scope reduction
- Deny with reason
- Request additional justification

US-3: Security Team - Monitor JIT Access Usage
As a Security Team Lead
I want to monitor all JIT access usage
So that I can detect misuse
Acceptance Criteria:
Given JIT access is granted:
Then:
- Real-time alerts when JIT access is used
- All actions logged with JIT context
- Dashboard shows active JIT grants
- Alerts on unusual activity during JIT sessions
And when JIT expires:
- Access is immediately revoked
- Session summary is generated

🏗 Architecture
JIT Access Flow
```mermaid
sequenceDiagram
    participant User as User
    participant JIT as JIT Service
    participant Approver as Approver
    participant PDP as Policy Engine
    participant Audit as Audit Log

    User->>JIT: Request elevated access
    JIT->>JIT: Validate request
    JIT->>Approver: Send approval notification
    alt Approved
        Approver->>JIT: Approve request
        JIT->>JIT: Activate grant (set expiry)
        JIT->>PDP: Register temporary permissions
        JIT->>Audit: Log grant activation
        JIT->>User: Access granted (4 hours)
        loop During grant period
            User->>PDP: Access request
            PDP->>PDP: Check JIT grants
            PDP->>Audit: Log with JIT context
        end
        JIT->>JIT: Timer expires
        JIT->>PDP: Revoke temporary permissions
        JIT->>Audit: Log grant expiration
        JIT->>User: Access expired notification
    else Denied
        Approver->>JIT: Deny with reason
        JIT->>Audit: Log denial
        JIT->>User: Request denied
    end
```
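The grant lifecycle above (validate, approve with optional scope reduction, active window, expiry that the PDP enforces even if the scheduler is late), as an added illustration that is not part of this issue or the project's code. `ROLE_PERMISSIONS`, `MAX_DURATION_HOURS` and the `JitGrant` fields are assumptions modelled on the grant schema and configuration example in this issue:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
# Constructed values mirroring the issue's configuration and role examples.
MAX_DURATION_HOURS = 8
ROLE_PERMISSIONS = {"incident-responder": {"servers.admin", "tools.admin", "logs.read"}}

@dataclass
class JitGrant:  # subset of the JIT grant schema fields
    id: str
    requester_email: str
    granted_role: str
    justification: str
    duration_hours: int
    granted_permissions: set = field(default_factory=set)
    status: str = "pending"  # pending -> active -> expired | denied | revoked
    starts_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None
    approved_by: Optional[str] = None

def request_grant(gid, email, role, hours, reason):
    """Validate a request against policy before it enters the approval queue."""
    if role not in ROLE_PERMISSIONS or not reason.strip() or not 0 < hours <= MAX_DURATION_HOURS:
        raise ValueError("request rejected by JIT policy")
    return JitGrant(gid, email, role, reason, hours)

def approve(grant, approver, now, scope=None):
    """Activate the grant; `scope` lets the approver reduce the role's permissions."""
    full = ROLE_PERMISSIONS[grant.granted_role]
    grant.granted_permissions = full & set(scope) if scope else set(full)
    grant.approved_by, grant.status = approver, "active"
    grant.starts_at, grant.expires_at = now, now + timedelta(hours=grant.duration_hours)
    return grant

def effective_permissions(grant, now):
    """Permissions the PDP should add for the requester at time `now`."""
    if grant.status == "active" and now >= grant.expires_at:
        grant.status = "expired"  # lazy expiry so a late scheduler cannot extend access
    return grant.granted_permissions if grant.status == "active" else set()

def demo():
    """Walk the INC-1234 scenario from US-1: a 4-hour grant checked at 3h and at 4h."""
    t0 = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)  # constructed timestamp
    g = request_grant("jit-1", "developer@example.com", "incident-responder", 4,
                      "INC-1234: Production database performance issue")
    approve(g, "security-admin@example.com", t0, scope={"servers.admin", "logs.read"})
    during = effective_permissions(g, t0 + timedelta(hours=3))
    after = effective_permissions(g, t0 + timedelta(hours=4))
    return sorted(during), sorted(after), g.status
```

Note that `tools.admin` never appears in the effective set because the approver narrowed the scope, and that the permission check itself flips the grant to `expired` at the boundary.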
JIT Grant Schema
```json
{
  "id": "jit-uuid",
  "requester_email": "developer@example.com",
  "requester_normal_roles": ["developer"],
  "granted_role": "incident-responder",
  "granted_permissions": [
    "servers.admin",
    "tools.admin",
    "logs.read"
  ],
  "justification": "INC-1234: Production database issue",
  "ticket_url": "https://jira.example.com/INC-1234",
  "approved_by": "security-admin@example.com",
  "approved_at": "2024-01-15T10:00:00Z",
  "starts_at": "2024-01-15T10:00:00Z",
  "expires_at": "2024-01-15T14:00:00Z",
  "status": "active",
  "actions_taken": 47,
  "revoked_by": null,
  "revoke_reason": null
}
```

📋 Implementation Tasks
- Create JIT service with grant management
- Implement JIT request API
- Implement approval workflow
- Add automatic expiration with scheduler
- Integrate with PDP for temporary permissions
- Add enhanced audit logging for JIT actions
- Implement notification system (email, Slack, webhook)
- Create break-glass emergency access (bypass approval)
- Add Admin UI:
  - Request submission form
  - Approval queue
  - Active grants dashboard
  - JIT audit viewer
- Write unit tests
- Create documentation
- Pass `make verify` checks
⚙️ Configuration Example
```yaml
jit_access:
  enabled: true

  # Request settings
  max_duration_hours: 8
  default_duration_hours: 4
  require_justification: true
  require_ticket_url: false

  # Approval
  require_approval: true
  approver_roles:
    - security-admin
    - platform-admin
  auto_approve_for_roles: []  # Roles that don't need approval
  approval_timeout_hours: 24

  # Break-glass (emergency)
  break_glass:
    enabled: true
    require_mfa: true
    notify_security_team: true
    max_duration_hours: 2

  # Expiration
  expiration_warning_minutes: 15
  auto_extend: false
  max_extensions: 0

  # Notifications
  notifications:
    on_request: true
    on_approval: true
    on_activation: true
    on_use: true
    on_expiration: true
    channels:
      - email
      - slack

  # Audit
  enhanced_audit: true
  session_summary: true
```

✅ Success Criteria
- JIT request and approval workflow functional
- Automatic expiration working
- PDP integration for temporary permissions
- Enhanced audit logging for JIT sessions
- Break-glass emergency access
- Notifications on key events
- Admin UI for JIT management
- Session summary generation
- 80%+ test coverage
🔗 Related Issues
- [EPIC][SECURITY]: Policy-as-code security and compliance automation platform #2222 - Epic: Policy-as-Code Security & Compliance Platform
- [FEATURE][POLICY]: Unified policy decision point (PDP) - Cedar/OPA/native abstraction #2223 - Unified Policy Decision Point
- [EPIC][SECURITY]: Security clearance levels plugin - Bell-LaPadula MAC implementation #1245 - Security Clearance Levels Plugin (MAC integration)
📚 References