JIT Access Platform
What Is the JIT Access Platform?
The JIT (Just-In-Time) Access Platform provisions temporary, scoped Non-Human Identities (NHIs) via approval and policy flow, with enhanced auditing and access trail.
It supports Azure, AWS, and GitHub, and requires additional onboarding outside SailPoint Entro's main platform. Its main goal is to replace standing access with time-bound credentials.
Instead of long-lived service accounts with permanent permissions, teams request:
-
Temporary credentials
-
Specific permissions
-
Explicit expiry
The platform has two interfaces:
-
JIT Portal: request, approve, and manage from a UI.
-
JIT MCP Server: request and manage programmatically from AI agents.
Key Capabilities
Multi-cloud support
-
Azure: temporary App Registrations with RBAC roles and Graph API permissions.
-
AWS: temporary IAM Users or IAM Roles (STS session credentials).
-
GitHub: temporary GitHub App installation tokens with scoped repo permissions.
Credential lifecycle management
-
Request: users or agents request credentials with scope and expiry.
-
Approve / reject: admins review, unless automation handles it.
-
Rotate: generate new credentials for an approved request.
-
Revoke: invalidate credentials before expiry.
-
Delete NHI: remove the cloud identity and associated credentials.
Automation policies & evaluation
-
Auto-approve for safe request patterns.
-
Auto-decline for dangerous patterns.
-
Policies can check permissions, repos, cloud configs, and max expiry.
Evaluation order
- Auto-decline (highest priority first)
- Auto-approve (highest priority first)
- Manual review (pending)
Secure credential storage (vaulting)
-
Azure Key Vault: Azure credentials.
-
AWS Secrets Manager: AWS credentials.
-
GitHub Repository Secrets: GitHub tokens.
Note
Credentials are shown once at approval time, later they can be retrieved from their vaults.
Audit trail
Every action is logged, includes requests, approvals, rejections, rotations, and revocations.
Expiry controls
Expiry depends on provider constraints and NHI type.
-
Azure App Registrations: 1 day to 1 year (custom date supported).
-
AWS IAM Users: 1 day to 1 year (custom date supported).
-
AWS IAM Roles: 1 hour to 12 hours (STS constraint).
-
GitHub App tokens: fixed 1 hour (GitHub constraint).
Authentication & RBAC
Users with the Admin role on the SailPoint Entro Platform can use the same login method to access JIT and request credentials. Setup roles in SailPoint Entro Portal → Settings → User Management.
SailPoint Entro supports manual role assignment and IDP Group mapping.