Skip to content

JIT Access Platform

What Is the JIT Access Platform?

The JIT (Just-In-Time) Access Platform provisions temporary, scoped Non-Human Identities (NHIs) via approval and policy flow, with enhanced auditing and access trail.

It supports Azure, AWS, and GitHub, and requires additional onboarding outside SailPoint Entro's main platform. Its main goal is to replace standing access with time-bound credentials.

Instead of long-lived service accounts with permanent permissions, teams request:

  • Temporary credentials

  • Specific permissions

  • Explicit expiry

The platform has two interfaces:

  • JIT Portal: request, approve, and manage from a UI.

  • JIT MCP Server: request and manage programmatically from AI agents.

Key Capabilities

Multi-cloud support

  • Azure: temporary App Registrations with RBAC roles and Graph API permissions.

  • AWS: temporary IAM Users or IAM Roles (STS session credentials).

  • GitHub: temporary GitHub App installation tokens with scoped repo permissions.

Credential lifecycle management

  • Request: users or agents request credentials with scope and expiry.

  • Approve / reject: admins review, unless automation handles it.

  • Rotate: generate new credentials for an approved request.

  • Revoke: invalidate credentials before expiry.

  • Delete NHI: remove the cloud identity and associated credentials.

Automation policies & evaluation

  • Auto-approve for safe request patterns.

  • Auto-decline for dangerous patterns.

  • Policies can check permissions, repos, cloud configs, and max expiry.

Evaluation order

  1. Auto-decline (highest priority first)
  2. Auto-approve (highest priority first)
  3. Manual review (pending)

Secure credential storage (vaulting)

  • Azure Key Vault: Azure credentials.

  • AWS Secrets Manager: AWS credentials.

  • GitHub Repository Secrets: GitHub tokens.

Note

Credentials are shown once at approval time, later they can be retrieved from their vaults.

Audit trail

Every action is logged, includes requests, approvals, rejections, rotations, and revocations.

Expiry controls

Expiry depends on provider constraints and NHI type.

  • Azure App Registrations: 1 day to 1 year (custom date supported).

  • AWS IAM Users: 1 day to 1 year (custom date supported).

  • AWS IAM Roles: 1 hour to 12 hours (STS constraint).

  • GitHub App tokens: fixed 1 hour (GitHub constraint).

Authentication & RBAC

Users with the Admin role on the SailPoint Entro Platform can use the same login method to access JIT and request credentials. Setup roles in SailPoint Entro Portal Settings User Management.

SailPoint Entro supports manual role assignment and IDP Group mapping.