Feature Request: JIT Provisioning for Non-Vaulted AD Accounts

We understand that Devolutions Server (DVLS) currently does not support Just-in-Time (JIT) provisioning for accounts that aren't stored in the PAM vault. However, we would like to suggest adding this feature.

Use Case:
Our CAD Manager needs to be added to a security group that grants admin rights on specific computers. It would be ideal if the CAD Manager could request JIT access in a self-service manner, allowing us to log when these elevated privileges are granted and used. Currently, importing all privileged accounts into the PAM vault just to enable JIT provisioning seems excessive and potentially exposes these accounts unnecessarily.
Implementing this feature would improve our ability to manage access securely and efficiently.

All Comments (1)

Hi,

It's definitely on our to-do list; sadly, we could not fit it into our next release cycle.

I will try to work out a way in a hackathon style project.

What are your Identity Providers of choice for this feature? I would think that AD and Entra would be the easiest for us in a first phase.

Also (since I have you...)

What do you think of the following settings?

  • AD : Destination OU
  • Entra : Destination AU (we have few customers that have the necessary AD Subscription level, so I would not do it)
  • Username
    • Seed : Use current user's username as seed (e.g. mcote would generate _mcote), or use Checkout ID as seed (e.g. JIT1854)
    • username format : prefix (_mcote as above), suffix (e.g. mcote-jit)
    • other?
  • Password complexity template
  • labels/tags to apply on account (this would help the OPSEC team)


Obviously paired with that would be the target groups to elevate.

Please let me know your thoughts.


Maurice
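As an added illustration of how the settings proposed in the reply above (seed, username format, destination OU, password complexity, labels, target groups) could map onto an AD provisioning job. This is example code written for this thread, not Devolutions Server code; it assumes the ActiveDirectory PowerShell module, an account allowed to create users and change group membership, and placeholder OU and group names.

```powershell
# Example only (not DVLS code). Creates a short-lived JIT admin account in AD from the
# settings discussed in the thread. OU, group names and seed values are placeholders.
Import-Module ActiveDirectory

function New-JitAdminAccount {
    param(
        [Parameter(Mandatory)][string]$Seed,            # 'mcote' (current user) or 'JIT1854' (checkout id)
        [ValidateSet('Prefix','Suffix')][string]$Format = 'Prefix',
        [Parameter(Mandatory)][string]$DestinationOU,   # placeholder: 'OU=JIT,DC=example,DC=local'
        [Parameter(Mandatory)][string[]]$TargetGroups,  # groups that grant the elevated rights
        [int]$LifetimeHours = 4,                        # hard expiry of the account and membership
        [string[]]$Labels = @('JIT')                    # tags for the OPSEC team
    )

    # Username from seed + format: prefix gives '_mcote', suffix gives 'mcote-jit'
    $sam = if ($Format -eq 'Prefix') { "_$Seed" } else { "$Seed-jit" }
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds the 20-character limit" }

    # Password complexity template: 24 printable ASCII characters from a CSPRNG
    # (modulo mapping has a small bias; a real template generator should avoid it)
    $chars = [char[]](33..126)
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pwdPlain = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    $pwd = ConvertTo-SecureString $pwdPlain -AsPlainText -Force
    $expires = (Get-Date).AddHours($LifetimeHours)

    # Create the account in the destination OU with an expiry the directory enforces itself
    New-ADUser -Name $sam -SamAccountName $sam -Path $DestinationOU `
        -AccountPassword $pwd -Enabled $true -AccountExpirationDate $expires `
        -Description ("JIT account for {0}; labels={1}" -f $Seed, ($Labels -join ','))

    # Elevate into the target groups. -MemberTimeToLive needs the Privileged Access
    # Management optional feature; fall back to plain membership when it is unavailable,
    # in which case the account expiry above is what bounds the elevation.
    $ttl = New-TimeSpan -Hours $LifetimeHours
    foreach ($g in $TargetGroups) {
        try   { Add-ADGroupMember -Identity $g -Members $sam -MemberTimeToLive $ttl -ErrorAction Stop }
        catch { Add-ADGroupMember -Identity $g -Members $sam -ErrorAction Stop }
    }

    # What the checkout log should record (the password itself is never logged)
    [pscustomobject]@{ Account = $sam; OU = $DestinationOU; Groups = $TargetGroups
                       ExpiresAt = $expires; Labels = $Labels }
}
```

The returned object is the audit record the original post asks for: who requested the elevation (the seed), which groups were granted, and when the grant ends.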