Default PAM JIT group assignment

4 votes

We use JIT (Just-In-Time) access for temporary Domain Admin, Schema Admin, and Enterprise Admin rights. This works well, as these elevated rights are only needed occasionally. It's not an issue for users to manually check the checkbox when these rights are required.

In the future, we plan to add our ServerOperators group to JIT as well, since this group is necessary for the daily work of our system administrators.

Question:
Is it possible to automatically assign a group (right) when a user checks out an account via PAM?

Use case:

  • User-X does not have any special group memberships by default, only Domain Users.
  • User-X checks out an account via PAM.
  • JIT automatically assigns a group (e.g., ServerOperators) without requiring the user to manually select it during checkout—ideally, the group is pre-selected by default.


Rationale:
The idea is that the account should function as a normal user by default. For example, the user works only 2 days and needs elevated permissions (e.g., ServerOperators) two days per week.
During the remaining days, if the account were to be compromised, it would only have standard user rights (Domain Users), thus reducing the attack surface.

All Comments (7)

Hello,

Thank you for your request. We have already received a similar request here. We would like to address that in the short to mid term. Would it work for you if the group were selected by default, even if the user could uncheck it? I just want to confirm that you do not expect the default group to be hidden and added automatically during the checkout. Let us know if having default groups selected by default would be a good solution for you.

Best regards,

François Dubois

Hello,

At the moment, we have version 2025.3 installed, and I was hoping there would be an option to set a default checkout JIT group. I can’t seem to find this option.

As an example, here’s a screenshot showing how it can be configured at the user level — maybe this could be an idea?

In this example, when “Domain Admins” is selected, the user would always be checked out with these rights by default. If necessary, the user could still select a different group during checkout, such as “Schema Admins.”


Hi @freddy1

We've gotten a few similar but not exactly the same requests related to default elevation groups. One of the requests we're planning on implementing is on a per session basis. Example would be in an RDP entry when linking the PAM account, you could also select the default group to elevate as for that entry. It would be a control with multiple options, the options we are planning on adding are:

  • Prompt (current behaviour)
  • Inherited from privileged account (allows users to set a default group at the privileged account level)
  • Custom (session specific)

Would this work for you as well? Would love to hear thoughts on this.

Cheers,

Luc Fauvel

Hello Luc,

We've discussed your proposal internally, but we believe it doesn't fully align with our desired workflow.

For your information, each administrator has a personal PAM account (adm-username). This account is a member of the AD group sysadmin_task, which provides sufficient rights for daily normal activities.

When a user starts working, they always check out their personal PAM account (adm-freddy). They usually don't need to become a "domain admin," so they can start working without checking anything in the checkout screen. No one needs to grant permission for a PAM checkout either.

Our preference is that when someone checks out from their admin-username account, they automatically become a member of the sysadmin_task group. This group is removed upon checkin. If someone needs "domain admin" rights, they can check this box themselves.

We would therefore like to set a default checkout group at the user level, not at the jump item level.

The main reason is that the admin-freddy account no longer has any rights by default. By linking the sysadmin-task group to JIT at checkout, it temporarily gains the correct rights. We can configure it right now with JIT, but I see that the user then always chooses "domain admin" rights, because imagine if you ever need this during the day.

We would like to configure a default checkout group at the user level.

Hi @freddy1,

In my proposal above, your desired behaviour should be achievable if you set your sessions to “Inherit from privileged account” and set the default elevation group on your privileged account itself.

If I’m misunderstanding please let me know.

Cheers,

Luc Fauvel

Hi Luc,

Your proposal is pretty much in line with our needs, but if I understand correctly, the sysadmin can determine the default checkout JIT role during checkout. In my experience, some administrators then simply select "DomainAdmin" by default so they always have the maximum rights, because that's convenient. That's why I wanted to set it as the DVLS administrator and not the RDM end user.

Perhaps it's an option to prevent certain JIT groups from being selected as the default checkout group. That is perhaps the best of both worlds.

Hi @freddy1,

In the scenario where we implement the feature that I've described above, if you want to prevent the end users from changing the group, you could achieve that by disabling edit access on both the PAM account and the machines, thus preventing the end user from modifying the default group. Any other type of restriction would require a privilege set. Let me know if there's anything else.

Cheers,

Luc Fauvel