Just-in-Time (JIT) Access for Groups
in progress
Domien Van Rompaey
We would like to request the ability to configure Just-in-Time (JIT) Access controls for Groups in Hudu. This would allow administrators to grant time-limited, scoped access to specific users or groups only when it’s needed - improving overall security and reducing the risk of over-permissioned access.
The Hudu Team
in progress
Cameron Granger
Merged in a post:
Azure AD PIM / JIT
Chris Davis
We already use Azure AD SSO to log in to Hudu. It would be great if we could also tag certain companies, resources, passwords and/or articles requiring approvals with "Just In Time" access.
Currently the permission model in Hudu means that a user can access any password in Hudu, as long as they are granted the right permission.
Instead, it would be great if Just-In-Time approvals can be granted to an MSP user to view a password based on certain conditions (handled by the PIM Azure AD service). Authorization can then be allowed one time, or for a short period of time - according to how it's configured in the Azure AD PIM policies.
This would also work for granting JIT access in situations that are not password specific. For example: allowing a Hudu user to change a top level template policy, if approved by JIT approvals. Example 2: Allowing a user to modify a sensitive high level policy KB document that would typically be read-only.
This would allow us to unify Hudu access in a similar way to how we handle RBAC controls for techs in the Microsoft 365 GDAP role.
More from Microsoft: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
TLD: Would be nice to have a way to grant some people, some access, for some small amount of time using JIT / PIM features.