Just-In-Time Access

Manage temporary elevated access for policy-restricted operations with time-limited grants.

Overview

Just-In-Time (JIT) access is a mechanism that grants temporary, time-limited access privileges for operations restricted by the policy engine. When an operator requests elevated access and an administrator approves it, operations with the specified role are permitted only for the designated period.

```plaintext
Operator → access request → [pending]
                              ↓ (admin approves)
                            [approved] → ExpiresAt set
                              ↓ (expiration)
                            [expired]
```

Workflow

1. Request Access

```bash
nefia access request \
  --role admin \
  --hosts "prod-*" \
  --duration 1h \
  --reason "deploy hotfix"
```

| Flag | Description | Default |
|---|---|---|
| `--role` | Role name to request | (required) |
| `--hosts` | Host pattern (glob) | (required) |
| `--duration` | Validity period | 1h (configurable) |
| `--reason` | Reason for the request | (optional; can be made required in config) |
2. View Request List

```bash
nefia access list
nefia access list --status pending
```

| Status | Description |
|---|---|
| `pending` | Awaiting approval |
| `approved` | Approved (active) |
| `denied` | Denied |
| `expired` | Expired |
| `revoked` | Manually revoked |
3. Approve

```bash
nefia access approve <request-id>
```

Once approved, ExpiresAt is set, and operations with the specified role and host pattern are permitted until that time.

4. Deny

```bash
nefia access deny <request-id> --reason "production access not needed"
```
5. Revoke

To revoke privileges before expiration:

```bash
nefia access revoke <request-id>
```

Integration with the Policy Engine

JIT works in conjunction with the policy engine:

  1. The policy engine evaluates the command at execution time.
  2. If the policy denies the operation,
  3. the JIT manager checks for active grants.
  4. If a valid grant exists, the operation is permitted (JITGranted = true).

Host pattern matching follows filepath.Match semantics:

  • prod-* — all hosts starting with prod-
  • web-?? — hosts with two characters following web-
  • * — all hosts
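The grant check behind steps 2 to 4, as an added example that is not nefia's own code: the `Grant` fields, the constructed `SampleGrants` store and the `Authorize` helper are assumptions for illustration, but the host matching uses Go's real `filepath.Match`, and only an `approved`, unexpired grant for the requested role can override a policy denial.

```go
package main

import (
	"path/filepath"
	"time"
)

// Grant holds the fields the check needs; the names are an assumption, not nefia's schema.
type Grant struct {
	Role      string
	Hosts     string // host glob, filepath.Match semantics
	Status    string // pending | approved | denied | expired | revoked
	ExpiresAt time.Time
}

var Now = time.Date(2030, 1, 1, 0, 30, 0, 0, time.UTC) // fixed clock for the sample

// SampleGrants is a constructed grant store; only the first entry should ever open access.
var SampleGrants = []Grant{
	{"admin", "prod-*", "approved", Now.Add(30 * time.Minute)},
	{"admin", "*", "denied", Now.Add(time.Hour)},           // denied: pattern "*" is irrelevant
	{"admin", "web-??", "approved", Now.Add(-time.Minute)}, // approved but already expired
	{"deploy", "prod-*", "revoked", Now.Add(time.Hour)},    // revoked before expiry
}

// HasActiveGrant reports whether an approved, unexpired grant for role has a
// host glob that matches host. Pending, denied, expired and revoked never grant.
func HasActiveGrant(grants []Grant, role, host string, now time.Time) bool {
	for _, g := range grants {
		if g.Status != "approved" || g.Role != role || !now.Before(g.ExpiresAt) {
			continue
		}
		// filepath.Match errors only on a malformed pattern; treat that as no match.
		if ok, err := filepath.Match(g.Hosts, host); err == nil && ok {
			return true
		}
	}
	return false
}

// Authorize mirrors the flow above: policy first, JIT only rescues a denial, jitGranted records it.
func Authorize(policyAllows bool, grants []Grant, role, host string, now time.Time) (allowed, jitGranted bool) {
	if policyAllows {
		return true, false
	}
	if HasActiveGrant(grants, role, host, now) {
		return true, true
	}
	return false, false
}
```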

Configuration

```yaml
jit:
  enabled: true
  default_duration: 1h       # Default validity period
  max_duration: 8h           # Maximum validity period
  require_reason: false      # Require a reason
  webhook_name: ""           # Webhook name for JIT event notifications
```

Auditing and Notifications

All JIT operations are recorded in the audit log:

| Operation | Audit Type |
|---|---|
| Request created | `OpJITRequest` |
| Approved | `OpJITApprove` |
| Denied | `OpJITDeny` |
| Revoked | `OpJITRevoke` |

When a webhook is configured, notifications are sent for each event.

Caching

The JIT manager caches grants in memory for 30 seconds for performance, so a revocation written by another process can take up to 30 seconds to become visible to a running manager. The cache can be manually refreshed with InvalidateCache().

Storage

Grants are persisted in JSONL format at <state-dir>/jit/requests.jsonl. File locking ensures safe concurrent access from multiple CLI processes.