
# Just In Time Access

### Overview

JIT (Just-In-Time) Access is a security feature that allows network administrators to implement approval-based access control. Instead of granting permanent access to network resources, administrators can require users to request temporary access, which must be approved before the user can connect to the network.

**JIT Access can be enabled for all non-admin users or restricted to selected user groups, allowing administrators to apply approval-based access controls only where needed.**


This feature is particularly useful for:

* Implementing zero-trust security principles
* Providing temporary access to contractors or external users
* Enforcing time-limited access to sensitive network resources
* Maintaining detailed audit trails of network access


### Key Features

#### Request-Based Access

Users must submit a request to access the network, providing a reason for their access need. Administrators review these requests and can either approve or deny them based on business requirements and security policies.

#### Time-Limited Access

Administrators can explicitly set the duration that users are allowed access. This ensures that access automatically expires after the specified time period, reducing the risk of unauthorized or forgotten access permissions.

#### **Group-Based Access Control**

JIT Access can optionally be scoped to specific user groups within a network. Users within the configured groups must request access before connecting to the network.

<figure><img src="/files/EArLnLFOdDfxgBmq9NYG" alt=""><figcaption></figcaption></figure>

Non-admin users belonging to configured groups must request access before connecting to the network. Upon approval, access is granted for a specified duration and automatically revoked when the approval period expires.

**Flexible Access Control**

Networks can be configured to:

* Require JIT approval for all non-admin users (leave the group selection empty)
* Require JIT approval only for selected groups
* Exempt trusted groups from the JIT workflow
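
The scoping and expiry rules above can be read as a single connect-time decision. The Python sketch below is an added illustration, not Netmaker's code: every class and field name is hypothetical, the sample data is constructed, and it assumes that users outside the selected groups are the ones exempt from the workflow.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical model for illustration; names are not Netmaker's schema or API.

@dataclass(frozen=True)
class Network:
    name: str
    jit_enabled: bool = False
    jit_groups: frozenset = frozenset()   # empty: JIT applies to every non-admin user

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Grant:
    user: str
    network: str
    approved_at: datetime
    duration: timedelta                   # set by the approving administrator

def requires_jit(net: Network, user: User) -> bool:
    """Does this user need an approved request before connecting?"""
    if not net.jit_enabled or user.is_admin:
        return False
    if not net.jit_groups:                # no groups selected: all non-admin users
        return True
    return bool(net.jit_groups & user.groups)   # scoped: members of selected groups only

def may_connect(net, user, grants, now):
    """Return (allowed, reason); expiry is evaluated at connect time."""
    if not requires_jit(net, user):
        return True, "approval-not-required"
    mine = [g for g in grants if g.user == user.name and g.network == net.name]
    if any(g.approved_at <= now < g.approved_at + g.duration for g in mine):
        return True, "active-grant"
    return False, "grant-expired" if mine else "no-grant"

# Constructed sample data (user names and times are made up).
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
STAGING = Network("staging-internal", jit_enabled=True, jit_groups=frozenset({"contractors"}))
GRANTS = [
    Grant("carol", "staging-internal", NOW - timedelta(hours=1), timedelta(hours=8)),
    Grant("dave", "staging-internal", NOW - timedelta(days=2), timedelta(hours=8)),
]
```

The distinct `grant-expired` and `no-grant` reasons mirror the Expired/Revoked and "no active access" states that the dashboard and Netmaker Desktop show separately.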

#### Request Management Dashboard

<figure><img src="/files/o8TGT7N6wFxb8pUzRttS" alt=""><figcaption></figcaption></figure>

The JIT Requests interface provides a comprehensive dashboard for managing all access requests with the following capabilities:

* View all requests across different states (Pending, Approved, Denied, Expired/Revoked)
* Filter and search through pending requests
* Quick approval or denial actions
* Track request timestamps and remaining time

#### Email Notifications

Email notifications keep both admins and users informed throughout the access request lifecycle:

Admin Notification (Access Request Received):

When a user requests access, the network admin receives an email containing:

* Requesting user name
* Network name
* Reason (if provided)
* Direct link to review the request


<figure><img src="/files/t2Ll2JI7ba1l3IvbCQkR" alt=""><figcaption></figcaption></figure>

User Notification (Access Approved/Denied):

When an admin processes a request, the user receives an email notification with the decision and relevant details.


<figure><img src="/files/6jKnFiqsnggCp60MfTxA" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
*Important: Email notifications depend on your email setup. If you're self-hosting Netmaker, you must* [*configure SMTP*](https://learn.netmaker.io/how-to-guides/how-to-secure-it-operations-with-netmaker#setting-up-smtp-self-hosted) *under server settings first. Without proper SMTP configuration, email notifications will not be sent.*
{% endhint %}


### Configuration

#### Enabling JIT Requests

To enable JIT Requests for a network:

1. Navigate to the JIT Requests interface of your network in the admin dashboard
2. Toggle the feature to 'Enabled'

<figure><img src="/files/GdcUwLi34SlzFG1BekA4" alt=""><figcaption></figcaption></figure>

**Note**: Once enabled, approval will be required before connecting to the network, but only for non-admin users accessing it via [Netmaker Desktop](https://learn.netmaker.io/getting-started/server-and-client-management/client-installation/netmaker-desktop-installation?q=netmaker+desktop).

### User Experience

#### Accessing Networks via Netmaker Desktop

Platform users and service users interact with JIT-enabled networks through the **Netmaker Desktop** application. The application provides a clean interface showing all available networks and their current access status.

#### Network Display States

In Netmaker Desktop, networks are displayed with different states depending on JIT configuration and current access status:


<figure><img src="/files/eGl04c1nxgdeEbx1Sg8d" alt=""><figcaption></figcaption></figure>

<table data-header-hidden><thead><tr><th width="249" valign="top"></th><th valign="top"></th><th valign="top"></th></tr></thead><tbody><tr><td valign="top">Display</td><td valign="top">State</td><td valign="top">User Action</td></tr><tr><td valign="top">Request button</td><td valign="top">Network requires JIT approval and user has no active access</td><td valign="top">Click 'Request' to submit an access request</td></tr><tr><td valign="top">Access request pending (grey)  </td><td valign="top">Request has been submitted and is awaiting administrator approval</td><td valign="top">Wait for administrator to approve or deny the request</td></tr><tr><td valign="top">Active (green check)</td><td valign="top">Access approved and currently active</td><td valign="top">Users can toggle the connection on or off within the approved access period</td></tr></tbody></table>

#### Requesting Access via Netmaker Desktop

When a user needs to access a JIT-enabled network through Netmaker Desktop:

1. User opens Netmaker Desktop application
2. User sees the list of available networks
3. For **JIT-enabled networks** without active access, a 'Request' button is displayed
4. User clicks 'Request' button
5. User provides a reason for access in the request dialog
6. Request is submitted to administrators for review
7. User waits for approval (request appears in admin dashboard as 'Pending')
8. Once approved, the network becomes active with a timer showing remaining access time
9. User can toggle the connection on/off during the approved time window

**Example from Netmaker Desktop:**

<figure><img src="/files/QdJIV6jQ9fVa0I9yeYUH" alt=""><figcaption></figcaption></figure>

'**office-network**' shows a 'Request' button (needs to be requested), '**staging-internal**' displays 'Access request pending' (waiting for admin approval), and '**zero-path**' shows an active connection with toggle controls and an expiration countdown of 29 days and 23 hours.


### Managing Access Requests (Admin Dashboard)

#### JIT Requests Interface Overview

Administrators manage all access requests through the web-based admin dashboard. The request management interface displays all access requests with the following information:

<figure><img src="/files/QmaMO5PFsGACC6sXSC6x" alt=""><figcaption></figcaption></figure>

<table data-header-hidden><thead><tr><th valign="top"></th><th valign="top"></th></tr></thead><tbody><tr><td valign="top">Field</td><td valign="top">Description</td></tr><tr><td valign="top">User</td><td valign="top">Email address or identifier of the user requesting access</td></tr><tr><td valign="top">Requested</td><td valign="top">Timestamp showing when the access request was submitted (e.g., '5 minutes ago')</td></tr><tr><td valign="top">Status</td><td valign="top">Current state of the request: Pending, Approved, Denied, or Expired/Revoked</td></tr><tr><td valign="top">Reason</td><td valign="top">User-provided justification for why they need network access</td></tr><tr><td valign="top">Managed By</td><td valign="top">Administrator who processed the request </td></tr><tr><td valign="top">Time Left</td><td valign="top">Remaining duration of approved access </td></tr></tbody></table>


#### Approving Access Requests

To approve a pending access request:

1. Review the request details, including the user, reason, and request timestamp

2. Click the 'Grant Access' button next to the request

   <figure><img src="/files/3sQqxD3kDUZaSFoGWWQl" alt=""><figcaption></figcaption></figure>

3. Specify the duration for which access should be granted

4. Confirm the approval

The user will be notified of the approval. In Netmaker Desktop, the network will change from showing a 'Request' status to displaying an active connection with a countdown timer (e.g., 'Access expires in 29d 23h').

<figure><img src="/files/0e63RTXZvUrpUJS2fGIO" alt=""><figcaption></figcaption></figure>


#### Denying Access Requests

To deny a pending access request:

1. Review the request details

2. Click the 'Deny' button

   <figure><img src="/files/iXNyvtDtCkHYAIiDaytx" alt=""><figcaption></figcaption></figure>

3. Confirm the denial

The user will be notified of the denial and the 'Request' button will be available in Netmaker Desktop if they need to submit a new request with updated justification.


### Best Practices

#### For Administrators

1. Review requests promptly to minimize user wait times and maintain productivity
2. Set appropriate access durations based on the user's stated need; avoid periods that are too long or too short
3. Monitor the Expired/Revoked tab regularly to identify patterns in access requests
4. Use the search functionality to quickly find specific user requests
5. Consider user patterns - if a user regularly requests access, evaluate if a longer duration or different access model is appropriate


#### For Users

1. Provide clear, specific reasons for access requests to expedite approval

   <figure><img src="/files/GLPW1F0rpU7NJYFft7Ve" alt=""><figcaption></figcaption></figure>

2. Request access in advance when possible to account for approval time

3. Monitor your access timer in Netmaker Desktop to know when your access will expire

   <figure><img src="/files/5xd2U3lI8tSpoiUgHYEh" alt=""><figcaption></figcaption></figure>

4. Disconnect when finished to demonstrate good security practices, even if time remains

5. Plan ahead for extended work - if you need access for an entire day, mention this in your request reason


### Security Considerations

1. Audit Trail: All requests are logged with timestamps, user information, and reasons, providing a complete audit trail of network access

   <figure><img src="/files/JA86KLnGjy9NAgPedaT3" alt=""><figcaption></figcaption></figure>
2. Principle of Least Privilege: Time-limited access ensures users only have access when needed, automatically revoking permissions after the approved duration
3. Zero Trust Architecture: Supports zero-trust principles by requiring explicit approval for each access instance, never granting permanent access by default
4. Compliance: Helps meet regulatory requirements for access control and monitoring, including SOC 2, ISO 27001, and other security frameworks
5. User Accountability: Requiring users to provide reasons for access creates accountability and discourages unnecessary access requests


### Troubleshooting

#### Users aren't receiving admin emails

1. Confirm email is configured on the server (self-hosted instances must configure SMTP under server settings)
2. Check spam filtering
3. Verify the admin's email address is correct

#### A user can't connect after being approved

1. Confirm the grant hasn't expired - check the countdown timer
2. Ask the user to refresh the network list in Netmaker Desktop
3. Confirm the user is trying to connect to the correct network

*If you experience any difficulties, we’re here to* [*help*](https://www.netmaker.io/contact)*.*

### Common Use Cases

#### 1. Contractor Access

Grant temporary access to external contractors for specific projects or maintenance windows without creating permanent accounts. Contractors use Netmaker Desktop to request access, and administrators can approve time-limited access matching the project timeline.

#### 2. Elevated Privilege Scenarios

Require approval for users needing temporary elevated access to sensitive network segments or resources. Even trusted employees can request JIT access for specific tasks that require higher permissions.

#### 3. Break-Glass Access

Implement emergency access procedures where users can request immediate access for critical situations, with full audit logging. Administrators can quickly review and approve urgent requests while maintaining security oversight.

#### 4. Shift-Based Access

Control access based on work shifts, requiring users to request access only during their scheduled hours. This ensures that off-duty staff don't have lingering network access.

#### 5. Temporary Remote Work

Employees working remotely on specific days can request access for that day only, rather than maintaining permanent VPN access. This is particularly useful for hybrid work environments.


### Technical Details

1. [User Management](https://learn.netmaker.io/features/user-management) enables administrators to create and manage users, assign roles, and control access to networks and resources.
2. [Netmaker Desktop](https://learn.netmaker.io/getting-started/server-and-client-management/client-installation/netmaker-desktop-installation) is the official Netmaker client application that users run to securely reach private networks, remote resources, and the internet.
3. [Admin Dashboard (NMUI)](https://learn.netmaker.io/references/user-interface?q=netm) is a web-based management interface used by administrators to configure, control, and monitor network resources.

### Summary

JIT Requests provides a powerful mechanism for implementing time-bound, approval-based access control to your network. By requiring explicit approval and setting time limits on access, this feature significantly enhances network security while maintaining flexibility for legitimate access needs.

The seamless integration with Netmaker Desktop ensures users have a simple, intuitive experience when requesting and using temporary access, while administrators benefit from a comprehensive dashboard that makes request management efficient and provides complete audit trails for compliance and security monitoring.
