Just-in-Time Admin (JTA) Feature

Summary: Just-in-Time Admin (JTA) is an optional feature for customers of Managed Application Services (EI-MAS) who require independent administrator-level access to the server(s) running their managed service. Through this optional feature, these customers can immediately self-elevate to the local administrator role on their designated server(s).

JTA Overview

The Managed Application Services (EI-MAS) team offers two levels of managed services to campus: Core Application Services (CAS) and Specialized Application Services (SAS). For both of these service offerings, MAS staff act as the systems administrators and retain exclusive ownership of local administrator access internally. At the same time, we recognize that there are certain situations where a customer requires access to the server(s) running their services at the highest privilege level, local administrator. To allow for these situations, we have added an additional feature, Just-in-Time Admin (JTA), to our offering for managed Windows Servers.

Once enabled for a specific server, the customer will be allowed to self-elevate their admin ID (required) into the role of local administrator for a set period of time (default is 4 hours). This self-elevation can happen 24x7 and does not require an approval at the time of request. Once the time has elapsed, their account is automatically removed from the local administrator role. We are leveraging the Access Management service from ITS Identity and Access Management (IAM) to enable this feature.

In order to follow University of Iowa security policies, MAS has adopted a stance of least privilege access for application servers we manage. MAS will not allow this JTA feature unless approved by MAS leadership for the designated server(s). Most requests for server access to manage specific aspects of the application can be configured without requiring local administrator rights. MAS leadership evaluates requests for this feature by asking the question “Can MAS grant access to the server(s) at a non-administrator level and still allow the customer the ability to independently manage their application?” Examples of access we can allow without local administrator:

  • Logon to server to check settings
  • Copy and edit local files in designated folders
  • Logon locally to stop/start services
  • Logon locally to launch an application
  • Logon locally to reboot the whole server

If we are unable to meet the requirements through other steps, we will work with our customers to configure their server(s) for JTA. Even though a customer may be using JTA, we still value the partnership, and MAS sysadmins remain responsible for many aspects of managing the servers. We stress good, collaborative communication between our customers’ technical staff and MAS sysadmins. The more MAS knows about your applications, the more quickly we can help resolve issues.

Requesting JTA

A request for JTA configuration is initiated by completing our ITS-EI-JTA Request Form.

Required information includes:

  • Justification for enabling the feature
  • List of Admin IDs that will be allowed JTA access
  • Hostname for servers
  • Services supported by these servers

Requests are reviewed by MAS leadership in conjunction with systems administrators. Once approved, customers are notified, and a meeting is set up to finalize the process and gather final information. In order to avoid false alerts, MAS staff will work with the customer to direct alerting to their own technical staff. MAS feels it is important that customers get any system-generated alerts first, since they could be caused by their own actions when working on their servers. These alerts can be sent a variety of different ways, with email and Teams channels being most common. If the customer’s technical staff wants any assistance in troubleshooting problems, MAS systems administrators are on-call and available 24x7 to assist. For assistance on a MAS managed server, please follow our business and after-hours contact methods.

How to use JTA

Here are the steps that technical staff will follow to self-elevate using JTA:

  1. Log in to IAM Access Management with your HawkID.
  2. Locate the “ITS-EI-JTA” service along the left, and then select the desired resource.
    1. If you cannot see the resource, please contact its-ei-mas@iowa.uiowa.edu so that they may grant you the Viewer Role.
  3. Verify the correct group is listed and click the blue Elevate button on the Members tab.
    1. If you do not see this button, you may not have been granted the Just-in-Time Access privilege.
    [Image: customer dashboard resource group dialog box]
  4. Verify your admin ID is listed, provide a valid reason for why you need JTA at this time, and click the blue Accept button. Provide as much detail as possible (255 character limit).
    [Image: customer self-elevate justification window]
  5. Your admin ID should now appear as a member of the group, and you have admin access to the designated servers. Access will be automatically removed when the time expires.
    [Image: Resource Group membership after self-elevate]
  6. If additional time is needed, you can complete these steps again.
  7. Log off (do not just disconnect) when your work is completed.
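Because JTA adds and later removes the admin ID from the server's local Administrators group automatically, both the customer's technical staff and MAS sysadmins may want a quick way to confirm that the elevation took effect and that it was removed after the window expired. The following PowerShell script is an added example, not part of this article or of the IAM Access Management tooling; it runs on the JTA-enabled server itself and assumes the account name is passed in the DOMAIN\user form (the value shown is a placeholder) and that "Audit Security Group Management" is enabled so that the Security log records events 4732 (member added to a local group) and 4733 (member removed).

```powershell
# Added example (not from the ITS-EI-MAS article): verify JTA membership on a
# managed Windows Server and list recent add/remove events for the local
# Administrators group.
param(
    # Admin ID to check, e.g. 'IOWA\jdoe-admin' (placeholder, not a real account)
    [Parameter(Mandatory)] [string] $AdminId,
    # Default JTA window is 4 hours; look back a little further than that
    [int] $LookbackHours = 8
)

$group = 'Administrators'

# 1. Is the admin ID a member of the local Administrators group right now?
$members  = Get-LocalGroupMember -Group $group
$isMember = $members | Where-Object { $_.Name -ieq $AdminId }
if ($isMember) {
    Write-Output "$AdminId is currently a member of local $group."
} else {
    Write-Output "$AdminId is NOT a member of local $group (expected once the JTA window has expired)."
}

# 2. Which accounts were added to / removed from Administrators recently, and by whom?
#    4732 = member added to a security-enabled local group
#    4733 = member removed from a security-enabled local group
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4732, 4733
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only care about changes to the local Administrators group
    if ($data['TargetUserName'] -ne $group) { continue }

    # The member is usually recorded only as a SID; resolve it to a name where possible
    $member = $data['MemberName']
    if (-not $member -or $member -eq '-') {
        try {
            $sid    = New-Object System.Security.Principal.SecurityIdentifier $data['MemberSid']
            $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $member = $data['MemberSid']   # unresolvable SID (e.g. account already gone)
        }
    }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = if ($e.Id -eq 4732) { 'ADDED' } else { 'REMOVED' }
        Member    = $member
        ByAccount = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}
```

Reading the Security log requires local administrator rights or membership in the Event Log Readers group, so the second half of the script is most useful to MAS sysadmins or when run during an active JTA window; a matching ADDED/REMOVED pair for the admin ID, roughly 4 hours apart, is what a normal JTA elevation looks like, and a missing REMOVED entry after the window is the condition worth raising with MAS.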

How do I add/remove others to my JTA resource?

Email its-ei-mas@iowa.uiowa.edu with the AdminID(s) you want to add to or remove from the JTA resource. Please note that using domain groups and HawkIDs is not supported.

How do I get server support for JTA service if needed?

For assistance on a MAS managed server, please follow our business and after-hours contact methods.

Where can I get more information?

Last updated
Article number
11481