Access requests

Granting access to resources on request is the basis of the Just In Time feature. A user requests access via the Access Gateway, and authorized administrators vote to approve or reject the request in the Admin Panel.

To set up the voting process for access to your resources, follow this procedure:


  1. Select Management > Safes.
  2. Select the safe from the list, or create a new one.
  3. Check the Access request required votes option. Provide the number of voters who will decide on each request for access to the Safe's resources.

Note

  • Users with the Admin role and users added to the Safe as Granted Users are allowed to be voters.
  • A user who sent an access request isn't allowed to vote on their own request. Therefore, their own requests aren't visible to them.
  • Setting more than one voter means that a request must be accepted by more than one authorized person. If one of the voters votes for rejection, the system automatically rejects the request.
  4. Go to the Granted users tab and, for the particular user, select the Access request sent type of notification.

Note

Notifications are set per node, according to the settings in the Notifications tab. For the Access request sent type, notifications are sent from the node on which the request was created. For more information, see the Notifications page.

  5. Click Save.

All the requests are available in the Management section on the Requests tab.


Awaiting requests

The Awaiting tab shows a detailed list of the requests that are waiting for a decision from the currently logged-in user. Two types of requests are available to the user who sends an access request: immediate and scheduled.


Immediate requests can be set from now up to the next 24 hours.

When a user sends an immediate request, its access time starts when the request is accepted. The user then has 24 hours to start their session. When the user starts the session, the system counts the session time that the user requested and terminates the connection when the requested session time is over. If the user does not use the access and does not connect within 24 hours after access is granted, the access expires.

For the scheduled type of requests, the user chooses a time period in the future, including exact time and date.


Sending response to the request

To vote for approval or rejection of a request, follow these steps:

  1. Select Management > Requests tab.
  2. In the Awaiting tab, select the request to be processed and click the Response button.
  3. In the modal, click the Accept or the Reject button.

Note

The Response reason field is required to activate the rejecting option.


Note

  • Users who sent the request via the Access Gateway and have their e-mail address configured in the Admin Panel receive a notification when their request is accepted or rejected.
  • If a user tries to connect to a server (for example, over the SSH protocol) via the native client option but hasn't sent an access request, a corresponding authentication error message is recorded in the Event logs: Unable to authenticate user: safe requires acceptance.

Active requests

The Active tab shows a list of two types of requests: 1) requests that were accepted and whose sessions are currently ongoing, and 2) requests that are still waiting for votes from some of the voters. The Votes column of the requests list shows the number of voters that the particular request needs in order to be processed. Hover over its value to see the details of who has voted.

A vote given for accepted and active requests can be revoked, for example, to prevent possible misuse. This option is useful when the user has finished their work earlier than expected, but their request is still valid.


Archived requests

The history of processed requests is available under the Archive tab.


The Votes column of the requests list shows the number of voters that the particular request needed in order to be processed. Hover over its value to see the details of who voted.


The Just In Time feature also works when Fudo instances are connected in a cluster. Votes and requests are replicated across the nodes in the cluster.

Note

If an admin voted on more than one machine in the cluster and the decisions were contradictory, they are treated as a single rejecting vote, and the accepting vote is revoked.
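
The voting rules described on this page (required number of votes, a single rejection rejects the request, the requester cannot vote, contradictory votes in a cluster count as one rejection), modelled as an added Python example. This is not Fudo's code: the function names, status strings and sample data are made up for illustration, and it assumes a request is accepted once the configured number of accepting votes is reached.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vote:
    voter: str    # administrator who cast the vote
    node: str     # cluster node on which the vote was recorded
    accept: bool  # True = Accept, False = Reject

def merge_votes(votes):
    """Collapse replicated votes to one decision per voter.

    Contradictory votes by the same voter on different nodes become a
    single rejection; the accepting vote is dropped (revoked).
    """
    merged = {}
    for v in votes:
        merged[v.voter] = merged.get(v.voter, True) and v.accept
    return merged

def resolve(requester, eligible, required_votes, votes):
    """Return 'rejected', 'accepted' or 'awaiting' (hypothetical labels)."""
    counted = {
        voter: accept
        for voter, accept in merge_votes(votes).items()
        # Only Admins / Granted Users count, and never the requester.
        if voter in eligible and voter != requester
    }
    if not all(counted.values()):
        return "rejected"   # one rejecting vote rejects the whole request
    if len(counted) >= required_votes:
        return "accepted"
    return "awaiting"       # still waiting for part of the voters

# Constructed sample data: voter and node names are invented.
ELIGIBLE = {"alice", "bob", "carol", "dave"}
SAMPLES = {
    "one of two votes": [Vote("alice", "node-1", True)],
    "two accepts": [Vote("alice", "node-1", True), Vote("bob", "node-2", True)],
    "one reject": [Vote("alice", "node-1", True), Vote("bob", "node-1", False)],
    "cluster conflict": [Vote("alice", "node-1", True), Vote("bob", "node-1", True),
                         Vote("bob", "node-2", False)],
    "self vote": [Vote("alice", "node-1", True), Vote("dave", "node-1", True)],
}

if __name__ == "__main__":
    for name, votes in SAMPLES.items():
        # "dave" is the requester; two votes are required.
        print(f"{name}: {resolve('dave', ELIGIBLE, 2, votes)}")
```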
