1. Planning.

• Assessment
  Begin by identifying who in the AFAS infrastructure needs access, what resources they require, and why. Document existing rights and examine whether they can be minimized or completely removed. An entitlement discovery tool can be helpful for gaining better visibility.
• Policy creation
  Formulate coherent policies for both providing and withdrawing access. Include precise guidelines about who can request access, under what situations, and for how long. Particularly for elevated roles, establish time-limit parameters.
• Source of truth
  Synchronize your JIT access system with an Identity Provider (e.g., Okta, Google Workspace, Azure AD, OneLogin). This needs to be the definitive source for identities. De/escalating individual identities rather than shared accounts will facilitate better control over authorization and accuracy in audits.

2. Execution.

• Self-serve access requests
  Make the process easier by allowing users to request access via the system, not person-to-person. Boost acceptance rates by combining with IM platforms like Slack or MS Teams. Make sure requests clearly state the requester, the needed service/resource/role, period, and reason.

• Approval process
  JIT access enables organizations to entrust approvals to individuals with business context. Resource owners and business unit managers often have better context than IT helpdesks. Use messaging platforms for quick responses, giving approvers all essential information for an informed decision.

• Conditional approval workflows  
  Incorporate your predefined policies into workflows determining access permissions. Weave them into workflows deciding who can access what and under which stipulations. One effective way to do this is through assigning if-then conditions. For example, IF identity group "X" asks to access "Y", seek "Z"s approval and notify "M".

• Integrations
  Think about incorporating JITA with other IT and security systems for more flexibility; link with IT ticketing systems for automated access corresponding with the ticket status. Join with data classification systems to tweak policies according to data sensitivity. Ideally, the ability to tag resources and bundle them can simplify this process. Work with on-call schedule software for automatic approvals in emergencies. Utilize training systems to provide access based on training completion.
• Automated provisioning and deprovisioning
  Familiarize yourself with AFAS to grant and withdraw access automatically within the service effectively. This is crucial for JIT Access as it lessens dependence on people's availability. The potential for automated deprovisioning of access lies at the heart of JIT access and the principle of least privilege access (POLP). Ideally, you'll be managing all permissions in one location, eliminating the need to construct or manage an environment for every app in your organization.
• Access methods
  For AFAS JIT Access, APIs are suggested due to their adaptability and real-time potentials, but a blend might be necessary. For instance, using SAML for authentication, SCIM for user provisioning, and APIs for specific access control decisions.

3. Maintenance.

• Regular audits
  Perform regular checks on access logs to confirm that JIT access is operating as planned. Search for any abnormal patterns or actions either directly or by inputting the logs into your SIEM. You can automate the user access review process to speed up evidence gathering, delegate reviewers, and ensure your system adheres to relevant industry rules or norms.
• User training
  Teach users, especially those in elevated roles, about the importance of least privilege, JIT Access, and its functionality. Ensure that users know how to request access when necessary.
• Feedback loop
  Regularly review your JIT access protocols. Solicit views from users and IT staff to discern where enhancements can be made.

Through careful adherence to this methodical approach, you can effectively implement a robust Just-in-Time Access system for AFAS.