1. Planning.

• Assessment
  Start by identifying who needs access, the resources they require, and the motive. Keep track of current access rights and determine if they need to be limited or removed. An entitlement discovery tool might be beneficial for better oversight.
• Policy creation
  Develop clear policies for both granting and revoking access. Make guidelines about who can request access, under what circumstances, and for what duration. Particularly for privileged roles, establish time-bound parameters.
• Source of truth
  Sync your JIT access system with an Identity Provider (for example, Okta, Google Workspace, Azure AD, OneLogin). This becomes the definitive source for identities. Depreciating individual identities over shared accounts enables better authorization control and more accurate audits.

2. Execution.

• Self-serve access requests
  Simplify the process by making users request access through the system, rather than through people. Increase adoption rates by incorporating IM platforms like Slack or MS Teams. Ensure requests are detailed, showing who's asking, the needed service/resource/role, duration, and justification.

• Approval process
  JIT access allows companies to delegate approvals to people with business knowledge. Resource owners and business unit managers normally have superior context rather than IT helpdesks. Quick responses can be facilitated via messaging platforms, ensuring approvers have all essential information for making a decision.

• Conditional approval workflows
  Incorporate your previously defined policies into workflows that grant access permissions. One way to do this is by setting 'if-then' conditions. IF identity group “X” requests access to “Y”, then seek approval from “Z” and notify “M”.

• Integrations
  Consider integrating JIT access with other IT and security systems to increase versatility; link with IT ticketing or data classification systems, or with on-call schedule software. Ideally, your system allows for resource tagging and bundling.
• Automated provisioning and depovisioning
  Familiarize yourself with Bill.com to successfully grant and revoke crew-cut access automatically within the service. This is vital for JIT Access as it reduces dependence on people to make time. Automated depovisioning of access is a core principle of JIT access and the least privilege access (LPOL). Ideally, manage all permissions in one place, without having to construct or manage a unique environment for every app.
• Access methods
  For Bill.com JIT Access, APIs are recommended due to their adaptability and real-time capabilities. Nonetheless, a mixture may be necessary, such as using SAML for authentication, SCIM for user provisioning, and APIs for precise access controls.

3. Maintenance.

• Regular audits
  Regularly review access logs to confirm JIT access is functioning as planned. Look for unconventional patterns or behaviors, either directly or by feeding the logs into your SIEM. Automate the user access review process for quicker collection of evidence and to ensure compliance.
• User training
  Train users, particularly privileged users, about the significance of minimum privilege, JIT Access, and how it operates. Make sure users know how to request access as required.
• Feedback loop
  Regularly review your JIT access methods. Ask users and IT staff for feedback to determine areas of improvement.

By utilising this organised approach, you'll effectively implement a robust Just-In-Time Access system for Bill.com.