1. Planning.

• Assessment
  Start by pinpointing those who require access, the resources needed, and the purpose. Document the present access rights and evaluate if they can be reduced or erased. For superior visibility, consider using an entitlement discovery tool.
• Policy creation
  Formulate explicit policies for granting and rescinding access. Include guidelines stating who can request for access, under what situations, and for how long, especially for privileged roles with time-bound parameters.
• Source of truth
  Synchronize your JIT access system with an Identity Provider (e.g., Okta, Google Workspace, Azure AD, OneLogin). The provider will be the established source for identities. Choosing to increase or decrease individual identities instead of shared accounts will lead to better control of authorization and precision in auditing.

2. Execution.

• Self-serve access requests
  Streamline the process by allowing users to request access through the system, not via people. Improve adoption rates by incorporating IM platforms like Slack or MS Teams. Ensure that requests state who’s asking, the needed service/resource/role, duration, and reason.

• Approval process
  JIT access affords an opportunity for organizations to assign approvals to people possessing the business context. Resource owners and business unit managers often have this better than IT helpdesks. Use messaging platforms for prompt responses, providing approvers all crucial information for a decision.

• Conditional approval workflows
  Incorporate your preset policies into workflows determining access permissions. Insert them into workflows directing who can access what and under what conditions. One effective method is by allotting if-then conditions. IF identity group “X” requests access to “Y”, get approval from “Z” and inform “M”.

• Integrations
  Contemplate integrating JITA with other IT and security systems for more versatility; Integrate with IT ticketing systems for automated access based on the ticket status. Connect with data classification systems to modify policies based on data sensitivity. Ideally, you should be able to group resources together which can expedite this process. Team up with on-call schedule software for automated approvals during emergencies. Collaborate with training systems to grant access based on training completion.
• Automated provisioning and deprovisioning
  Gain a deep understanding of OneLogin to efficaciously grant and revoke access automatically within the service. This is critical for JIT Access as it lessens the dependence on people having the availability. It enables automated deprovisioning of access, lying at the heart of JIT access and the principle of least privilege access (POLP). Ideally, all permissions will be managed in a single location, obviating the need to create or manage an environment for every application in the organization.
• Access methods
  For OneLogin JIT Access, APIs are ideal due to their adaptability and real-time functions. However, a combination might be required. For instance, using SAML for authentication, SCIM for user provisioning, and APIs for accurate access control decisions.

3. Maintenance.

• Regular audits
  Frequently review access logs to confirm that JIT access functions as designed. Check for any unusual patterns or actions either directly or by inserting the logs into your SIEM. The user access review process can be automated to quicken evidence gathering, delegate reviewers, and ensure your system adhers to relevant industry regulations or standards.
• User training
  Instruct users, particularly privileged users, on the importance of least privilege, JIT Access, and their functioning. Ensure users know how to request access when it is required.
• Feedback loop
  Consistently review your JIT access procedures. Obtain feedback from users and IT staff to comprehend where enhancements are possible.

Implementing this structured approach will enable efficient establishment of a robust Just-in-Time Access system for OneLogin.