Just-in-time administration is used for administering systems and applications.
Grant high-level access only when needed and for limited times to enhance security.
Plain language
Just-in-time administration means giving people access to important parts of the system only when they really need it and for a short time. This is crucial because if someone has full-time access, a hacker who takes over their account gets that access too and could cause damage, like stealing sensitive data or disrupting business operations.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Just-in-time administration is used for administering systems and applications.
Why it matters
Without just-in-time access, persistent admin privileges create a large attack surface, giving intruders lasting control if an admin account is compromised.
Operational notes
Implement time-bound admin elevation (with approval where needed) and auto-expire privileges after tasks; log and alert on each just-in-time activation for visibility.
Implementation tips
- The system administrator should grant temporary access only when specific tasks need to be done, with a new access request created each time.
- The IT team should monitor access requests and ensure a manager approves them only when there is a justified need.
- The security officer should set up automatic expiration of access rights after a predetermined period so they don't remain active longer than necessary.
- The IT team should use software tools to track and log every time someone is granted elevated access and confirm it is for a legitimate purpose.
- The system administrator should ensure that the access provided is limited to the minimum level required for the task to prevent unnecessary exposure.
Audit / evidence tips
- Ask: How do you ensure that administrative access is granted only temporarily?
  Good: Logs show each request is tied to a specific task and has been approved for a set duration by a manager.
- Ask: How do you check if all elevated access rights are appropriately revoked after use?
  Good: System settings show automatic expiration of elevated access after task completion or within a set timeframe.
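The audit checks above, run as a script over exported elevation records. This is an added example, not part of the original page or of any product's code; the record field names, the sample data, the self-approval check and the four-hour ceiling are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: policy ceiling for one elevation; the page does not set a figure.
MAX_WINDOW = timedelta(hours=4)

def audit_grants(grants, now, max_window=MAX_WINDOW):
    """Return {grant_id: [findings]} for records that fail the audit checks."""
    findings = {}
    for g in grants:
        issues = []
        if not g.get("task_ref"):
            issues.append("no task reference")
        approver = g.get("approved_by")
        if not approver:
            issues.append("no approver recorded")
        elif approver == g["account"]:
            # Assumption: a requester approving their own elevation is a finding.
            issues.append("self-approved")
        expires = g["expires_at"]
        if expires - g["granted_at"] > max_window:
            issues.append("window exceeds policy maximum")
        revoked = g.get("revoked_at")
        # Elevation must end at or before expiry; None means still active.
        if revoked is None and now > expires:
            issues.append("still active after expiry")
        elif revoked is not None and revoked > expires:
            issues.append("revoked after expiry")
        if issues:
            findings[g["id"]] = issues
    return findings

def ts(hour, minute=0):
    """Build a UTC timestamp on the constructed sample day."""
    return datetime(2026, 1, 5, hour, minute, tzinfo=timezone.utc)

# Constructed sample records (hypothetical field names and values).
SAMPLE_GRANTS = [
    {"id": "G1", "account": "adm-alice", "task_ref": "CHG-1001", "approved_by": "mgr-bob",
     "granted_at": ts(9), "expires_at": ts(10), "revoked_at": ts(9, 40)},
    {"id": "G2", "account": "adm-carol", "task_ref": "", "approved_by": "adm-carol",
     "granted_at": ts(8), "expires_at": ts(20), "revoked_at": None},
    {"id": "G3", "account": "adm-dave", "task_ref": "CHG-1002", "approved_by": "mgr-bob",
     "granted_at": ts(9), "expires_at": ts(11), "revoked_at": None},
]

if __name__ == "__main__":
    for gid, issues in audit_grants(SAMPLE_GRANTS, now=ts(12)).items():
        print(gid, "->", "; ".join(issues))
```

Each finding maps to one of the "Good" evidence statements: task linkage and approval for the first, expiry and revocation for the second.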
Cross-framework mappings
How E8-RA-ML3.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.18 | E8-RA-ML3.3 requires implementing just-in-time administration so privileged access is only granted when required and expires after a limi... | |
| Annex A 8.2 | E8-RA-ML3.3 requires JIT administration, a specific method for controlling the allocation and use of privileged access by making it time-... | |
| Supports (2) | | |
| Annex A 8.4 | Annex A 8.4 requires organisations to appropriately manage read and write access to source code, development tools and software libraries | |
| Annex A 8.18 | Annex A 8.18 requires restricting and tightly controlling utilities capable of overriding controls, which implies limiting standing admin... | |
| Related (1) | | |
| Annex A 5.15 | Annex A 5.15 requires rules and procedures to control access to information and systems based on business and security requirements | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-0445 | ISM-0445 requires privileged users to be issued a dedicated privileged account used only for privileged duties | |
| ISM-1508 | E8-RA-ML3.3 requires JIT administration so privileged access is only granted when required and for limited durations | |
| Supports (10) | | |
| ISM-0441 | E8-RA-ML3.3 requires organisations to grant administrative access only when needed and for limited periods via just-in-time administration | |
| ISM-1006 | ISM-1006 requires security measures to prevent unauthorised access to network management traffic | |
| ISM-1387 | ISM-1387 requires that administrative activities are conducted through jump servers | |
| ISM-1604 | ISM-1604 requires the virtualisation/isolation mechanism to be hardened by removing unneeded functionality and restricting access to the ... | |
| ISM-1688 | E8-RA-ML3.3 requires just-in-time (JIT) administration so privileged access is only granted when needed and for limited periods | |
| ISM-1835 | E8-RA-ML3.3 requires JIT administration so privileged access is only active for short periods when administering systems and applications | |
| ISM-1852 | ISM-1852 requires unprivileged access to systems and resources to be limited to only what is needed for duties | |
| ISM-1927 | ISM-1927 requires limiting access to key Microsoft identity servers (AD DS/CS/FS and Entra Connect) to privileged users who need it | |
| ISM-1939 | ISM-1939 requires that organisations minimise the number of accounts in highly privileged groups (e.g | |
| ISM-1948 | ISM-1948 requires an explicit CA Certificate Manager approval step before enabling SAN-supplying certificate templates in AD CS | |
| Related (1) | | |
| ISM-1649 | E8-RA-ML3.3 requires just-in-time (JIT) administration to be used when administering systems and applications, limiting high-level access... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.