Just Enough Admin (JEA) Pattern
The pattern: admins get exactly what they need.
What JEA solves
Standing admin privilege is the highest-risk credential pattern. Compromise of one admin account gives total access. JEA replaces standing admin with narrow, time-bounded elevation: each session grants only the permissions needed for the specific task, for the specific duration, with an audit trail.
- Narrow scope. Each elevation grants only what the task needs; the blast radius of a compromise during the elevation is bounded.
- Time-bounded sessions. Sessions expire automatically; standing admin is replaced by on-demand access that lapses on its own.
- Policy plus tooling. Policy: no engineer has standing admin; tooling: a system that grants narrow elevation on request.
- Audit trail by default. Each elevation is logged with its task and duration, which produces evidence for security review.
Scoping elevations
Scope is what makes JEA real. A wide elevation is barely better than standing admin; the discipline is to scope each elevation to the specific task, bound the duration, and tag the elevation with the ticket or incident that justifies it.
- Per-task scopes. Database emergency: that database, not all databases; cluster debugging: that cluster context, not multi-cluster admin.
- Time-bounded. 1-4 hours is typical; the session expires automatically; the engineer requests a new one if more time is needed.
- Audit-tagged. Each elevation links to a ticket, incident, or written justification; the audit trail records why.
- Per-resource scope. Per-database, per-cluster, per-account; the narrow scope is the security primitive.
Approval flow
Approval friction must match the stakes. Routine elevations get peer approval; high-stakes elevations need manager or security; emergencies have a documented break-glass path that logs immediately and is reviewed within 24 hours.
- Routine: peer approval. A teammate confirms the request is legitimate; friction is small, security is meaningful.
- High-stakes: manager or security. Production root, payment systems, customer data; higher stakes, more eyes.
- Emergency override. Documented break-glass procedure; logged immediately to security; reviewed within 24 hours.
- Per-elevation policy. The approval tier is documented per scope class, which supports consistency across teams.
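The scoping and approval rules above expressed as one policy check, added here as an example (it is not code from any of the tools this page names). The scope classes, tier table, field names and the rule that break-glass still needs a written justification are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta

# Assumed policy table (constructed for this example): approval tier per scope class.
TIER_BY_SCOPE_CLASS = {
    "database": "peer",
    "cluster": "peer",
    "production-root": "manager-or-security",
    "payment-system": "manager-or-security",
    "customer-data": "manager-or-security",
}
MAX_DURATION = timedelta(hours=4)  # upper end of the 1-4 hour range in the text

@dataclass
class ElevationRequest:
    requester: str
    scope_class: str          # e.g. "database"
    resource: str             # one named resource, e.g. "orders-db"
    duration: timedelta
    justification: str        # ticket, incident id or written reason
    approver: str = ""
    approver_role: str = ""   # "peer", "manager" or "security"
    break_glass: bool = False

def evaluate(req):
    """Return (decision, reasons); decision is 'grant', 'grant-break-glass' or 'deny'."""
    reasons = []
    tier = TIER_BY_SCOPE_CLASS.get(req.scope_class)
    if tier is None:
        reasons.append("unknown scope class")
    if not req.resource or "*" in req.resource:
        reasons.append("scope must name one resource, not a wildcard")
    if req.duration <= timedelta(0) or req.duration > MAX_DURATION:
        reasons.append("duration outside the allowed window")
    if not req.justification.strip():
        reasons.append("missing ticket, incident or written justification")
    if reasons:
        return "deny", reasons
    if req.break_glass:
        # Emergency path: no wait for an approver, but security is told at once.
        return "grant-break-glass", ["notify security now", "review within 24 hours"]
    if not req.approver or req.approver == req.requester:
        return "deny", ["approval required from someone other than the requester"]
    if tier == "manager-or-security" and req.approver_role not in ("manager", "security"):
        return "deny", ["high-stakes scope needs manager or security approval"]
    return "grant", [f"approved by {req.approver} ({req.approver_role})"]
```

Scope and duration checks run before the approval tier is consulted, so a wildcard or over-long request is denied no matter who approved it.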
Tooling
JEA is only as good as the tooling that grants the elevation. AWS SSO with permission sets, HashiCorp Vault dynamic secrets, and enterprise-grade options like Teleport or BeyondTrust each cover different surfaces; the discipline is to pick one for each surface and standardise.
- AWS SSO with permission sets. Time-bounded sessions via STS AssumeRole; this matches the cloud admin surface.
- HashiCorp Vault dynamic secrets. Vault generates database credentials on demand and revokes them when the session expires.
- Teleport, BeyondTrust, CyberArk. Enterprise options with session recording, centralised audit, automated approval workflows.
- Per-surface standardisation. One tool per surface (cloud, database, infra), which avoids parallel JEA stacks that drift.
Operating JEA
JEA needs operational discipline to stay healthy. New engineers default to no elevations; standing privileges are converted one at a time; elevation request volume is tracked so the workflow stays fast enough for emergencies without becoming a rubber stamp.
- Onboarding default. New engineers default to no elevations; each is a deliberate addition.
- Quarterly review. Standing privileges identified and converted to JEA one at a time; the migration is incremental.
- Track request volume. A routine pattern is healthy; bursts during incidents indicate the workflow is too slow for emergencies.
- Per-team JEA metrics. Elevation count, approval latency, audit coverage; these support continuous improvement of the workflow.