How To Create and Manage Your Just-in-Time (JIT) Elevated Privileged Access


Introduction

Just-in-Time (JIT) Elevated Privileged Access:

  • Elevated privileges allow you to install and modify software and system settings on your Michigan Medicine CoreImage Windows device(s)
  • Approvals are up to the discretion/judgement of your department's Responsible Person
  • Allows a user to obtain Privileged Access on approved device(s)
  • Privileged Access is activated for approved devices for 4 hours at a time
  • Once obtained, a user may activate Privileged Access on demand until the Approval Expiration date
  • JIT Activation is dependent on taking the Cornerstone course. Once the Training Good Through date expires, the user must retake the Cornerstone Learning course
    • Once you get close to your expiration date, you will receive an email from NoReply-MMCornerstone@csod.com with instructions on how to retake the Cornerstone Learning course
  • A user does not require elevated privileged access to install any software that is part of the Michigan Medicine CoreImage. The list of all the approved software can be found here: KB0023347: CoreImage - Application Packages
  • Reimaged devices cause an issue with JIT that needs to be manually fixed. To fix a reimaged device, send a request entitled "Reimaged device fix request" to the Identity and Access Management team

 

Process Overview

[Image: EPM Process - New Overview]

 

Topics:

Requesting New Access

Completing Training

Activating Access

 

Instructions


I. Requesting New Access

When you attempt to elevate privileges on a CoreImage device, you will see the following dialog box.


1. Click on the link to the Michigan Medicine User Profile Page

2. Click the Privileged Access Management tab

3. Click the Request Privileged Access button and fill out the form, including the Device Name and Reason

  • Note: After submitting the request, you may need to manually refresh your screen to see the update.

4. Wait for Approval.

  • Note: All approvals will go to the Responsible Person (RP) of the department (typically the user's Direct Manager). The user should receive an approval e-mail after the RP approves the request. The user can also check the status of their request (pending/approved) via the Michigan Medicine User Profile Page.
  • The Responsible Person (RP) will receive the following e-mail:

         

  • You (the requester) will receive the following email after your department's Responsible Person (RP) approves:

          

 

II. Completing Training

Cornerstone Learning (NoReply-MMCornerstone@csod.com) will send you a notification e-mail stating that the training has been assigned to you, with instructions on how to complete it.

NOTE: The Learning Management System processes these requests overnight, so you will not receive this email until the day after the approval.

III. Activating Access

1. After you have been approved and completed the training, navigate to your Michigan Medicine User Profile Page.

  • Note: It could take a few minutes for your approved assignment to show up after completing the Cornerstone training.
  • Note: You may need to sign on to the Michigan Medicine network (VPN) or be on MFleet to access the User Profile page.

2. Click the Privileged Access Management Tab.

3. Click the blue Activate button to activate for the corresponding Device Name.

Note: If you receive an error similar to "device cannot be found", complete the following:

  • Right-click CyberArk Endpoint Privilege Manager Agent in your system tray.
  • Select Request Settings on the menu.
  • Click the Yes button.
  • Try to activate your admin rights again.

4. Once you have activated your access, you will receive the following dialog box notification.

  • Note: It may take about five minutes after invoking JIT for access to be granted.

5. You will receive the following Windows pop-up message 5 minutes before your access expires.

 

Related Information

KB0014337: Michigan Medicine User Profile Page (UPP)

KB0019350: Request elevated Privilege Management Rights for an individual who does not meet Stated Requirements

KB0019583: Support Process Map for requesting Just in Time (JIT) Elevated Privileged Access