[GH-ISSUE #5024] [Feature Request]: Easier auditing for JiT Admin usage #2384

Closed
opened 2026-03-02 13:51:52 +03:00 by kerem · 2 comments

Originally created by @mruiterhype on GitHub (Nov 28, 2025).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/5024

Please confirm:

  • I have searched existing feature requests (open and closed) and found no duplicates.
  • me or my organization is currently an active sponsor of the product at the $99,- level.

Problem Statement

Since we moved away from global admin accounts and started using GDAP for client management, our support technicians rely on JiT (Just-in-Time) admin roles to fill the gaps GDAP leaves. The challenge is auditing these JiT admin assignments.
Right now, we use the logbook to filter and report which JiT admins were created, why (the “Reason” field), for whom, and for how long. This process is time-consuming because our ISO Security Officer has to set up the same filters every time to review last month’s JiT admins.
Alternatively, we can check JiT deletion tasks in the scheduler, but that doesn’t show the reason or timeframe. Plus, a user could delete the task after creation, and we’d never know unless we also check the logbook.

In short: auditing JiT admin usage is manual, repetitive, and prone to gaps.

Suggested Implementation

  • Add a JiT Admin Report under the Reports section in Identity Management.
  • Or, add a filter on the JiT Admin page to list JiT admins created in the past 30 days, including:
    • Reason
    • Timeframe
    • Who created it
  • Bonus: Provide a Get-JitAdmins function so MSPs can automate sending these reports to their security teams.

Benefits for MSPs

  • Reduces manual work: No more repetitive filtering in the logbook or cross-checking multiple places.
  • Improves security: Makes it easier to track temporary elevated permissions and ensure compliance.
  • Adds clarity: A dedicated report or filter would give MSPs a clear overview of JiT admin activity.
  • Supports automation: If exposed via a function like Get-JitAdmins, MSPs could schedule reports and send them automatically to security officers.

Sponsoring via https://github.com/hypecipp

Value or Importance

This feature is highly valuable for MSPs focused on security and compliance. JiT admin roles are powerful, and auditing their use is critical for ISO and internal security reviews.
Right now, the process is inefficient and error-prone. A dedicated JiT admin report or filter would save significant time, reduce risk, and make audits much smoother. Even if implemented as a simple filter it would add notable value.

PowerShell Commands (Optional)

No response
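
The reconciliation described in the Problem Statement (logbook creation entries from the past 30 days, checked against the removal tasks still present in the scheduler), as an added PowerShell example that is not part of the original issue or of CIPP's code. The function name `Get-JitAdminAuditReport`, every column name and the sample rows are constructed for illustration and are not CIPP's logbook or scheduler schema.

```powershell
# Added example. Column names and sample rows are constructed, not CIPP's schema.
function Get-JitAdminAuditReport {
    param(
        [Parameter(Mandatory)] [object[]] $LogEntries,   # exported logbook rows
        [object[]] $ScheduledTasks = @(),                # removal tasks still scheduled
        [int] $Days = 30,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$Days)
    $pending = @{}
    foreach ($task in $ScheduledTasks) { $pending[$task.TargetUser] = $true }

    foreach ($entry in $LogEntries) {
        if ($entry.Action -ne 'JitAdminCreated') { continue }
        $created = [datetime]$entry.Timestamp
        $expires = [datetime]$entry.ExpiresAt
        if ($created -lt $cutoff) { continue }
        # A grant that has not expired yet should still have its removal task.
        if ($expires -le $Now) {
            $status = 'Expired'
        } elseif ($pending.ContainsKey($entry.TargetUser)) {
            $status = 'Active'
        } else {
            $status = 'RemovalTaskMissing'
        }
        [pscustomobject]@{
            Tenant = $entry.Tenant; JitAdmin = $entry.TargetUser
            CreatedBy = $entry.CreatedBy; Reason = $entry.Reason
            Start = $created; End = $expires
            Hours = [math]::Round(($expires - $created).TotalHours, 1)
            Status = $status
        }
    }
}

# Constructed sample data standing in for a logbook export and the scheduler list.
$log = @'
Timestamp,Action,Tenant,TargetUser,CreatedBy,Reason,ExpiresAt
2025-11-27T09:00:00,JitAdminCreated,contoso.example,jit-a@contoso.example,tech1@msp.example,Ticket 1001,2025-11-29T09:00:00
2025-11-27T15:00:00,JitAdminCreated,fabrikam.example,jit-b@fabrikam.example,tech2@msp.example,Ticket 1002,2025-11-30T15:00:00
2025-11-10T08:00:00,JitAdminCreated,contoso.example,jit-c@contoso.example,tech1@msp.example,Ticket 0950,2025-11-10T12:00:00
2025-11-26T10:00:00,UserPasswordReset,contoso.example,user@contoso.example,tech2@msp.example,,
2025-09-01T08:00:00,JitAdminCreated,contoso.example,jit-d@contoso.example,tech1@msp.example,Ticket 0700,2025-09-01T16:00:00
'@ | ConvertFrom-Csv
$tasks = "TargetUser`njit-a@contoso.example" | ConvertFrom-Csv

Get-JitAdminAuditReport -LogEntries $log -ScheduledTasks $tasks -Now ([datetime]'2025-11-28T12:00:00') |
    Format-Table JitAdmin, CreatedBy, Reason, Hours, Status
```

A `RemovalTaskMissing` row is an unexpired grant whose scheduled removal is no longer in the task list, which is the case the issue says goes unnoticed unless the logbook is also checked.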


@github-actions[bot] commented on GitHub (Dec 8, 2025):

This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.


@KelvinTegelaar commented on GitHub (Dec 13, 2025):

added in dev
