{"slug":"just-in-time-access","title":"Just-in-time access","tags":["tailscale","access-control"],"agent_summary":"Last validated: May 2, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Just-in-time access\r\n\r\nLast validated: May 2, 2025\r\n\r\nTailscale provides several ways for you to provide just-in-time (JIT) access to resources in your Tailscale network (known as a tailnet). For example, you can provide an appropriate level of access to an engineer for a limited amount of time so they can perform maintenance on a server.\r\n\r\nJIT access works in conjunction with access control policies to determine access for users and devices in your tailnet. You manage access control policies in the [tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file). For JIT access, you use automation to provide access to someone for a limited time, allowing them to perform a task. There are a few ways to achieve this.\r\n\r\n## [Provide just-in-time access](https://tailscale.com/docs/features/access-control/just-in-time-access\\#provide-just-in-time-access)\r\n\r\nTailscale lets you manage JIT access to network resources based on device posture attributes, which are key-value pairs of data attached to devices that can be used as part of the tailnet policy file.\r\n\r\n[**Use device posture for just-in-time access** \\\\\r\n\\\\\r\nUse device posture for just-in-time access to resources in your tailnet.](https://tailscale.com/docs/features/tailscale-accessbot-jit)\r\n\r\nTailscale partners with other companies for JIT access workflow integrations.\r\n\r\n[**Third-party integrations for JIT access** \\\\\r\n\\\\\r\nUse third-party integrations for just-in-time access, also known as on-demand access, to your Tailscale network.](https://tailscale.com/docs/integrations/jit-access)\r\n\r\nThe Tailscale API lets you manage tailnet policy files, including for JIT access. For details, refer to the [Policy File](https://tailscale.com/api#tag/policyfile) section in the Tailscale API documentation.\r\n\r\n[**Tailscale API** \\\\\r\n\\\\\r\nExplore the Tailscale application programming interface (API).](https://tailscale.com/docs/reference/tailscale-api)\r\n\r\nTailscale lets you manage access to network resources based on [group membership](https://tailscale.com/docs/features/user-group-provisioning#syncing-group-membership) by syncing groups from SCIM-integrated identity providers to Tailscale.\r\n\r\n[**Supported SSO identity providers** \\\\\r\n\\\\\r\nTailscale works on top of the IdP or SSO provider you already use. Leverage the capabilities of these providers for secure access, including passkeys, 2FA, and MFA.](https://tailscale.com/docs/integrations/identity)\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Just-in-time access</h1>\n<p>Last validated: May 2, 2025</p>\n<p>Tailscale provides several ways for you to provide just-in-time (JIT) access to resources in your Tailscale network (known as a tailnet). For example, you can provide an appropriate level of access to an engineer for a limited amount of time so they can perform maintenance on a server.</p>\n<p>JIT access works in conjunction with access control policies to determine access for users and devices in your tailnet. You manage access control policies in the <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file</a>. For JIT access, you use automation to provide access to someone for a limited time, allowing them to perform a task. There are a few ways to achieve this.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/just-in-time-access#provide-just-in-time-access\">Provide just-in-time access</a></h2>\n<p>Tailscale lets you manage JIT access to network resources based on device posture attributes, which are key-value pairs of data attached to devices that can be used as part of the tailnet policy file.</p>\n<p><a href=\"https://tailscale.com/docs/features/tailscale-accessbot-jit\"><strong>Use device posture for just-in-time access</strong> \\\r\n\\\r\nUse device posture for just-in-time access to resources in your tailnet.</a></p>\n<p>Tailscale partners with other companies for JIT access workflow integrations.</p>\n<p><a href=\"https://tailscale.com/docs/integrations/jit-access\"><strong>Third-party integrations for JIT access</strong> \\\r\n\\\r\nUse third-party integrations for just-in-time access, also known as on-demand access, to your Tailscale network.</a></p>\n<p>The Tailscale API lets you manage tailnet policy files, including for JIT access. For details, refer to the <a href=\"https://tailscale.com/api#tag/policyfile\">Policy File</a> section in the Tailscale API documentation.</p>\n<p><a href=\"https://tailscale.com/docs/reference/tailscale-api\"><strong>Tailscale API</strong> \\\r\n\\\r\nExplore the Tailscale application programming interface (API).</a></p>\n<p>Tailscale lets you manage access to network resources based on <a href=\"https://tailscale.com/docs/features/user-group-provisioning#syncing-group-membership\">group membership</a> by syncing groups from SCIM-integrated identity providers to Tailscale.</p>\n<p><a href=\"https://tailscale.com/docs/integrations/identity\"><strong>Supported SSO identity providers</strong> \\\r\n\\\r\nTailscale works on top of the IdP or SSO provider you already use. Leverage the capabilities of these providers for secure access, including passkeys, 2FA, and MFA.</a></p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}