Configure temporary access in Lightrun¶

^{Required roles: Company Admin | Group Admin}

The Lightrun Temporary Access feature allows administrators to generate temporary time-bound permissions for accessing sensitive agent pools for predetermined periods. Temporary access provides an "as-needed" mechanism to grant time-limited access for specific users, which is useful for developers needing short-term access, such as on-call production support. Applying temporary access protects production environments while providing developers the agility they need to resolve critical issues or support customer needs promptly.

Temporary access is valuable for organizations with policies and regulations that restrict access to sensitive environments as it ensures permissions are granted only for the minimal necessary period. This capability allows these companies to automate the provision of elevated permissions and manage them with existing processes and systems external to Lightrun.

Lightrun supports the following methods for configuring temporary access:

• Configure temporary access in the Lightrun Management Portal

• Configure temporary Access using Lightrun REST API

  Note that temporary access instances created using the REST API will automatically appear in the Temporary Access page in the Lightrun Management Portal.

Rules and guidelines¶

• User roles: Roles assigned on the user level determine what users can do in the temporary access instance.

• User limit: Up to 50 users can be granted temporary access in a single grant.

• Number of concurrent grants: A maximum of 100 concurrent temporary access grants are allowed simultaneously. Requests exceeding this limit will be denied.

• Access expiration period: Access rights should be time-bound, ensuring they are automatically revoked once no longer needed. Temporary access can be granted for a period of up to 31 days. Requests for a longer time period will be denied.

• Agent Pool limit per grant: A single temporary access session can grant access to a maximum of 20 agent pools.

• Users cannot be removed from an active temporary instance. To exclude specific users, delete the instance and recreate it without including those users.

Prerequisites¶

Do the following before configuring temporary access:

1. RBAC Security: Ensure that Role-Based Access Control (RBAC) features are enabled on your platform.

2. Agent Pools: Create the necessary agent pools for your engineering groups, as they will be used for debugging.

3. Agent Pool ID: You will need the Agent Pool ID when setting temporary access on agent pools.

   To retrieve the Agent Pool IDs, run the Get api/v1/agent-pool command to get a list of all agent pools.

4. Ensure that the users are listed in the User Management page prior to granting temporary access. For more information, see Manage Users.

Configure a temporary access instance¶

1. Log in to your Lightrun account.
2. Click Settings in the Lightrun Management Portal menu bar.

3. Navigate to Identity and Access Management > Temporary Access.

   The Temporary Access page opens.

   

4. Click + Grant new temp access.

   The Temporary Access dialog opens.

   

5. In the Name field, provide an intuitive name for the temp access instance to help you identify and keep track. For example include the user name and expiration time or date.

6. In the Expiration field, set the expiration time of the temporary access instance. You can define it in Days, Hours, or use Custom. The Custom option lets you specify an exact expiration date and time.

7. Select the Allows members to ignore quota checkbox to let users to override ignore quota limits set on the Lightrun agent.

8. In the Agent Pools tab, click +Add.

   The Add Agent Pool dialog opens.

   

9. In the Add users field, click +Add.

   

   Tip: Use the search if you have many users in your organization.

10. Click Save.

Delete a temporary access instance¶

An active temporary Access instance cannot be modified. We recommend deleting the active temporary Access instance in the Lightrun Management Portal and then recreate it.

1. Log in to your Lightrun account.
2. Click Settings in the Lightrun Management Portal submenu.

3. Navigate to Identity and Access Management > Temporary Access.

   The list of active Temp Access instances is displayed.

   

4. From the list, select an instance to be deleted. For example, Staging.

   

5. Click Delete temporary access.

   The Temporary Access instance will be removed from the list.

Configure temporary access using the Lightrun REST API¶

The following temporary access REST APIs are supported and are described in detail in the Lightrun REST API:

• Grant temporary access REST API: Grants temporary access to a specific agent pool for the specified period of time.

• Revoke temporary access REST API: Revokes JIT access to an agent pool.

• Get temporary access List REST API: Retrieves a list of all active JIT accesses currently set in the organization.

To learn more about the Lightrun REST API conventions, see Lightrun public REST API.