# Just-Enough-Access (JEA) Patterns

One-sentence definition: Constrain what an elevated user can do to only the commands/tasks required.

## Key Facts

- Command whitelists; role-scoped permissions; session recording.
- Deny interactive shells where possible; expose task-based interfaces.
- Pair with JIT and SoD; audit every elevation event.
- Test least privilege regularly to avoid drift/over-broad grants.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose JEA to reduce the blast radius of admin sessions.

**Mnemonic:** “**Enough** and no more.”

## Mini Scenario

Q: Helpdesk needs password reset but not group edits—solution?

A: JEA role enabling reset-only commands.

## Revision Checklist

- Two enforcement methods.
- Link with JIT.
- Audit requirement.

## Related

[[Privileged Access Management (PAM) and JIT JEA]] · [[Least Privilege and Separation of Duties]] · [[Entitlement Management and SoD Conflicts]] · [[Access Reviews and Certification (IGA)]] · [[IdP Hardening and High Availability]] · [[Domain 5 - Index]]