managing twingate

Quick Start

Automated Deployment

Connectors

Resources

Remote Networks

Best Practices

JIT Access Requests

Usage-based Auto-lock

Ephemeral Access

Resource Tags

Aliases

Kubernetes

Route Traffic from Kubernetes

Manage Kubernetes using kubectl

Private Resources in Kubernetes

Publicly Exposed Resources in Kubernetes

Privileged Access for Kubernetes

Team

Users

Admins

How to Offboard Users

Social Logins

Groups

Identity Providers

Entra ID Configuration

Google Workspace Configuration

JumpCloud Configuration

Keycloak Configuration

Okta Configuration

OneLogin Configuration

SCIM Provisioning API

Security Policies

Location requirements via geoblocking

Security Policies: Migration Guide

Policy Guides

Authentication

Device-only Resource Policies

Trusted Devices

Two-Factor Authentication

Devices

Client Application

Endpoint Requirements

Using Twingate

Managed Devices

Windows Client Migration to .NET 8

macOS & iOS

macOS standalone Client

Windows Managed Devices

Device Administration

1Password XAM Configuration

CrowdStrike Configuration

Device Security Posture Checks

Device Security Guide

Intune Configuration

Jamf Configuration

Kandji Configuration

Linux device ID migration

Manually Verified Devices

SentinelOne Configuration

Services

Headless Clients

Linux Headless Mode

Windows Headless Mode

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Admin Console Export

Audit Logs Schema

Network Traffic

Detailed Network Event Schemas

Network Events Admin Console Export

User Activity

Device Report

Syncing Data to AWS S3

Internet Security

Browser Security

NextDNS Integration

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Customer Network

MSP Billing

Cancel Your Subscription

Notifications

Troubleshooting

Device Failures

DNS Failures

Connector Failures

Firewall Failures

Split Tunnel Failures

additional resources

Help Center ↗

Need help?

Troubleshooting

Changelog

FAQ

Twingate Trust Center

Twingate & Customer Data

DORA Compliance

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

JIT Access Requests

JIT Access Requests allow enabling an audited, just-in-time access workflow to either all or specific Groups assigned to a Resource. The typical use case for this is to audit and limit access to sensitive Resources that should only ever require temporary access. Access requests may either be auto-approved or require explit approval from an approver.

User experience

When Access Requests are enabled for a Group’s assignment to a Resource, Users in that Group will see that they have access to the Resource in the Client. The Resource state will initially be locked, meaning that the User will not be able to access the Resource until access is approved.

Users may request access either by simply accessing the Resource address or selecting “Authenticate” from the Resource’s submenu in the Client. This will trigger loading an access request page in the browser. An example is shown below.

If auto-approval is enabled, Users will be able to access the Resource immediately after submitting their request. If approval is required, the User will receive a notification via email once an Admin or an Access Reviewer has either approved or denied the request.

Configuring Access Requests

Access Requests can be configured both at the Resource level and within specific Group assignments. If configured at the level of the Resource, this becomes the default, inherited access method for all Group assignments. Inidivudal assignments may be overridden.

Below is an example from the Resource detail page showing a default configuration for a Resource for 12-hour access periods with auto-approval.

When configuring Access Requests, the following options are available:

The access period granted for successful requests
The approval method

The screenshot below shows enabling Access Requests at a Resource level:

The access period must next be chosen. If one of the preset options is chosen, all Access Requests will be granted for the configured time period. If “Custom Request” is chosen, Users will be able to request a specific time period at the time of making an Access Request. Any time period up to 7 days is allowed. These options are shown below:

Lastly, an approval method must be chosen. If approval is required, an Admin or Access Reviewer must approve any requests. If “Auto Approval” is chosen, Users may approve themselves, but must supply a reason for access. These are options are shown below:

Tracking Access

To see configuration details and the current status of Users’ access, you can download a summary from the Resource, Group, or User page.

Details are covered on the usage-based access page.

Reviewing Access Requests

Admins and Access Reviewers may view and approve Access Requests for any Resource. Depending on notification configuration, they may receive an email notification or notification in another channel via webhook configuration. Requests may also be reviewed from either the User or Resource pages, or via the notification bell at the top right of the Admin Console page.

Details are covered on the usage-based access page.

Last updated 14 minutes ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

Introduction to DNS

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Encryption in Twingate

API

Getting Started with the API

Exploring the APIs

Introduction to tg CLI (JavaScript)

Introduction to the Python CLI

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Aptible

How to Deploy a Connector on AWS

How to Deploy a Connector on Azure

How to Deploy a Connector on Linux

How to Deploy a Connector on GCP

K8s Helm Chart

Managed Connectors

Updating Connectors

How to Upgrade Connectors Running in AWS/Azure/Docker Containers

K8s Helm Chart Upgrades

Systemd Service Upgrades

Advanced Connector Management

Connector Details

Connector Health Checks

Connector Metadata

Real-time Connection Logs

Deployment Automation

Supporting Unqualified Domain Names

Resources

Remote Networks

Best Practices

JIT Access Requests

Usage-based Auto-lock

Ephemeral Access

Resource Tags

Aliases

Kubernetes

Route Traffic from Kubernetes

Manage Kubernetes using kubectl

Private Resources in Kubernetes

Publicly Exposed Resources in Kubernetes

Privileged Access for Kubernetes

Team

Users

Admins

How to Offboard Users

Social Logins

Groups

Identity Providers

Entra ID Configuration

Google Workspace Configuration

JumpCloud Configuration

Keycloak Configuration

Okta Configuration

OneLogin Configuration

SCIM Provisioning API

Security Policies