Support mapping of PAM ephemeral accounts to Endpoint Protector groups

What is a one sentence summary of your feature request?

Allow ephemeral (JIT) accounts created via NPS to inherit or map to Endpoint Protector groups for proper access control during elevated sessions.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

The customer is transitioning away from persistent AD admin accounts and adopting a security model based on ephemeral (just-in-time) accounts created through Netwrix Privilege Secure.
However, Endpoint Protector currently relies on static user/group structures and manual LDAP synchronization, which prevents ephemeral accounts from being recognized or mapped to appropriate access control groups.
The customer’s goal is to ensure that when a technician temporarily elevates privileges using an ephemeral account, that account automatically inherits the correct permissions in Endpoint Protector (e.g., based on role or predefined group mapping).
Without this capability, there is no consistent way to enforce endpoint security policies for users operating under ephemeral accounts, creating a disconnect between identity management (NPS) and endpoint control (EPP).
Given both solutions are part of the Netwrix portfolio, the expectation is tighter integration that allows dynamic account recognition and group-based policy enforcement across products.

How do you currently solve the challenges you have by not having this feature?

The customer must maintain persistent AD admin accounts to ensure compatibility with Endpoint Protector, even after implementing PAM for ephemeral access.
This undermines their security strategy by:
- Increasing attack surface
- Preventing full adoption of just-in-time access
- Creating parallel account management overhead

Hello Maciej,

Thank you for taking the time to share your feature request!

Please allow us to carefully review this scenario with our team and provide a response as soon as it’s available. If there are additional details required from your side—we will let you know.

However, be informed that getting back with an update might take a while. Thank you for the patience!

Regards,
Simona


Hi Maciej,

Thanks for putting this together. I think this is a valid request.

The customer is essentially asking for Endpoint Protector to recognize short-lived identities created during a Privilege Secure session and apply the right EPP permissions at that moment, without forcing them to keep persistent admin accounts around. That is a meaningful integration gap rather than a small product tweak.

We’ve looked at this area before, and supporting it properly would require tighter coordination between Netwrix Privilege Secure and Endpoint Protector around account lifecycle and group mapping during elevated sessions. Because of that, this is not something we expect to address in the near term.

We do see the value, especially for customers trying to move fully to just-in-time access and eliminate persistent privileged accounts. We’ve captured the request and will keep it under review for our longer-term roadmap.

Thanks as well for describing the operational and security impact so clearly — that context is very helpful.

Best,
Mihai
