What is a one-sentence summary of your feature request?
Allow ephemeral (JIT) accounts created via NPS to inherit or map to Endpoint Protector groups for proper access control during elevated sessions.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
The customer is transitioning away from persistent AD admin accounts and adopting a security model based on ephemeral (just-in-time) accounts created through Netwrix Privilege Secure.
However, Endpoint Protector currently relies on static user/group structures and manual LDAP synchronization, which prevents ephemeral accounts from being recognized or mapped to appropriate access control groups.
The customer’s goal is to ensure that when a technician temporarily elevates privileges using an ephemeral account, that account automatically inherits the correct permissions in Endpoint Protector (e.g., based on role or predefined group mapping).
Without this capability, there is no consistent way to enforce endpoint security policies for users operating under ephemeral accounts, creating a disconnect between identity management (NPS) and endpoint control (EPP).
Given both solutions are part of the Netwrix portfolio, the expectation is tighter integration that allows dynamic account recognition and group-based policy enforcement across products.
How do you currently solve the challenges you have by not having this feature?
The customer must maintain persistent AD admin accounts to ensure compatibility with Endpoint Protector, even after implementing PAM for ephemeral access.
This undermines their security strategy by:
- Increasing attack surface
- Preventing full adoption of just-in-time access
- Creating parallel account management overhead