> ## Documentation Index
> Fetch the complete documentation index at: https://docs.repacket.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Just-in-Time Exceptions

> Allow temporary access to blocked categories when needed

<Note>
  Just-in-Time (JIT) Exceptions provide a flexible way to grant temporary access to blocked resources while maintaining security policies.
</Note>

## Overview

Just-in-Time Exceptions allow users to request temporary access to websites or [categories](/config/categories) that are blocked by your [Firewall rules](/modules/firewall). This feature provides a balance between security and productivity, enabling legitimate business needs while maintaining your organization's security posture.

<CardGroup cols={2}>
  <Card title="User-Initiated Requests" icon="user-plus" color="#07edb5">
    Users can request temporary access directly from the block page
  </Card>

  <Card title="Time-Limited Access" icon="hourglass" color="#07edb5">
    Exceptions automatically expire after a configured duration
  </Card>

  <Card title="Administrator Review" icon="user-shield" color="#07edb5">
    Admins can review, approve, or deny exception requests
  </Card>

  <Card title="Audit Trail" icon="file-lines" color="#07edb5">
    All exception requests and approvals are logged for compliance
  </Card>
</CardGroup>

## How It Works

Just-in-Time Exceptions provide a workflow for users to request temporary access to blocked resources. The process involves:

1. **Configuration**: Administrators enable exception requests in [Firewall rules](/modules/firewall)
2. **User Request**: Users encounter a block and can request an exception with a business justification
3. **Administrator Review**: Requests appear in the admin dashboard for review
4. **Temporary Access**: Approved exceptions grant access to the blocked resource

## User Experience: Requesting Exceptions

When users encounter a blocked website or [category](/config/categories), they see a block page with an option to request an exception. Users can click to request temporary access and provide a business justification for their request.

<Frame>
  <img src="https://mintcdn.com/repacket/HqLisnV_GzF7RKCn/images/exception-request-block.png?fit=max&auto=format&n=HqLisnV_GzF7RKCn&q=85&s=e381d8e1e445fc847a2302922d89b68c" alt="" width="1190" height="616" data-path="images/exception-request-block.png" />
</Frame>

### How Users Request Exceptions

1. **User encounters a block**: When a [Firewall rule](/modules/firewall) blocks access, users see the block page
2. **Request exception**: Users click the "Request Access" button on the block page
3. **Provide justification**: Users can optionally provide a business justification explaining why they need access
4. **Submit request**: The request is submitted and appears in the admin dashboard for review

## Managing Exception Requests

Administrators can review and manage exception requests from the [Exceptions dashboard](https://app.repacket.com/gateway#exceptions). The table displays all exception requests with their current status, and clicking on a request opens a panel where you can review details and take action.

The exception request table shows all requests that have been approved, denied, or are ready for review:

<Frame>
  <img src="https://mintcdn.com/repacket/HqLisnV_GzF7RKCn/images/exception-request-table.png?fit=max&auto=format&n=HqLisnV_GzF7RKCn&q=85&s=bde351bb199b715a30f041f89728bb35" alt="" width="2524" height="674" data-path="images/exception-request-table.png" />
</Frame>

Clicking on any request in the table opens a details panel where you can review the request and take action to approve or deny it:

<Frame>
  <img src="https://mintcdn.com/repacket/HqLisnV_GzF7RKCn/images/exception-request-form.png?fit=max&auto=format&n=HqLisnV_GzF7RKCn&q=85&s=aa93b7fb46426334aa96029c164fd601" alt="" width="2204" height="1618" data-path="images/exception-request-form.png" />
</Frame>

<Steps>
  <Step title="Navigate to Exceptions">
    Go to the [Gateway section](https://app.repacket.com/gateway#exceptions) in your Repacket dashboard and select the "Exceptions" tab.
  </Step>

  <Step title="View exception requests">
    The table displays all exception requests showing:

    * User who made the request
    * Requested resource (domain or category)
    * Status (Pending, Approved, Denied)
    * Timestamp
    * Business justification (if provided)
  </Step>

  <Step title="Review request details">
    Click on any exception request in the table to open the details panel. The panel shows complete information about the request, including the user, resource, category, justification, and timestamp.
  </Step>

  <Step title="Approve or deny requests">
    From the details panel, you can:

    * **Approve**: Approve the request with a custom duration. Set how long the exception should last (e.g., 1 hour, 4 hours, 1 day)
    * **Deny**: Deny requests that don't meet your security policy
  </Step>

  <Step title="Monitor active exceptions">
    View all active exceptions and their expiration times to track temporary access across your organization. Active exceptions are automatically removed when they expire.
  </Step>
</Steps>

## Best Practices

<AccordionGroup>
  <Accordion title="Require Business Justification">
    Configure JIT exceptions to require users to provide a business justification when requesting access. This helps administrators make informed decisions and creates an audit trail.
  </Accordion>

  <Accordion title="Set Appropriate Durations">
    Use shorter durations (1-4 hours) for high-risk [categories](/config/categories) and longer durations (1 day) for lower-risk [categories](/config/categories) that may have legitimate business uses.
  </Accordion>

  <Accordion title="Review Exception Patterns">
    Regularly review exception requests to identify patterns. If certain [categories](/config/categories) or domains are frequently requested, consider creating permanent exceptions or adjusting your [Firewall rules](/modules/firewall).
  </Accordion>

  <Accordion title="Use Role-Based Auto-Approval">
    For trusted user groups or low-risk [categories](/config/categories), consider enabling auto-approval to reduce administrative overhead while maintaining security.
  </Accordion>

  <Accordion title="Monitor Exception Usage">
    Track which users and groups request the most exceptions to identify training opportunities or policy adjustments.
  </Accordion>
</AccordionGroup>

## Related Features

<CardGroup cols={2}>
  <Card title="Firewall" icon="filter" href="/modules/firewall">
    Control internet access with granular access rules
  </Card>

  <Card title="User Management" icon="users" href="/config/entities">
    Manage users and groups for exception handling
  </Card>

  <Card title="Custom Categories" icon="folder-plus" href="/config/categories">
    Create your own categories for more granular control
  </Card>

  <Card title="Protections" icon="shield-halved" href="/modules/protections">
    Layer additional security protections on top of [firewall rules](/modules/firewall)
  </Card>
</CardGroup>

## Exception Rules Table

The Exception Rules table provides a comprehensive view of all exception requests and their current status. This table helps administrators track which denied requests are still active and monitor the overall exception landscape across your organization.

<Frame>
  <img src="https://mintcdn.com/repacket/HqLisnV_GzF7RKCn/images/exception-rules.png?fit=max&auto=format&n=HqLisnV_GzF7RKCn&q=85&s=d9a461ef6936daaef60b37c617e819f9" alt="" width="2656" height="676" data-path="images/exception-rules.png" />
</Frame>

The Exception Rules table displays:

* **Request Details**: User, requested resource, category, and business justification
* **Status**: Current status of each exception request (Pending, Approved, Denied)
* **Timestamps**: When requests were made and last updated
* **Active Exceptions**: Shows which denied requests are still active and need attention

Use this table to:

* Review all exception requests in one place
* Identify which denied requests remain active
* Monitor exception patterns and trends
* Track the lifecycle of exception requests from submission to expiration
