Thand Agent Documentation

Open-source distributed privileged access management (PAM) and just-in-time (JIT) access to cloud infrastructure, SaaS applications and local systems.



What is Thand?

Thand eliminates standing access to critical infrastructure and SaaS apps. Instead of permanent admin rights, users request access when needed, for only as long as needed. The Thand server is extensible, customisable and easy to deploy as a standalone service. Thand is completely decentralized - there is no single point of failure or trust.

The Security Crisis

  • Static credentials get leaked: API keys in repos, AWS keys in logs, service account keys shared in Slack
  • Over-privileged users: 90% of permissions are unused, but remain active attack vectors
  • Automatic grants: Users are often granted access without understanding the implications
  • Lack of visibility: No clear audit trail of who accessed what, when, and why
  • Persistent threats: Users with admin access can maintain access indefinitely

The Thand Solution

  • Zero standing privileges: No permanent admin access anywhere
  • No static credentials: All access is temporary and tied to your identity
  • Just-in-time permissions: Request the access you need, when you need it - and lose it once you’re done
  • Complete audit trail: Every access request and action logged for compliance

Quick Start

Get up and running with Thand in just a few steps. If you are ready to request access then simply install the Agent. Otherwise, follow the guides to configure and deploy Thand for your infrastructure.

  1. Install the Agent - Download and install the Thand Agent
  2. Deploy Thand Server - Set up Thand for your infrastructure
  3. Request Access - Make your first access request

Architecture Overview

The Thand architecture breaks down into three components:

---
config:
  layout: dagre
---
flowchart TD
 subgraph YM["Your Machine"]
        Agent["Thand Agent"]
  end
 subgraph YI["Your Infrastructure"]
        ThandServer["Thand Server"]
        AWS["AWS Agent"]
        GCP["GCP Agent"]
        Azure["Azure Agent"]
  end
 subgraph ThandCloud["Thand Cloud (Optional)"]
        Thand["Thand Cloud"]
  end
    Agent -. HTTPS .-> ThandCloud & ThandServer
    ThandServer -. GRPC .-> Temporal["Temporal"]
    Thand -. HTTPS .-> Temporal
    Temporal -. GRPC .-> AWS & GCP & Azure

  • Agent: Runs on the user’s local machine, provides session management and local callback endpoints
  • Server: Forms a “login server” to allow CLIs and other clients to request and be granted elevations
  • Cloud: Thand’s proprietary cloud service that orchestrates all your servers and agents (optional)

License

Thand is licensed under the BSL 1.1 license. See LICENSE.md for more details.