Using PasswordState for JIT/JEA PAM


hamsteropera

We are looking to do some sort of PAM solution at our organisation for privileged accounts in AD (Domain Admins etc). Ideally we would want to do something like how PAM works in Microsoft Identity Manager. Eg you have an admin account in the domain (eg sally_admin) which is elevated on request, with automated time limits, to give it privileges as and when it is needed by adding it to the relevant group(s) in AD.

We already use PasswordState as our password vault. It doesn't seem to have this capability out of the box to do 'just in time' elevation, but is there any way we can get it to work like that? I was wondering about using custom Password Reset scripts that also manipulate groups but that feels like a bit of a bodge.

Alternatively, I think the PasswordState native approach to achieve something comparable would be to have multiple service accounts that people use, each with the privileges assigned permanently. Either generic shared ones, or issue multiple accounts per-user. The passwords would then be reset when the account is checked in. I would possibly update the reset script to also disable the account. Eg
sys-accountoperator1
sys-accountoperator2
sys-serveroperator1
etc

Have I got all that right? Just wondering whether anyone has done something similar in PasswordState and has any thoughts about the best way to do it.

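One way to get the time-limited elevation described in the post without relying on a check-in script to remember to remove the group membership, as an added example that is not from the original post or from PasswordState's own reset scripts: it uses AD's own expiring-link feature (the "Privileged Access Management Feature", Windows Server 2016 forest functional level or later), and assumes the ActiveDirectory module is available and that feature has been enabled; the account and group names are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not PasswordState code. Assumes the optional feature is on, e.g.
#   Enable-ADOptionalFeature 'Privileged Access Management Feature' `
#       -Scope ForestOrConfigurationSet -Target 'contoso.local'   # placeholder forest

function Grant-JitGroupMembership {
    # Add an admin account to a privileged group with a TTL; AD removes the
    # link itself when the TTL lapses, so a missed check-in cannot leave the
    # account privileged indefinitely. The returned object is the audit record.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'sally_admin'
        [Parameter(Mandatory)][string]$Group,            # e.g. 'Account Operators'
        [int]$Minutes = 60,
        [string]$Justification = 'no ticket supplied'
    )
    $ttl = New-TimeSpan -Minutes $Minutes
    Add-ADGroupMember -Identity $Group -Members $SamAccountName -MemberTimeToLive $ttl
    [pscustomobject]@{
        Account       = $SamAccountName
        Group         = $Group
        ExpiresUtc    = (Get-Date).ToUniversalTime().Add($ttl)
        Justification = $Justification
        RequestedBy   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}

function Get-JitGroupMembership {
    # Show remaining TTL per member so expiring links can be reviewed or alerted on.
    param([Parameter(Mandatory)][string]$Group)
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
}

function Invoke-JitCheckIn {
    # The check-in routine the post sketches: drop any remaining memberships,
    # rotate the password so the checked-in secret is useless, then disable.
    param([Parameter(Mandatory)][string]$SamAccountName, [string[]]$Groups = @())
    foreach ($g in $Groups) {
        Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false -ErrorAction SilentlyContinue
    }
    $bytes = New-Object byte[] 32
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPw
    Disable-ADAccount -Identity $SamAccountName
}

# Usage: Grant-JitGroupMembership -SamAccountName 'sally_admin' -Group 'Account Operators' -Minutes 30 -Justification 'CHG-0001'
```

Members added this way appear in the group's member attribute as `<TTL=seconds,DN>` entries, so an existing PasswordState reset script can call Invoke-JitCheckIn on check-in while AD still enforces the time limit if that call never happens.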