b/260937549 Update README (#24)

* Update to cover 1.1
* Add more screenshots

README.md

@@ -1,51 +1,81 @@
 # Just-In-Time Access
 
-Just-In-Time Access is an AppEngine application that lets you manage just-in-time privileged access to Google Cloud projects.
+Just-In-Time Access is an open source application that lets you implement just-in-time privileged access to Google Cloud resources. 
 
-## Synopsis
-
-Just-In-Time Access adds the notion of _eligible role bindings_ to Cloud IAM. Unlike a [regular
+Just-In-Time Access works by introducing the notion of _eligible role bindings_ to Cloud IAM. Unlike a [regular
 IAM role binding](https://cloud.google.com/iam/docs/overview#cloud-iam-policy), 
 an eligible role binding doesn't grant the user access to a project yet:
 Instead, a user first has to _activate_ the binding on demand by using the Just-In-Time Access application.
 Activation is temporary and requires the user to provide a justification (like a bug or case number).
 
-You can use _eligible role bindings_ to grant users privileged (pr break-glass) access to resources
+You can use _eligible role bindings_ to grant users privileged (or break-glass) access to resources
 without having to grant them permanent access. This type of just-in-time privileged access helps you to:
 
-* Reduce the risk of users accidentally modifying or deleting resources ("fat-fingering").
-* Create an audit trails that captures justifications for why privileged access was used.
+* Reduce the risk of someone accidentally modifying or deleting resources. For example, when users have privileged access only when it's needed, it helps prevent them from running scripts at other times that unintentionally affect resources that they shouldn't be able to change.
+* Create an audit trail that indicates why privileges were activated.
 * Conduct audits and reviews for analyzing past activity.
 
 
-## Using Just-In-Time Access
+## Request just-in-time access
+
+<a href='doc/Activation_1024.gif?raw=true'>
+<img src='doc/Activation_350.png' align='right'>
+</a>
+
+As a user, you request just-in-time access in three steps:
+
+1. Select the project you need to access
+2. Select one or more roles to activate (from your list of eligible role bindings)
+3. Enter a justification (like a bug or case number)
+
+After validating your request, the application then [grants you temporary access](https://cloud.google.com/iam/docs/configuring-temporary-access)
+to the project.
+
+
+
+<img src='doc/images/pix.gif' width='100%' height='1'>
+
+
+## Grant just-in-time access
+
+<a href='doc/Condition.png?raw=true'>
+<img src='doc/Condition_350.png' align='right'>
+</a>
+
+As an administrator, you can grant a role (to a user or group) and make it _eligible_ by adding a special IAM condition:
+
+```
+has({}.jitAccessConstraint)
+```
+
+You can create the binding for a specific project, or for an entire folder. Instead of granting eligible
+access to individual users, you can also use groups.
+
 
-Just-In-Time Access uses [IAM conditions](https://cloud.google.com/iam/docs/conditions-overview) to manage eligible access:
+<img src='doc/images/pix.gif' width='100%' height='1'>
 
-* **As an administrator** you can grant a role (to a user or group) and make it _eligible_ by 
-  adding a special IAM condition:
 
-  ```
-  has({}.jitAccessConstraint)
-  ```
+## Audit just-in-time access
 
-  You can create the binding for a specific project, or for an entire folder. Instead of granting eligible
-  access to individual users, you can also use groups.
+<a href='doc/AuditLog.png?raw=true'>
+<img src='doc/AuditLog_350.png' align='right'>
+</a>
 
-* **As a user**, you can list the roles and resources you're _eligible_ to access by using the Just-In-Time Access
-  application. 
+As an administrator, you can use Cloud Logging to review when and why eligible roles have been activated by users. 
+For each activation, the Just-In-Time application writes an audit log entry that contains information about:
 
-  You can then _activate_ one or more role bindings and provide a justification for doing so. Just-In-Time Access
-  then [grants you temporary access](https://cloud.google.com/iam/docs/configuring-temporary-access)
-  to the resource.
+* the user that requested access
+* the user's device, including satisfied [access levels](https://cloud.google.com/access-context-manager/docs/manage-access-levels) 
+* the project and role for which access was requested
+* the justification provided by the user
 
-  ![Screenshot](doc/screenshot-small.png)
+<img src='doc/images/pix.gif' width='100%' height='1'>
 
-* **As an administrator**, you can use Cloud Logging to review when and why eligible roles have been activated by users.  
 
-## Deploying Just-In-Time Access
+## Deploying the application
 
-Just-In-Time Access runs on App Engine (standard) and uses Identity-Aware-Proxy for authentication and authorization.
+Just-In-Time Access runs on App Engine (standard) and uses Identity-Aware-Proxy for authentication and authorization. The application
+is stateless and uses the [Policy Analyzer API](https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies) and [IAM API](https://cloud.google.com/iam/docs/reference/rest) to manage access.
 
 For detailed instructions on deploying Just-In-Time Access, see [Manage just-in-time privileged access to projects ](https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project) on the Google Cloud website.