Access issues run the gamut. Privileged access to assets may be open, or groups providing elevated rights may house hidden users or open access groups. Proper account deprovisioning may be overlooked. Regular user login accounts may even provide administrative access to hosts, databases or applications without you knowing it. Do you know what kind of account roles you have? Whether they are Domain Administrators, Application Administrators or standard users, you want to ensure the right level of access across each role in your enterprise. Here’s a quick rundown on the roles you need to know.
Domain Administrator Accounts
These are at the top of the access totem pole, housing the fewest users, but often representing the highest risk. These privileged accounts can require coordination across multiple systems and have access to all devices (workstations, servers, etc.) within your network. Think of these users as the folks with administrative privileges across Active Directory (AD). It’s also important to note that these users can modify all membership within your administrator groups, making these invaluable credentials.
Database, Infrastructure and Platform Administrator Accounts
These privileged accounts routinely perform security and maintenance tasks across your systems. This role can include local non-personal accounts that are used and shared among IT staff. Service accounts holding privileged rights at either the local or the domain level can also fall under this umbrella.
Application Administrator Accounts
This role should have full administrative access within a particular application. This level of privilege allows broad access to application databases and information as well as the ability to run batch jobs or scripts.
Elevated Access Accounts
These roles can encapsulate super users on a given application, database users and remote access users who have been granted elevated levels of privilege on one or more systems.
Standard Application Accounts
Regular accounts should be the lowest-risk and largest user base within your organization. These accounts perform only routine work and should have no elevated privileges that can impact application performance or availability.
Break Glass and Point in Time Access Accounts
This role lets you give unprivileged users admin access for a limited time span, whether for an emergency or for a scheduled administrative task. The process is typically manual and can open you up to increased risk, as many systems that facilitate this process lack important audit functions.
Before you can gain a full understanding of privileged access and a controlled end state, you must first recognize the account roles that exist, and their reach across your systems so you can manage each role’s specific risks and privileges.
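To make the opening points about hidden users, open access groups and overlooked deprovisioning concrete, here is an added example (not from the original article) that expands nested group membership and reports who effectively holds a privileged role. The group names, user names and the membership export are all constructed sample data; in practice the input would come from your directory.

```python
# Constructed sample data: group -> direct members (users or nested groups).
GROUPS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "Helpdesk-Leads"],
    "Helpdesk-Leads": ["carol", "Tier0-Ops"],   # cycle back to Tier0-Ops
    "App-Admins": ["dave", "Domain Users"],     # open access group nested in
    "Domain Users": ["alice", "bob", "carol", "dave", "erin", "frank"],
}
DISABLED = {"carol"}              # accounts that should have been deprovisioned
OPEN_GROUPS = {"Domain Users"}    # groups that every account belongs to
PRIVILEGED = ["Domain Admins", "App-Admins"]


def effective_members(group, groups=GROUPS):
    """Return {user: path} for every user reachable from group through nesting."""
    found, stack, seen = {}, [(group, [group])], {group}
    while stack:
        current, path = stack.pop()
        for member in groups.get(current, []):
            if member in groups:            # member is itself a group
                if member not in seen:      # guard against membership cycles
                    seen.add(member)
                    stack.append((member, path + [member]))
            else:
                found.setdefault(member, path)
    return found


def audit(group, groups=GROUPS):
    """List (user, issue, path) findings for one privileged group."""
    direct = {m for m in groups.get(group, []) if m not in groups}
    findings = []
    for user, path in sorted(effective_members(group, groups).items()):
        if user in DISABLED:
            findings.append((user, "disabled account still has access", path))
        if any(g in OPEN_GROUPS for g in path):
            findings.append((user, "access via open group", path))
        elif user not in direct:
            findings.append((user, "hidden member via nesting", path))
    return findings


if __name__ == "__main__":
    for g in PRIVILEGED:
        for user, issue, path in audit(g):
            print(f"{g}: {user}: {issue} ({' > '.join(path)})")
```

The path in each finding shows which nested group grants the access, which is the membership to remove or review.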