Admin and Privileged Access
This topic distinguishes Admin Access from Privileged Access on the platform.
To more effectively control user access, you can create customized definitions for Admin Access and Privileged Access under System Collections.
Admin Access
Admin Access applies to any account with full control over the system or the IAM model of the application.
Here's how it works:
- For each integration type (such as cloud provider or identity platform), specific permissions are identified as administrative.
- We then search for any roles that include these admin-level permissions.
- Specifically, we look for entities with admin-type permissions on top-level resources such as:
  - Application
  - Project
  - Subscription
  - Service
  - Domain
- These definitions are part of the admin access system collection. All admin-related access controls are based on this logic, and customers can customize this collection to match their internal policies.
Privileged Access
Privileged access is more flexible than admin access, and it can vary by organization. Generally, it refers to users who have powerful, potentially risky permissions, such as:
- Deleting a database or virtual machine (VM)
- Adding new applications to identity providers
- Disabling Windows services
This is also defined in a system collection. We provide a broad default definition, but we strongly recommend that customers review and refine it to meet their specific security needs.
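The following is an added example, not the platform's own code, that applies the two definitions above to a handful of constructed roles: a grant counts as admin only when an administrative permission for that integration type is scoped to a top-level resource kind, while a grant counts as privileged whenever it matches the (refinable) privileged-permission set, regardless of scope. All permission names, resource kinds, and roles are invented for illustration; the wildcard matching is an assumption about how permission strings might be compared.

```python
"""Classify roles as admin and/or privileged access (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed: per integration type, the permissions treated as administrative.
ADMIN_PERMISSIONS: dict[str, set[str]] = {
    "cloud_provider": {"iam:*", "*:*", "roles:assign"},
    "identity_platform": {"directory:writeAll", "app:manageAll"},
}

# The top-level resource kinds named in the admin access definition above.
TOP_LEVEL_RESOURCE_KINDS = {"application", "project", "subscription", "service", "domain"}

# Constructed: a broad default privileged-permission set that a customer would refine.
PRIVILEGED_PERMISSIONS: dict[str, set[str]] = {
    "cloud_provider": {"database:delete", "vm:delete"},
    "identity_platform": {"app:create"},
    "windows": {"service:stop", "service:disable"},
}


@dataclass(frozen=True)
class Grant:
    integration: str    # e.g. "cloud_provider"
    permission: str     # "<service>:<action>", wildcards allowed
    resource_kind: str  # e.g. "subscription" (top-level) or "bucket" (not)


@dataclass
class Role:
    name: str
    grants: list[Grant]


def covers(pattern: str, perm: str) -> bool:
    """True if `pattern` ("iam:*", "*:*", "iam:createKey") covers the concrete `perm`."""
    p_service, _, p_action = pattern.partition(":")
    service, _, action = perm.partition(":")
    return p_service in ("*", service) and p_action in ("*", action)


def matches_any(perm: str, patterns: set[str]) -> bool:
    """A grant matches if a definition pattern covers it, or the grant's own wildcard covers a pattern."""
    return any(covers(p, perm) or covers(perm, p) for p in patterns)


def is_admin_grant(g: Grant) -> bool:
    # Admin access requires both an admin-level permission and a top-level resource scope.
    if g.resource_kind not in TOP_LEVEL_RESOURCE_KINDS:
        return False
    return matches_any(g.permission, ADMIN_PERMISSIONS.get(g.integration, set()))


def is_privileged_grant(g: Grant) -> bool:
    # Privileged access is defined purely by the permission, not by where it is scoped.
    return matches_any(g.permission, PRIVILEGED_PERMISSIONS.get(g.integration, set()))


def classify_role(role: Role) -> set[str]:
    labels: set[str] = set()
    if any(is_admin_grant(g) for g in role.grants):
        labels.add("admin")
    if any(is_privileged_grant(g) for g in role.grants):
        labels.add("privileged")
    return labels


def classify_roles(roles: list[Role]) -> dict[str, set[str]]:
    return {r.name: classify_role(r) for r in roles}


# Constructed sample roles.
ROLES = [
    Role("cloud-owner", [Grant("cloud_provider", "*:*", "subscription")]),
    Role("iam-key-admin-on-bucket", [Grant("cloud_provider", "iam:createKey", "bucket")]),
    Role("db-operator", [Grant("cloud_provider", "database:delete", "database"),
                         Grant("cloud_provider", "database:read", "database")]),
    Role("idp-app-creator", [Grant("identity_platform", "app:create", "application")]),
    Role("idp-global-admin", [Grant("identity_platform", "app:manageAll", "domain")]),
    Role("reader", [Grant("cloud_provider", "storage:read", "bucket")]),
]

if __name__ == "__main__":
    for name, labels in classify_roles(ROLES).items():
        print(f"{name:28s} {sorted(labels) or ['-']}")
```

Note how `iam-key-admin-on-bucket` is flagged as neither: its permission is admin-level, but it is scoped to a bucket rather than a top-level resource, which is exactly the distinction the admin access definition draws. Tightening or loosening either dictionary is the code analogue of customizing the corresponding system collection.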