Admin and Privileged Access

This topic distinguishes between these two types of access:

  • Admin Access on the platform

  • Privileged Access according to the ITP assessment of access to third-party cloud accounts.

To more effectively control user access, you can create customized definitions for Admin Access and Privileged Access under System Collections.

Admin Access

Admin Access applies to any account with full control over the platform or the IAM model of the application.

Here's how it works:

  • For each integration type (such as cloud provider or identity platform), specific permissions are identified as administrative.

  • We then search for any roles that include these admin-level permissions.

  • Specifically, we look for entities holding admin-type permissions on top-level resources such as:

    • Application

    • Project

    • Subscription

    • Service

    • Domain

These definitions are part of the admin access system collection. All admin-related access controls are based on this logic, and customers can customize this collection to match their internal policies.

Privileged Access

Privileged access is more limited and flexible than admin access, and it can vary by organization. Generally, it refers to users who have powerful, potentially risky permissions, such as:

  • Deleting a database or virtual machine (VM)

  • Adding new applications to identity providers

  • Disabling Windows services

This is also defined in a system collection. We provide a broad default definition, but we strongly recommend that customers review and refine it to meet their specific security needs.
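The following is an added example, not the platform's own code, that shows how the two definitions above can be applied to role data: an admin-access collection keyed by integration type and checked only against grants on top-level resources, and a privileged-access collection that customers can extend or trim. The integration names ("cloud", "idp", "windows"), permission strings, scope kinds and sample roles are all constructed for illustration and are not the product's identifiers.

```python
"""Added example: classify roles as Admin, Privileged or standard access.
Integration names, permission strings, scope kinds and sample roles below are
hypothetical and constructed for illustration only."""
from dataclasses import dataclass

# Top-level resource kinds from the Admin Access definition. A grant counts as
# admin only when its scope is one of these, not a single child resource.
TOP_LEVEL_SCOPES = {"application", "project", "subscription", "service", "domain"}

# Hypothetical "admin access" system collection: per integration type, the
# permissions giving full control of the platform or its IAM model.
# "*" is the integration's own all-permissions grant, matched literally.
ADMIN_COLLECTION = {
    "cloud": {"*", "iam:createRole", "iam:attachRolePolicy"},
    "idp": {"*", "directory.admin", "roles.assign"},
}

# Hypothetical default "privileged access" collection: powerful but narrower
# permissions (delete a database or VM, add apps to an IdP, disable services).
PRIVILEGED_COLLECTION_DEFAULT = {
    "cloud": {"db:delete", "vm:delete"},
    "idp": {"app.create"},
    "windows": {"service.disable"},
}


@dataclass(frozen=True)
class Grant:
    integration: str   # integration type the permission comes from
    permission: str    # permission identifier as that integration names it
    scope_kind: str    # kind of resource the grant applies to


@dataclass(frozen=True)
class Role:
    name: str
    grants: tuple


def is_admin(role: Role, admin_defs=ADMIN_COLLECTION) -> bool:
    """Admin: an admin-level permission held on a top-level resource."""
    return any(
        g.scope_kind in TOP_LEVEL_SCOPES
        and g.permission in admin_defs.get(g.integration, ())
        for g in role.grants
    )


def is_privileged(role: Role, priv_defs=PRIVILEGED_COLLECTION_DEFAULT) -> bool:
    """Privileged: a risky permission at any scope."""
    return any(g.permission in priv_defs.get(g.integration, ()) for g in role.grants)


def customize(collection: dict, integration: str, add=(), remove=()) -> dict:
    """Copy of a system collection with entries added or removed for one
    integration; this is how a customer tailors the default definition."""
    updated = {k: set(v) for k, v in collection.items()}
    entries = updated.setdefault(integration, set())
    entries |= set(add)
    entries -= set(remove)
    return updated


def classify(roles, admin_defs=ADMIN_COLLECTION,
             priv_defs=PRIVILEGED_COLLECTION_DEFAULT) -> dict:
    """Map role name -> "admin" | "privileged" | "standard"; admin wins."""
    result = {}
    for role in roles:
        if is_admin(role, admin_defs):
            result[role.name] = "admin"
        elif is_privileged(role, priv_defs):
            result[role.name] = "privileged"
        else:
            result[role.name] = "standard"
    return result


# Constructed sample roles (not real data).
SAMPLE_ROLES = (
    Role("cloud-owner", (Grant("cloud", "*", "subscription"),)),
    Role("project-iam-writer", (Grant("cloud", "iam:createRole", "project"),)),
    Role("db-operator", (Grant("cloud", "db:delete", "database"),
                         Grant("cloud", "db:read", "database"))),
    Role("scoped-iam-writer", (Grant("cloud", "iam:createRole", "database"),)),
    Role("viewer", (Grant("cloud", "db:read", "subscription"),)),
    Role("idp-app-onboarder", (Grant("idp", "app.create", "domain"),)),
)

if __name__ == "__main__":
    for name, level in classify(SAMPLE_ROLES).items():
        print(f"{name:20s} {level}")
    # Refining the default: treat IAM role creation at any scope as privileged.
    custom = customize(PRIVILEGED_COLLECTION_DEFAULT, "cloud", add={"iam:createRole"})
    print("scoped-iam-writer:", classify(SAMPLE_ROLES, priv_defs=custom)["scoped-iam-writer"])
```

The `scoped-iam-writer` role illustrates why the default definitions deserve review: IAM role creation on a single child resource is not admin access under the top-level-scope rule and is not in the default privileged collection, so it classifies as standard until the privileged collection is customized to include it.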