Types of Privileged Accounts

While most non-IT users should, as a best practice, only have standard user
account access, some IT employees may possess multiple accounts, logging
in as a standard user to perform routine tasks, while logging into a superuser
account to perform administrative activities.

Because administrative accounts possess more privileges, and thus pose a
heightened risk if misused or abused compared to standard user accounts, a
PAM best practice is to use these administrator accounts only when
absolutely necessary, and for the shortest time needed.

Examples of privileged accounts typically found in an organization:

• Local administrative accounts: Non-personal accounts providing
administrative access to the local host or instance only.
• Domain administrative accounts: Privileged administrative access
across all workstations and servers within the domain.
• Break glass (also called emergency or firecall)
accounts: Unprivileged users with administrative access to secure
systems in the case of an emergency.
• Service accounts: Privileged local or domain accounts that are used by
an application or service to interact with the operating system.
• Active Directory or domain service accounts: Enable password
changes to accounts, etc.
• Application accounts: Used by applications to access databases, run
batch jobs or scripts, or provide access to other applications.

Increasingly, privileged accounts are associated with a machine identity,
rather than a human one. The proliferation of machine accounts, such as in RPA
and other automated workflows, adds significant security complexity to IT
environments and provides an important use case for PAM systems.
