Why managing access and privileges might be a problem

Most organizations require some groups of users to be allowed to use administrative accounts and passwords. For example, you might want to grant these permissions to allow some users to log on to computers that host administrative applications or data center services, but restrict access so that users can only log on when appropriate.

In many cases, the primary way you secure access to computers is by granting a limited number of users or groups root administrative privileges or configuring sudoers rights locally. These common practices leave computers vulnerable to insider threats and present a security risk that might be exploited by an external attack. As common as it is, granting administrative access rights is likely to violate the principal of least privilege, which is intended to minimize your exposure to these types of risks.

In other cases, users who need administrative privileges to perform specific tasks might use a shared administrator and service account password. However, shared passwords reduce accountability, leave computers vulnerable to insider threats, and are also often flagged by auditors as a security issue. If you are in an industry that has compliance requirements, shared passwords might present a significant business risk.