Question
Should Application Administrators be considered as Privileged Accounts?
Answer
Literature Review
In Osmanoglu, 2013, Osmanoglu proposes an approach to assess the current IAM state in an organization against a proposed IAM capability model. He stresses the importance of the assessment's inclusiveness, or comprehensiveness.
To help in this process, Osmanoglu proposes a systematic table of topics that should be covered as part of the assessment. The table columns depict the People, Processes and Technology dimensions, while the rows correspond to organization units. In this classification, Privileged Users (People) and Management of privileged accesses (Process) are placed in the IT and System Owners row along with all technical systems. In contrast, Application Administrators (People) and Business Applications (Technology) are placed in the Lines of business row with the access management, joiner, mover, leaver and recertification processes.
In summary, Osmanoglu doesn't expressly state that Application Administrators aren't Privileged Accounts but shows at least that Application Administrators are of a particular nature whose domain is limited to Business Applications and that they should be primarily approached from the perspective of the business rather than that of IT.
In KPMG, 2018, KPMG proposes a classification of digital accounts. In this classification, the set of privileged accounts expressly comprises application administrators. Interestingly, it proposes an intermediary class between standard application users and privileged accounts: powerful accounts, where we find application super users, database users and platform remote access users.