Question
Should Application Administrators be considered as Privileged Accounts?
Answer
Literature Review
In Royer, 2010, Royer explains how the introduction of Enterprise Identity Management Systems (EIdMS) in organizations is expensive and challenging for organizations beyond technological matters. He explains that EIdMS investments are of a hybrid nature situated between security and productive IT and stresses the importance of identifying and onboarding stakeholders early on in the project. As part of this research, integrators, vendors and users were interviewed and a high-level classification of IAM stakeholders was established from these interviews. Interestingly, the Actual Users category expressly contains both business users and application administrators, as distinct from the IT department.
This shows that Application Administrators may or may not be Privileged Accounts but are commonly owned by the business rather than IT.
In Osmanoglu, 2013, Osmanoglu proposes an approach to assess the current IAM state in an organization against a proposed IAM capability model. He stresses the importance of the assessment's inclusiveness or comprehensiveness.
To help in this process, he proposes a systematic table of topics that should be covered as part of the assessment. The table columns depict the People, Processes and Technology dimensions while the rows correspond to organization units. In this classification, Privileged Users (People) and Management of privileged accesses (Process) are placed in the IT and System Owners row along with all technical systems. In contrast, Application Administrators (People) and Business Applications (Technology) are placed in the Lines of business row with access management, joiner, mover, leaver and recertification processes.
In summary, Osmanoglu doesn't expressly state that Application Administrators aren't Privileged Accounts, but shows at least that Application Administrators are of a particular nature, whose domain is limited to Business Applications and which are owned by the business rather than by IT.
In KPMG, 2018, KPMG proposes a classification of digital accounts. In this classification, the set of privileged accounts expressly comprises Application Administrators. The model expressly states that Application Administrators are managed by PAM solutions.
Here, Application Administrators are defined as:
Accounts which have full administrative privileged capabilities within individual applications.
Along the risk and # of users dimensions, Application Administrators are placed right in the middle.
Interestingly, this model proposes an intermediary class between standard application users and privileged accounts: Powerful Accounts, where we find application super users, database users and platform remote access users.