
Privileged Account

A privileged account is a login ID on some system that has elevated security rights, i.e., it can perform more tasks and/or access more data than a regular user can. Privileged accounts are also often shared accounts, i.e., they do not belong to just one user but are shared by multiple users, who are usually system administrators, database administrators, network managers and the like.

There are broadly three types of privileged accounts:

  1. Administrator accounts:

    These are accounts, often shared by multiple IT users, which are used to establish interactive logins to systems and applications. These logins are used to manage those systems -- apply patches, change configuration, manage users, retrieve log files, etc. Examples include Administrator on Windows, root on Unix/Linux, sa on SQL Server, SYSTEM on Oracle databases, and many others -- at least one per platform.

  2. Application to application accounts:

    These accounts are used by one application to connect, identify and authenticate to another. Common examples include accounts used by a web application to connect to a database server, object broker or directory.

  3. Service accounts:

    These accounts provide a security context in which to run unattended processes, such as scheduled tasks, services or "daemons." In the context of this document, we are mostly concerned with the management of Windows service accounts, because -- unlike on other platforms -- on the Windows operating system, to start a process in the security context of a given account, the password for that account must be provided. This creates the need to manage passwords for service accounts on Windows (on other platforms, service accounts normally do not have a password).

Hitachi ID Privileged Access Manager secures privileged accounts across the IT landscape and at large scale:

  • It periodically randomizes passwords to privileged accounts.
  • Users must sign into Privileged Access Manager before they can access privileged accounts. This is an excellent opportunity to require strong, multi-factor authentication. This also allows organizations to apply a central authorization policy -- who is allowed access to which account, when and from where?
  • Privileged Access Manager launches login sessions on behalf of users, without displaying passwords -- single sign-on.
  • Privileged login sessions can be recorded, including screen capture and keyboard capture. This creates strong accountability and forensic audit trails.
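The four controls listed above form one workflow: passwords are randomized on a schedule, a user must authenticate and pass an authorization policy before touching an account, and the session is launched without the password being disclosed, with every step written to an audit trail. The Python below is an added illustration of that workflow as an in-memory model; it is not Hitachi ID code and does not reflect the product's internals. The account names, the policy table and the initial passwords are constructed sample values.

```python
import secrets
import string
from datetime import datetime, timezone

# Constructed sample data (hypothetical systems and users, not from a real deployment).
ACCOUNTS = {
    "win-dc01/Administrator": {"password": "InitialPassw0rd!"},
    "db01/sa": {"password": "InitialPassw0rd!"},
}
# Central authorization policy: which user may check out which privileged account.
POLICY = {
    "alice": {"win-dc01/Administrator"},
    "bob": {"db01/sa"},
}
PASSWORD_LENGTH = 24


def random_password(length=PASSWORD_LENGTH):
    """Return a cryptographically random password containing all four character classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


class Vault:
    """Minimal model of a privileged-access vault: rotation, authorization, audit."""

    def __init__(self, accounts, policy):
        self.accounts = {name: dict(acct) for name, acct in accounts.items()}
        self.policy = policy
        self.audit = []  # append-only audit trail of every vault event

    def _log(self, event, **fields):
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "event": event, **fields})

    def randomize_all(self):
        """Periodic job: replace every stored password with a fresh random value."""
        for name, acct in self.accounts.items():
            acct["password"] = random_password()
            self._log("randomize", account=name)

    def can_access(self, user, account):
        """Evaluate the central authorization policy for one user/account pair."""
        return account in self.policy.get(user, set())

    def checkout(self, user, account, mfa_verified):
        """Launch a session on the user's behalf; the password is never returned."""
        if not mfa_verified:
            self._log("deny", user=user, account=account, reason="mfa")
            raise PermissionError("multi-factor authentication required")
        if not self.can_access(user, account):
            self._log("deny", user=user, account=account, reason="policy")
            raise PermissionError(f"{user} is not authorized for {account}")
        session_id = secrets.token_hex(8)
        # A real vault would inject the stored password into the login session here
        # (single sign-on) and start screen/keystroke recording; the model only logs it.
        self._log("session_start", user=user, account=account, session=session_id)
        return {"session": session_id, "account": account}


def run_demo():
    """Exercise the workflow once and return the vault for inspection."""
    vault = Vault(ACCOUNTS, POLICY)
    vault.randomize_all()
    vault.checkout("bob", "db01/sa", mfa_verified=True)
    try:
        vault.checkout("alice", "db01/sa", mfa_verified=True)  # not in alice's policy
    except PermissionError:
        pass
    return vault


if __name__ == "__main__":
    for entry in run_demo().audit:
        print(entry)
```

The point the model makes is that the session handle returned by `checkout` contains no password: the only way to reach the account is through the vault, so the randomized password is never copied onto a sticky note, a script or a chat message, and the audit list shows who used which account and who was refused.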
