We're finding that our organization has too many global admins, and many of them treat it as a catch-all role. Instead of using the appropriate permissions for their daily tasks, they're active as global admins even when they only need that access a few hours each month. While we could implement Privileged Identity Management (PIM) for these admins, it doesn't do much good if they activate the global admin role constantly because they lack other role assignments that give them the necessary access for their regular work. Is there a way to audit which tasks these admins are actually performing so we can determine the best roles to assign them, helping to reduce the number of global admins?
6 Answers
Using PIM with defined groups can help since admins might be working across various portals all day. It’s all about setting them up for success with the right permissions so they don’t have to fall back on the global admin role.
It’s a gradual process, but start by identifying which roles are actually needed for your admins. Set PIM to elevate access for an hour when needed. If they keep saying they need global admin for a task, that’s a signal they don’t have the right roles assigned. It reminds us to adapt our role structure to their actual work.
Implementing this change won’t happen overnight. Start by categorizing required roles and gradually introduce PIM restrictions. This approach will encourage admins to explore appropriate roles, and with time, the need for global admin access should significantly diminish.
For our setup, we limit global admin activation to an hour. It’s a balance, as most don’t activate it daily but still, it helps to monitor who really needs it. Ideally, they should have other roles to facilitate their daily responsibilities without relying too heavily on global admin.
Using PIM can work if you set it up with approval processes and let the role automatically expire after one hour. But the challenge will be finding other roles they can use. Constantly reactivating approvals every hour can really slow them down if they don’t have effective role assignments in place.
You're right! That constant approval process can kill productivity. We really need to be proactive in assessing who needs what access and assign them roles that they can actually work with.
Definitely look into PIM alongside role-based access control (RBAC) and audit logs. There are a ton of tools out there, like CyberArk, that can help with this. Just having PIM isn’t enough; it’s essential to actually analyze their usage to see where they can be more efficiently assigned.
Exactly! We can implement PIM, but if admins keep switching back to global admin, we’ll be back at square one. We need to pinpoint which lesser roles they need based on their actual tasks.
Totally agree! It becomes critical to identify and provide the right lower-privileged roles that map to their day-to-day tasks, reducing the need for global admin access.