Individual vs Shared PAM Accounts

Should all of my system administrators (Linux, Windows, DBA’s, Network, Cloud Admins) have their own individual privileged accounts stored in a PAM tool or is the best practice to keep individual accounts away from a PAM?

My understanding is that a PAM tool is the home for shared interactive and non-interactive account, while non-shared/individual accounts would reside in an IAM tool or Active Directory.

For example, I have a Windows Admin named John Smith. I would assume that he would just perform his day to day administrative tasks in Windows using his “john.smith” account (which resides in AD) but if he needed to use a Domain or Local Admin account, he would access the PAM and check out the account for use.

Is my understanding correct, or should the john.smith account reside within the PAM tool as well? If so, wouldn’t John need access to this individual account “almost always”?

Hi @calebparker45,

This forum is specifically for Conjur and other open source projects. Please reach out to technical support with questions about PVWA. You can also try the CyberArk subreddit for community support.