Individual vs Shared PAM Accounts

Should all of my system administrators (Linux, Windows, DBAs, Network, Cloud Admins) have their own individual privileged accounts stored in a PAM tool, or is the best practice to keep individual accounts away from a PAM?

My understanding is that a PAM tool is the home for shared interactive and non-interactive accounts, while non-shared/individual accounts would reside in an IAM tool or Active Directory.

For example, I have a Windows Admin named John Smith. I would assume that he would just perform his day to day administrative tasks in Windows using his “john.smith” account (which resides in AD) but if he needed to use a Domain or Local Admin account, he would access the PAM and check out the account for use.

Is my understanding correct, or should the john.smith account reside within the PAM tool as well? If so, wouldn’t John need access to this individual account “almost always”?
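The split the question describes (named accounts such as john.smith stay in AD/IAM; shared or built-in privileged accounts get vaulted in the PAM tool) can be scoped with an inventory of who actually sits in the privileged groups. The following PowerShell is an added example, not code from the original thread or from any PAM vendor; it assumes a domain-joined admin host with the ActiveDirectory module, that named admin accounts follow a first.last convention, and that the three groups listed are the ones you treat as privileged.

```powershell
#Requires -Modules ActiveDirectory
# Added example: inventory privileged group members and sort each one into
# "individual" (named person, stays in AD/IAM) or "shared/built-in" (candidate
# for vaulting in the PAM tool). Run from a domain-joined administrative host.
# ASSUMPTIONS: named accounts follow first.last; the group list below is the
# set of groups you consider privileged. Adjust both to your environment.

$privilegedGroups  = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$individualPattern = '^[a-z]+\.[a-z]+$'   # assumed first.last naming convention

function Get-AccountPlacement {
    # Decide where a principal belongs based on its type and name.
    param([string]$Name, [string]$ObjectClass)
    if ($ObjectClass -ne 'user') { return 'review: not a user principal' }
    $sam = ($Name -split '\\')[-1]            # strip DOMAIN\ or HOST\ prefix
    if ($sam -match $individualPattern) { return 'individual: keep in AD/IAM' }
    return 'shared/built-in: vault in PAM'
}

# Domain groups, expanded recursively so nested group members are listed too.
$domainRows = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
        [pscustomobject]@{
            Scope     = "AD:$g"
            Account   = $_.SamAccountName
            Class     = $_.objectClass
            Placement = Get-AccountPlacement -Name $_.SamAccountName -ObjectClass $_.objectClass
        }
    }
}

# Local Administrators on this host: catches the built-in local Administrator
# (RID 500) and any other local admin accounts that a PAM should own.
$localRows = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    [pscustomobject]@{
        Scope     = "Local:$env:COMPUTERNAME\Administrators"
        Account   = $_.Name
        Class     = $_.ObjectClass
        Placement = Get-AccountPlacement -Name $_.Name -ObjectClass $_.ObjectClass
    }
}

$domainRows + $localRows |
    Sort-Object Placement, Scope, Account |
    Format-Table Scope, Account, Class, Placement -AutoSize
```

The rows marked "shared/built-in" are the ones the question's check-out workflow applies to; the "individual" rows are the john.smith-style accounts that remain in AD. If your named admin accounts carry a suffix (for example a separate -adm account per person), widen `$individualPattern` accordingly, and treat any "review" rows (groups or computers that survived expansion) as items to resolve by hand.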

Hi @calebparker45,

