You should read over NIST 800-53 AC-2 and AC-6. They go over why privileged accounts are important, why they are used, and how they protect users and organizations.

JIT access should be the goal.

Scroll down to: Implementation Guidance

https://csf.tools/reference/cloud-controls-matrix/v4-0/iam/i...

▲

charcircuit 3 days ago | parent [-]

>JIT access should be the goal.

Individual privileges for specific things should be given access to instead of giving god access to a system.

▲

esseph 3 days ago | parent [-]

I hear what you are saying but many, many people who have dedicated their life to this topic disagree with you. Onions have layers for a reason.

RBAC by nature requires a Creator. ZeroTrust networks still require gateways.

▲

charcircuit 2 days ago | parent [-]

I'm not saying there can't be an admin who can create roles, or do some extra authentication to gain that privilege. I am saying that it shouldn't require assuming an all powerful user to do it. You should be able to do it from your actual account. This is good for keeping accurate records too since all actions are done by the users themselves. Yes, technically sudo can be logged, but it's bypassable by starting a shell.

	▲	esseph 2 days ago \| parent [-]
		Elevated credentials for said users segment access while still allowing the same user to access more administrative function. Proper group / sudoers mappings can go a long way, but you still want that administrative break between access levels.