True Privilege and Paths to Privilege
What is True Privilege?
True Privilege is every action a person operating the account could perform if they follow a Path to Privilege. Paths may involve using federation or trust relationships to become another account in an intended way, or abusing misconfigurations in the environment.
True Privilege encompasses all actions a determined attacker could ultimately take if they compromised an account.
How is understanding True Privilege useful?
Privilege level is not always limited to the privileges an account is directly assigned. The rights and privileges an account holds can be combined with trust relationships or misconfigurations to reach higher levels of privileged access. True Privilege captures these considerations and gives you the most comprehensive picture of access rights.
Seeing True Privilege across your organization helps you understand where privileges should be reduced in order to follow the Principle of Least Privilege (POLP) and reduce the blast radius if accounts are compromised.
How are privileges calculated?
Insights uses patented machine learning models to categorize all possible “primitives” or actions in each connected domain. These categories are used in a matrix to define the privilege level of each action.
Thousands of unique actions exist across domains. Using AI and machine learning, we dynamically track and categorize each one, giving customers visibility into newly created or modified actions before attackers discover and exploit them.
How can I view True Privileges in Identity Security Insights?
Identity Security Insights provides dedicated graphs, reports, and tags in grids to help you distinguish between an account’s direct privileges and its True Privilege, as well as understand what actions to prioritize to manage privilege-related risks.
Access the True Privilege graph
- Navigate to the Identity Details page.
- Click View True Privilege graph or the icon under the Actions column on the Identities grid to open the graph.
- Drag the nodes to manipulate the graph. Click any node to open a side panel with detailed information.
For reports relating to True Privilege, see Reporting.
What are Paths to Privilege?
A Path to Privilege shows some of the identities, accounts, entitlements, and configurations an identity can reach via a particular set of steps. The collection of all such paths describes the account's True Privilege.
How is understanding Paths to Privilege useful?
Identifying and visualizing these Paths to Privilege allows you to understand and control the relationships that enable both vertical and lateral privilege escalation.
Privilege escalation occurs when a lower-privileged account gains access to higher privileges, either vertically (to a more privileged role) or laterally (to a role with equivalent privileges that enables further escalation). This often happens due to misconfigurations or abuse of trust relationships.
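The relationship between the two concepts described above can be made concrete: True Privilege is the union of every privilege held by every account reachable from the starting account along Paths to Privilege. The following is an added illustration, not Identity Security Insights code; the tenant data (accounts, entitlements, and the federation or trust edges between them) is constructed for the example, and it also ranks which single relationship to remediate first to shrink the blast radius the most.

```python
from collections import deque

# Constructed sample tenant (hypothetical names): the privileges each account
# is directly assigned, and the relationships that let whoever operates one
# account act as another (federation, role-assumption trust, misconfiguration).
DIRECT = {
    "alice": {"read:tickets"},
    "svc-deploy": {"write:prod-config"},
    "admin-role": {"admin:*"},
}
# Each edge (src, dst, how) means: src can become dst by following `how`.
PATHS = [
    ("alice", "svc-deploy", "federated login"),
    ("svc-deploy", "admin-role", "assume-role trust"),
    ("svc-deploy", "alice", "lateral trust"),  # lateral, adds nothing new
]

def true_privilege(start, direct=DIRECT, paths=PATHS):
    """Return (actions, reached): actions is the union of direct privileges of
    every account reachable from `start`; reached maps each reachable account
    to the chain of steps (the Path to Privilege) used to get there."""
    adj = {}
    for src, dst, how in paths:
        adj.setdefault(src, []).append((dst, how))
    reached = {start: []}          # breadth-first search gives shortest paths
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst, how in adj.get(cur, []):
            if dst not in reached:
                reached[dst] = reached[cur] + [f"{cur} -> {dst} via {how}"]
                queue.append(dst)
    actions = set()
    for acct in reached:
        actions |= direct.get(acct, set())
    return actions, reached

def escalated_privileges(start, direct=DIRECT, paths=PATHS):
    """Privileges gained only through paths: True Privilege minus direct."""
    actions, _ = true_privilege(start, direct, paths)
    return actions - direct.get(start, set())

def most_valuable_fix(start, direct=DIRECT, paths=PATHS):
    """The single relationship whose removal shrinks True Privilege the most,
    returned as (number_of_actions_removed, edge); remediate this one first."""
    baseline = len(true_privilege(start, direct, paths)[0])
    best = None
    for i, edge in enumerate(paths):
        remaining = paths[:i] + paths[i + 1:]
        left = len(true_privilege(start, direct, remaining)[0])
        if best is None or baseline - left > best[0]:
            best = (baseline - left, edge)
    return best
```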
How can I view Paths to Privilege?
Use the Paths to Privilege node graph to view your privilege relationships.
Access the Paths to Privilege node graph
- Navigate to the Entitlements page to open the Entitlements grid.
- Use the tabs and filters to locate the Entitlement name.
- Select the icon from the Actions column. The Paths to Privilege node graph opens.
Paths to Privilege show on the True Privilege graph if there is an escalation path.
For reports relating to Paths to Privilege, see Reporting.