True Privilege | Insights

What is True Privilege? How is it useful?

True Privilege goes beyond traditional views of privilege and encompasses all actions a determined attacker could ultimately take if they followed a Path to Privilege and compromised an account.

Seeing True Privilege across your organization helps you understand where privileges should be reduced in order to follow the Principle of Least Privilege (PoLP) and reduce the blast radius if accounts are compromised.


Understanding privilege

Privilege in identity security is the level of access or permission a user, system, or application has to resources. It defines what actions they can take, such as viewing, creating, or changing data.

Visualizing privilege helps you determine and control who can do what in a system. By knowing the level of access each identity has, you can reduce unnecessary permissions, spot unusual activity, and prevent attackers from gaining control of sensitive data or systems.

Direct privilege, effective privilege, and True Privilege

Direct privilege shows permissions explicitly assigned to a user or account, not inherited from roles, groups, or policies. Direct privileges are the baseline access a user has, without considering any indirect or cascading permissions.


Example of direct privilege

A user is explicitly granted “write” access to a specific folder.

Effective privilege shows the permissions a user or account can exercise in practice, based on all assigned roles, groups, or policies at a specific moment. Effective privilege combines direct and some inherited permissions, but may not reveal hidden or unintended access.


Example of effective privilege

A user is assigned to a read-only role but temporarily inherits write access via a policy.

True Privilege shows the complete scope of what a user can actually do across all systems, including direct, indirect, inherited, or unintended permissions. True privilege reveals the real blast radius if an account is compromised.


Example of True Privilege

A user appears to have only read access but also has hidden write permissions through nested groups. True privilege exposes that they could modify data.

In short, traditional privilege includes direct and effective privilege. This encompasses permissions assigned to a user and what they can access in practice, either directly or through groups and roles.

True Privilege goes further than traditional privilege views, showing the actual access the user can gain. It uncovers hidden escalation paths, inherited rights, and misconfigurations that can be exploited.

Use True Privilege to minimize blast radius

Blast radius is the scope of impact if a privileged account or credential is compromised. The more privileged an identity is, the larger its blast radius. Understanding an account’s True Privilege helps accurately measure the blast radius and identify where to reduce risk. Applying least privilege reduces the potential damage a compromised account can cause.


Privileged accounts as chokepoints

A chokepoint is a place in the identity or access management flow where activity must pass through a single control or decision layer before continuing. A single privileged credential often unlocks access across servers, applications, or the entire IT environment, which makes such credentials a narrow funnel through which critical control passes.

If attackers compromise a chokepoint, they can potentially gain access to many downstream systems. That single point of failure can magnify the blast radius of an attack.

Because chokepoints are unavoidable control layers, they’re also the most effective places to enforce strong policies (MFA, least privilege, continuous monitoring).

By understanding an account's True Privilege and securing it as a chokepoint, you raise your overall security posture.

Where to see True Privilege in Insights

Insights contains dedicated graphs, reports, and labels in grids to help you distinguish between an account’s direct privileges and its True Privilege, and to understand which actions to prioritize to manage privilege-related risks.

How are privileges calculated?

Insights uses patented machine learning models to categorize all possible “primitives” or actions in each connected domain. These categories are used in a matrix to define the privilege level of each action.

Thousands of unique actions exist across domains. Using AI and machine learning, we dynamically track and categorize each one, giving customers visibility into newly created or modified actions before attackers discover and exploit them.
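The three views defined above (direct, effective, and True Privilege) and the categorize-then-rate approach described in this section, as an added Python model. This is an illustration written for this page, not Insights code, and it does not reproduce Insights' models or matrix: the directory, the nested groups, the password-reset "path to privilege" edge, and the action-to-level matrix are all constructed. It treats the effective view as one hop of group membership (what an admin console typically lists) and True Privilege as the closure over nested groups plus every account reachable through a path to privilege.

```python
"""Direct, effective and True Privilege on a toy directory.

Added illustration, not BeyondTrust Insights code. The directory, the
nested groups, the "path to privilege" edge and the action-level matrix
below are all constructed for this example.
"""
from fnmatch import fnmatch

# Constructed sample directory. Actions are strings like "<system>:<object>:<verb>".
DIRECT_GRANTS = {                       # account -> actions granted explicitly
    "alice": {"folder:finance:read"},
    "bob": {"folder:finance:read", "entra:user.resetPassword"},
    "admin-svc": {"entra:role.assign", "folder:hr:write"},
}
MEMBER_OF = {                           # principal -> groups it is a member of
    "alice": {"finance-readers"},
    "finance-readers": {"content-editors"},   # nested group: invisible to a one-hop view
    "bob": {"helpdesk"},
}
GROUP_GRANTS = {                        # group -> actions granted to its members
    "finance-readers": {"folder:finance:read"},
    "content-editors": {"folder:finance:write"},   # the hidden write permission
    "helpdesk": set(),
}
# Assumed path to privilege: holding the action lets you take over these accounts
# (resetting admin-svc's password hands you everything admin-svc can do).
PATHS_TO_PRIVILEGE = {
    "entra:user.resetPassword": {"admin-svc"},
}
# Constructed category matrix: an action's level is its highest matching pattern;
# unmatched actions (plain reads here) count as unprivileged.
LEVELS = ["None", "Low", "Medium", "High", "Highest"]
ACTION_MATRIX = [
    ("folder:*:read", "None"),
    ("folder:*:write", "Medium"),
    ("entra:user.resetPassword", "High"),
    ("entra:role.assign", "Highest"),
]


def transitive_groups(principal):
    """All groups `principal` belongs to, following nested membership (cycle-safe)."""
    seen, stack = set(), list(MEMBER_OF.get(principal, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(MEMBER_OF.get(group, ()))
    return seen


def direct_privilege(account):
    """Permissions explicitly assigned to the account."""
    return set(DIRECT_GRANTS.get(account, ()))


def effective_privilege(account):
    """Direct grants plus grants of groups the account is a direct member of."""
    actions = direct_privilege(account)
    for group in MEMBER_OF.get(account, ()):
        actions |= GROUP_GRANTS.get(group, set())
    return actions


def resolved_privilege(account):
    """Direct grants plus grants of every group reached through nesting."""
    actions = direct_privilege(account)
    for group in transitive_groups(account):
        actions |= GROUP_GRANTS.get(group, set())
    return actions


def _closure(account):
    """Accounts reachable from `account` via paths to privilege, and all their actions."""
    controlled, frontier, actions = set(), [account], set()
    while frontier:
        acct = frontier.pop()
        if acct in controlled:
            continue
        controlled.add(acct)
        acct_actions = resolved_privilege(acct)
        actions |= acct_actions
        for action in acct_actions:               # follow every takeover edge
            frontier.extend(PATHS_TO_PRIVILEGE.get(action, ()))
    return actions, controlled


def true_privilege(account):
    """Everything a determined attacker could do after compromising the account."""
    return _closure(account)[0]


def controlled_accounts(account):
    """Blast radius in accounts: the account itself plus every account it can take over."""
    return _closure(account)[1]


def action_level(action):
    """Level of one action from the category matrix; 'None' when nothing matches."""
    best = "None"
    for pattern, level in ACTION_MATRIX:
        if fnmatch(action, pattern) and LEVELS.index(level) > LEVELS.index(best):
            best = level
    return best


def privilege_level(actions):
    """Level of a set of actions: the highest level of any action in it."""
    return max((action_level(a) for a in actions), key=LEVELS.index, default="None")


if __name__ == "__main__":
    for account in ("alice", "bob", "admin-svc"):
        views = [direct_privilege(account), effective_privilege(account), true_privilege(account)]
        levels = " / ".join(privilege_level(v) for v in views)
        print(f"{account:10} direct / effective / true: {levels}; "
              f"controls {sorted(controlled_accounts(account))}")
```

Running it shows why the views disagree: alice rates None on the direct and effective views but Medium on True Privilege, because the write permission only appears once the nested group is resolved; bob rates High directly but Highest once the password-reset path to admin-svc is followed, and his blast radius is two accounts rather than one. In a real environment the resolver would read group membership and role bindings from each connected domain, and the takeover edges would come from the directory's own control relationships rather than a hand-written table.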

Privilege levels in Insights

Insights shows you both the direct privilege and True Privilege level of your accounts.

The possible levels are:

  • Highest
  • High
  • Medium
  • Low
  • None: The account does not have any privileged access.
  • Undetermined: Insights cannot determine the privilege level of this account.

Dashboards

On the Insights Homepage, the default Insights Summary dashboard shows a True Privilege Summary that includes the number of accounts with High and Highest True Privilege.

True Privilege graph

To open the True Privilege graph:

  1. Navigate to the Identities page.
  2. Select an identity under the Name column to open the Overview panel.
  3. Click True Privilege Graph.

Accounts grid

There is a True Privilege column on the Accounts grid that denotes the True Privilege level of the account. For a complete guide to this grid, see Accounts.

There are also labels and preset saved filters on this grid to help you prioritize which accounts to address.

Labels

Label                                   What it means
Human                                   The account belongs to a human identity.
Disabled                                The account has been deactivated.
Dormant                                 The account has not been active for 30 days.
External user                           The account belongs to a user outside your organization.
Service                                 The account belongs to a service principal identity (non-human).
Daily Driver or Primary daily account   This is the primary account the identity uses daily.
Managed by Password Safe                The account is managed by BeyondTrust Password Safe.
Microsoft Entra anomalous               Machine learning has identified the account as deviating from what is standard in Microsoft Entra ID.
Okta anomalous                          Machine learning has identified the account as deviating from what is standard in Okta.
Ongoing Brute Force                     An attacker is attempting to guess this account's password by using tools to systematically try every possible combination of characters.
Password: Blank                         There is no password associated with the account at all.
Password: Collisions                    The account shares a password with another account.
Password: Compromised                   The account's password is known to be compromised.
Password: Weak                          The account's password is weak.

Filters

  • Dormant privileged accounts with recommendations: Accounts that have not been active for 30 days and have open, unresolved security recommendations.
  • Privileged accounts under attack: High and Highest privilege accounts under attack whose security posture can be improved.
  • Unmanaged privileged accounts: High and Highest privilege accounts not managed by Password Safe.
  • Unmanaged privileged accounts under attack: High and Highest privilege accounts that are currently under attack and not managed by Password Safe.

Identities grid

The Identities grid has a True Privilege column. For more information on this page, see Identities.

Reporting

Several reports give you in-depth analysis of True Privilege in your environment. For more information, see Dashboards & Reports.

Findings

In the Ungrouped tab of the Recommendations and Detections pages, you can see the True Privilege level of the account associated with the finding.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.