True Privilege | Insights
What is True Privilege? How is it useful?
True Privilege goes beyond traditional views of privilege and encompasses all actions a determined attacker could ultimately take if they followed a Path to Privilege and compromised an account.
Seeing True Privilege across your organization helps you understand where privileges should be reduced in order to follow the Principle of Least Privilege (PoLP) and shrink the blast radius if accounts are compromised.
Understanding privilege
Privilege in identity security is the level of access or permission a user, system, or application has to resources. It defines what actions they can take, such as viewing, creating, or changing data.
Visualizing privilege helps you determine and control who can do what in a system. By knowing the level of access each identity has, you can reduce unnecessary permissions, spot unusual activity, and prevent attackers from gaining control of sensitive data or systems.
Direct privilege, effective privilege, and True Privilege
Direct privilege shows permissions explicitly assigned to a user or account, not inherited from roles, groups, or policies. Direct privileges are the baseline access a user has, without considering any indirect or cascading permissions.
Example of direct privilege
A user is explicitly granted “write” access to a specific folder.
Effective privilege shows the permissions a user or account can exercise in practice, based on all assigned roles, groups, or policies at a specific moment. Effective privilege combines direct permissions with the inherited permissions that are visible through those assignments, but it may not reveal hidden or unintended access, such as rights gained through deeply nested groups or escalation paths.
Example of effective privilege
A user is assigned to a read-only role but temporarily inherits write access via a policy.
True Privilege shows the complete scope of what a user can actually do across all systems, including direct, indirect, inherited, or unintended permissions. True privilege reveals the real blast radius if an account is compromised.
Example of True Privilege
A user appears to have only read access but also has hidden write permissions through nested groups. True privilege exposes that they could modify data.
In short, traditional privilege includes direct and effective privilege. This encompasses permissions assigned to a user and what they can access in practice, either directly or through groups and roles.
True Privilege goes further than traditional privilege views, showing the actual access the user can gain. It uncovers hidden escalation paths, inherited rights, and misconfigurations that can be exploited.
Use True Privilege to minimize blast radius
Blast radius is the scope of impact if a privileged account or credential is compromised. The more privileged an identity is, the larger its blast radius. Understanding an account’s True Privilege helps accurately measure the blast radius and identify where to reduce risk. Applying least privilege reduces the potential damage a compromised account can cause.
True Privilege encompasses all actions a determined attacker could ultimately take if they compromised an account.
Privileged accounts as chokepoints
A chokepoint is a place in the identity or access management flow where activity must pass through a single control or decision layer before continuing. A single privileged credential often unlocks access across servers, applications, or the entire IT environment, which makes such credentials a narrow funnel through which critical control passes.
If attackers compromise a chokepoint, they can potentially gain access to many downstream systems. That single point of failure can magnify the blast radius of an attack.
Because chokepoints are unavoidable control layers, they’re also the most effective places to enforce strong policies (MFA, least privilege, continuous monitoring).
By understanding an account's True Privilege and securing it as a chokepoint, you raise your overall security posture.
Where to see True Privilege in Insights
Insights contains dedicated graphs, reports, and tags in grids to help you distinguish between an account’s direct privileges and its True Privilege, as well as understand what actions to prioritize to manage privilege-related risks.
How are privileges calculated?
Insights uses patented machine learning models to categorize all possible “primitives” or actions in each connected domain. These categories are used in a matrix to define the privilege level of each action.
Thousands of unique actions exist across domains. Using AI and machine learning, we dynamically track and categorize each one, giving customers visibility into newly created or modified actions before attackers discover and exploit them.
Privilege levels in Insights
Insights shows you both the direct privilege and True Privilege level of your accounts.
Our machine learning (ML) models categorize each action based on its potential impact and risk, then determine the overall privilege level using the following approach:
- Highest-risk action methodology: An account's privilege level is determined by the most impactful action it can perform. Even if an account has mostly low-privilege actions, access to a single highest-risk action (such as deleting critical infrastructure or modifying IAM policies) elevates its overall privilege level accordingly.
- Dynamic categorization: As new actions are introduced or modified in your connected domains, our ML models automatically categorize them and update privilege calculations in real-time, ensuring you always have current visibility into privilege risks.
- True Privilege consideration: The calculation accounts for not just direct permissions, but also indirect access paths discovered through our True Privilege analysis. An account may appear to have low direct privileges but achieve a higher privilege level through lateral movement or privilege escalation paths.
Rather than using a numerical score, Insights assigns categorical privilege levels (Highest, High, Medium, Low, None, Undetermined) to provide clear, actionable classifications that help you prioritize remediation efforts based on actual risk exposure.
- Highest: The account has direct or indirect access to actions that can significantly impact the entire organization, such as creating/deleting critical resources, modifying security policies, managing identity and access controls, or accessing all data across the environment. These accounts pose the greatest risk if compromised.
- High: The account has access to actions that can affect multiple systems, resources, or users, such as modifying configurations, managing groups or roles, or accessing sensitive data. Compromise of these accounts could lead to substantial damage or lateral movement.
- Medium: The account has access to actions that impact specific resources or limited scopes, such as managing individual resources, modifying non-critical settings, or accessing moderately sensitive data. These accounts have elevated permissions beyond standard users but with constrained impact.
- Low: The account has minimal elevated permissions, such as read access to some privileged resources or the ability to perform basic administrative tasks with limited scope. Impact of compromise is contained and primarily affects the account itself or a small number of resources.
- None: The account does not have any privileged access.
- Undetermined: Insights cannot determine the privilege level of this account.
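The three views defined above (direct, effective, and True Privilege) and the highest-risk action rule can be made concrete with a small graph model. The following is an added, constructed example written for this page; it is not Insights code and does not reproduce its patented models. It assumes a toy directory (principals, nested groups, and explicit permissions), a constructed action-to-level matrix, and one constructed escalation edge (holding `iam:AddUserToGroup` lets an attacker join `grp-cluster-admins`). Direct privilege is read straight off the account, effective privilege follows group membership only, and True Privilege also follows escalation edges; each level is the level of the single most impactful reachable action, and an action that is not yet in the matrix yields Undetermined.

```python
"""Direct vs. effective vs. True Privilege over a toy identity graph.

Constructed illustration for this page, not BeyondTrust Insights code.
All principals, groups, actions, levels and the escalation edge are
assumptions made for the example.
"""
from collections import deque

# Categorical levels, ordered from least to most severe.
LEVELS = ["None", "Low", "Medium", "High", "Highest"]

# Constructed privilege matrix: action -> level. Anything missing here is
# treated as not yet categorized (Undetermined).
ACTION_LEVEL = {
    "storage:ReadObject": "Low",
    "storage:WriteObject": "Medium",
    "compute:RestartInstance": "Medium",
    "iam:AddUserToGroup": "High",
    "infra:DeleteCluster": "Highest",
}

# Explicit permissions per principal (users and groups).
DIRECT = {
    "alice": {"storage:ReadObject"},
    "bob": {"storage:ReadObject"},
    "svc-legacy": {"legacy:RunJob"},  # action not in the matrix
    "grp-readers": {"storage:ReadObject"},
    "grp-ops": {"compute:RestartInstance", "storage:WriteObject"},
    "grp-iam-admins": {"iam:AddUserToGroup"},
    "grp-cluster-admins": {"infra:DeleteCluster"},
}

# Direct group membership; grp-ops is itself nested inside grp-iam-admins.
MEMBER_OF = {
    "alice": {"grp-readers"},
    "bob": {"grp-readers", "grp-ops"},
    "grp-ops": {"grp-iam-admins"},
}

# Escalation edges (assumed): holding this action lets the holder become
# a member of these groups, e.g. by adding themselves to the group.
ESCALATION = {
    "iam:AddUserToGroup": {"grp-cluster-admins"},
}


def reachable(principal, follow_escalation):
    """Breadth-first walk over membership (and optionally escalation) edges.

    Returns {action: path}, where path lists the principals, groups and
    escalating actions traversed to reach that action.
    """
    paths, seen = {}, set()
    queue = deque([(principal, [principal])])
    while queue:
        p, path = queue.popleft()
        if p in seen:
            continue
        seen.add(p)
        for action in sorted(DIRECT.get(p, ())):
            paths.setdefault(action, path + [action])
            if follow_escalation:
                for group in sorted(ESCALATION.get(action, ())):
                    queue.append((group, path + [action, group]))
        for group in sorted(MEMBER_OF.get(p, ())):
            queue.append((group, path + [group]))
    return paths


def level_of(actions):
    """Highest-risk action rule: the level of the most impactful action.

    Uncategorized actions are ignored if any categorized action exists;
    if every action is uncategorized the level is Undetermined.
    """
    if not actions:
        return "None"
    known = [ACTION_LEVEL[a] for a in actions if a in ACTION_LEVEL]
    if not known:
        return "Undetermined"
    return max(known, key=LEVELS.index)


def direct_level(principal):
    return level_of(DIRECT.get(principal, set()))


def effective_level(principal):
    return level_of(reachable(principal, follow_escalation=False))


def true_level(principal):
    return level_of(reachable(principal, follow_escalation=True))


def path_to_privilege(principal):
    """The path that sets the account's True Privilege level."""
    paths = reachable(principal, follow_escalation=True)
    if not paths:
        return []
    top = max(paths, key=lambda a: LEVELS.index(ACTION_LEVEL.get(a, "None")))
    return paths[top]


if __name__ == "__main__":
    for who in ("alice", "bob", "svc-legacy"):
        print(f"{who:10} direct={direct_level(who):6} effective={effective_level(who):6} "
              f"true={true_level(who)}")
    print("bob's path to privilege:", " -> ".join(path_to_privilege("bob")))
```

Run as a script, the model reports `bob` as Low by direct privilege, High by effective privilege (the nested `grp-iam-admins` membership is only visible once groups are expanded), and Highest by True Privilege, because `iam:AddUserToGroup` is an escalation step into `grp-cluster-admins`. That last hop is the "hidden write permission through nested groups" case from the definitions above, and the printed path is what a remediation owner needs in order to decide which edge to cut.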
Dashboards
On the Insights Homepage, the default Insights Summary dashboard shows a True Privilege Summary that includes the number of accounts with High and Highest True Privilege levels.
True Privilege graph
To open the True Privilege graph:
- Navigate to the Identities page.
- Select an identity under the Name column to open the Overview panel.
- Click True Privilege Graph.
Accounts grid
There is a True Privilege column on the Accounts grid that denotes the True Privilege level of the account. For a complete guide to this grid, see Accounts.
There are also labels and preset saved filters on this grid to help you prioritize which accounts to address.
Labels
| Label | What it means |
|---|---|
| Human | The account belongs to a human identity. |
| Disabled | The account has been deactivated. |
| Dormant | The account has not been active for 30 days. |
| External user | The account belongs to a user outside your organization. |
| Service | The account belongs to a service principal identity (non-human). |
| Daily Driver or Primary daily account | This is the primary account the identity uses daily. |
| Managed by Password Safe | The account is managed by BeyondTrust Password Safe. |
| Microsoft Entra anomalous | Machine learning has identified the account as deviating from what is standard in Microsoft Entra ID. |
| Okta anomalous | Machine learning has identified the account as deviating from what is standard in Okta. |
| Ongoing Brute Force | An attacker is attempting to guess this account's password by systematically trying many candidate passwords with automated tools. |
| Password: Blank | There is no password associated with the account at all. |
| Password: Collisions | The account shares a password with another account. |
| Password: Compromised | The account's password is known to be compromised. |
| Password: Weak | The account's password is weak. |
Filters
- Dormant privileged accounts with recommendations: Accounts that have not been active for 30 days that have open, unresolved security recommendations.
- Privileged accounts under attack: High and highest privilege accounts under attack whose security posture can be improved.
- Unmanaged privileged accounts: High and highest privilege accounts not managed by Password Safe.
- Unmanaged privileged accounts under attack: High and highest privilege accounts that are currently under attack and not managed by Password Safe.
Identities grid
The Identities grid has a True Privilege column. For more information on this page, see Identities.
Reporting
Several reports give you in-depth analysis of True Privilege in your environment. For more information, see Dashboards & Reports.
Findings
In the Ungrouped tab of the Recommendations and Detections pages, you can see the True Privilege level of the account associated with the finding.