If you don't track who has admin access, a disgruntled employee or a hacked account can delete customer data, steal payment information, or change financial records without leaving a trace. For example, a mid-sized garment exporter in Tamil Nadu gave its IT person admin access to the export billing system; when he resigned angrily, he deleted three months of shipping records, costing the company ₹15 lakhs in customer claims and audit fines. Customers and banks also ask for proof of this control before renewing contracts; missing it can cost you orders. If a regulator or auditor finds unlimited admin accounts, you could face penalties under the DPDP Act for failing to protect customer data.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no idea who has admin access or how many admin accounts exist in your systems. When something goes wrong, you ask everyone 'Was it you?' and hope someone admits it.
Initial
You know that your IT person and maybe the owner have admin passwords, but you've never written down a list or checked whether they're still needed. Passwords are probably shared or written on a sticky note.
Developing
You have a rough list of who has admin access (maybe in an Excel file), and you've removed a few accounts from people who left, but you haven't checked this list in over a year and you don't know if all these people still need that access.
Defined
You maintain an updated list of admin accounts and who owns each one, you review it twice a year, and you've set rules like 'admin access expires after 90 days unless renewed.' You can show an auditor who has admin access right now.
Managed
Every admin account is tied to a specific job role and business need (e.g., 'Finance admin can only access the payroll system'). You review access quarterly, log who used admin functions and when, and remove access automatically when someone's role changes.
Optimised
You use a central system (like Microsoft Entra ID or similar) where admin access is granted for specific tasks and only for a set time, then automatically removed. Every admin action is logged with the person's name, timestamp, and what they did, and you analyse these logs monthly for suspicious activity.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Gather everyone with admin or root access (IT staff, owner, finance lead) in one meeting and make a written list with their names, which systems they access, and why they need it. Keep this list in a locked drawer or secure file. | Owner or IT person | 1 day |
| 1 → 2 | Move the admin list to a shared document (Excel or Google Sheets) that you review and update every 6 months. For each admin account, document the person's name, their job role, systems they access, date access was granted, and expected end date (if any). Remove anyone who no longer works there. | IT person with Owner approval | 1 week |
| 2 → 3 | Set a formal policy: admin access must be approved in writing by the owner/manager, reviewed every 90 days, and must have an expiry date. Create a simple form or template for requesting admin access. Start logging when people use admin functions (even just a basic notebook or spreadsheet). Schedule a quarterly review meeting to check if the list is still accurate. | Owner with IT person | 2-4 weeks |
| 3 → 4 | Link each admin account to a specific job role and function (e.g., 'Finance Manager – Payroll System Only' instead of blanket admin). Use the principle of least privilege: if someone only needs to approve invoices, don't give them password-change rights. Set up automated audit logs in your systems (Windows Event Viewer, database audit logs, etc.) and review them monthly for unusual activity. | IT person with Owner and manager input | 1-2 months |
| 4 → 5 | Implement a centralised identity management system (such as Microsoft Entra ID, Okta, or similar) where admin roles can be assigned with automatic expiry, and all admin actions are logged centrally. Set up automated alerts for suspicious admin activity (e.g., admin login at 2 AM from an unusual location). Conduct a formal audit of admin access and logs every quarter with documented findings. | IT person with external consultant if needed | Ongoing |
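The 1 → 2, 2 → 3 and 3 → 4 steps above all come down to the same quarterly question: does every admin account still have a named owner who works here, a business reason, an expiry date and a recent review? The script below is an added example (not part of this page or the NIRMATA framework) that runs those checks over an admin inventory kept in the column layout recommended in step 1 → 2. The CSV rows, the HR staff list, the review date and the least-privilege threshold of two systems per admin are all constructed for illustration.

```python
"""Admin-account access review: flags the problems the roadmap steps tell you to look for.

Added example, not part of the NIRMATA page. The CSV columns follow the inventory
described in step 1 -> 2 (account, owner, role, systems, date granted, expiry date)
plus a last-reviewed date; the data is constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed inventory in the shape the page recommends (step 1 -> 2).
ADMIN_INVENTORY_CSV = """account,owner,role,systems,granted,expires,last_reviewed
priya.admin,Priya Raman,IT Manager,Windows AD;Export billing,2024-01-10,2025-01-10,2024-11-01
suresh.fin,Suresh Kumar,Finance Manager,Payroll,2024-03-01,,2024-06-15
admin,,Shared,Export billing;Tally,2022-05-20,,
rajesh.it,Rajesh Iyer,IT Support,Windows AD;Payroll;Email,2023-09-05,2024-09-05,2024-03-01
"""

# Constructed HR list of people currently employed (Rajesh has left).
CURRENT_STAFF = {"Priya Raman", "Suresh Kumar"}

REVIEW_DATE = date(2024, 12, 1)   # constructed date of this quarterly review
REVIEW_INTERVAL_DAYS = 90         # review cadence from step 2 -> 3
MAX_SYSTEMS_PER_ADMIN = 2         # hypothetical least-privilege threshold (step 3 -> 4)


def parse_date(text):
    """Empty cell means 'not set'; otherwise ISO date."""
    return date.fromisoformat(text) if text else None


def review_admin_accounts(inventory_csv, current_staff, today):
    """Return a list of (account, finding) tuples; an empty list means the inventory is clean."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        account = row["account"]
        owner = row["owner"].strip()
        expires = parse_date(row["expires"])
        last_reviewed = parse_date(row["last_reviewed"])
        systems = [s for s in row["systems"].split(";") if s]

        # Every admin account must belong to one named, current employee.
        if not owner:
            findings.append((account, "shared/generic account with no named owner"))
        elif owner not in current_staff:
            findings.append((account, f"owner {owner} no longer employed; revoke access"))

        # Access must carry an expiry date and must not be active past it.
        if expires is None:
            findings.append((account, "no expiry date set"))
        elif expires < today:
            findings.append((account, f"access expired on {expires}; still active"))

        # Reviews overdue by the 90-day policy.
        if last_reviewed is None or (today - last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((account, f"not reviewed in the last {REVIEW_INTERVAL_DAYS} days"))

        # Blanket admin across many systems is the least-privilege smell from step 3 -> 4.
        if len(systems) > MAX_SYSTEMS_PER_ADMIN:
            findings.append((account, f"admin on {len(systems)} systems; check least privilege"))
    return findings


if __name__ == "__main__":
    for account, finding in review_admin_accounts(ADMIN_INVENTORY_CSV, CURRENT_STAFF, REVIEW_DATE):
        print(f"{account:12} {finding}")
```

Run it against the real spreadsheet by exporting it to CSV and loading the HR list from payroll; the printed findings, dated and signed off by the owner, are exactly the "quarterly access review record" the evidence list asks for.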
Documents and records that prove your maturity level.
- Written or digital list of all admin accounts with owner names, role, systems accessed, date granted, and expiry date
- Access request and approval forms (e.g., email or form where someone requested admin access and a manager approved it)
- Access removal documentation showing when and why admin access was revoked for employees who left or changed roles
- Quarterly or bi-annual access review records signed by owner/manager confirming they checked the list and approved it
- Audit or activity logs showing who used admin functions, when, and what they did (can be exported from your IT systems)
Prepare for these questions from customers or third-party reviewers.
- "Can you show me a current list of all admin accounts in your organisation? Who approved each one and why do they need it?"
- "What happens when someone leaves the company or changes jobs? How do you remove their admin access, and can you show me examples?"
- "Do you have any shared admin passwords (e.g., one password used by multiple people)? If so, why?"
- "When was the last time you reviewed who actually needs admin access? What did you find and what did you change?"
- "If I ask your IT person to show me what admin activities happened last month, can you produce a log with details like who did what and when?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain list of admin accounts and track access changes | Google Sheets or Microsoft Excel (already available if you use Microsoft 365) | Microsoft Entra ID (₹2,500–5,000/user/year) or Okta (₹4,000–8,000/user/year) |
| Log and monitor who uses admin functions and what they do | Windows Event Viewer (built into Windows Server) or auditd (Linux). Syslog servers like Rsyslog (free, open-source) | Splunk (₹8,00,000+/year for enterprise) or Microsoft Sentinel (₹4,000–15,000/month) |
| Automate expiry of admin access and enforce password policies | Active Directory (if you use Windows Server) or FreeIPA (open-source) | Okta or Microsoft Entra ID (as above) or JumpCloud (₹3,000–6,000/user/year) |
- Giving blanket admin access to anyone in the IT or finance team without restricting which systems they can change—then when something goes wrong, you can't trace who did it
- Sharing admin passwords or using the same generic password for all admin accounts, so you don't know which individual person used it and can't hold anyone accountable
- Forgetting to remove admin access from people who left the company or moved to a different role—your former accounts person still has access to your payroll system after resigning
- Never reviewing the admin list; you think you have 3 admin accounts but actually have 7 because old accounts were never cleaned up
- Not logging admin activities, so when an auditor or customer asks 'What did your admin do on 15 August?', you have no answer
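To answer "What did your admin do on 15 August?" and to raise the kind of alert described in step 4 → 5 (admin login at 2 AM from an unusual location), you need the exported admin logs in a form you can query. The following is an added example, not code from this page or from any of the tools in the table above: it parses constructed key=value log lines, flags out-of-hours logins, logins from outside the office network, repeated failed logins and actions by accounts missing from the inventory, and lists everything a given day's admins did. The office network range, the admin list and the working hours are assumptions; a Windows Event Viewer or auditd export would need its own parser, but the checks are the same.

```python
"""Monthly admin-activity review over exported audit log lines.

Added example, not part of the NIRMATA page. Log lines are constructed in a
simple key=value syslog style with IST timestamps.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed log lines: one admin login or admin action per line.
AUDIT_LOG = """\
2024-08-15T09:12:03+05:30 host=billing-srv user=priya.admin action=admin_login src=192.168.10.21 result=success
2024-08-15T09:14:40+05:30 host=billing-srv user=priya.admin action=export_records src=192.168.10.21 result=success
2024-08-15T02:07:19+05:30 host=billing-srv user=rajesh.it action=admin_login src=203.0.113.45 result=success
2024-08-15T02:09:55+05:30 host=billing-srv user=rajesh.it action=delete_records src=203.0.113.45 result=success
2024-08-16T11:30:01+05:30 host=payroll-srv user=suresh.fin action=admin_login src=192.168.10.33 result=failure
2024-08-16T11:30:20+05:30 host=payroll-srv user=suresh.fin action=admin_login src=192.168.10.33 result=failure
2024-08-16T11:30:41+05:30 host=payroll-srv user=suresh.fin action=admin_login src=192.168.10.33 result=failure
2024-08-16T11:31:05+05:30 host=payroll-srv user=suresh.fin action=admin_login src=192.168.10.33 result=success
2024-08-17T14:05:12+05:30 host=payroll-srv user=admin action=change_password src=192.168.10.40 result=success
"""

OFFICE_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]   # constructed office LAN
KNOWN_ADMINS = {"priya.admin", "suresh.fin", "rajesh.it"}      # named accounts from the inventory
WORK_HOURS = range(8, 20)                                      # assumed 08:00-19:59 local
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line):
    """Split '<timestamp> key=value key=value ...' into a dict with a parsed datetime."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def review_audit_log(log_text):
    """Return (events, alerts): all parsed events plus the human-readable alerts they trigger."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    failures = Counter()
    for event in events:
        who, when = event["user"], event["time"]
        src = ipaddress.ip_address(event["src"])
        stamp = when.strftime("%Y-%m-%d %H:%M")
        is_login = event["action"] == "admin_login"

        if is_login and event["result"] == "success":
            if when.hour not in WORK_HOURS:
                alerts.append(f"{stamp} {who}: admin login outside working hours")
            if not any(src in net for net in OFFICE_NETWORKS):
                alerts.append(f"{stamp} {who}: admin login from non-office address {src}")

        if is_login and event["result"] == "failure":
            failures[who] += 1
            if failures[who] == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{stamp} {who}: {FAILED_LOGIN_THRESHOLD} failed admin logins")

        # A shared or unknown account acting as admin defeats accountability.
        if who not in KNOWN_ADMINS:
            alerts.append(f"{stamp} {who}: admin action by account not in the inventory")
    return events, alerts


def activity_on(events, day):
    """Answer 'what did your admin do on <day>?' as (user, action, host) entries."""
    return [(e["user"], e["action"], e["host"])
            for e in events if e["time"].date().isoformat() == day]


if __name__ == "__main__":
    events, alerts = review_audit_log(AUDIT_LOG)
    for alert in alerts:
        print("ALERT", alert)
    for entry in activity_on(events, "2024-08-15"):
        print("2024-08-15", *entry)
```

Keeping the alert rules as plain data (network list, hours, threshold, admin set) means the same script doubles as the monthly review and as the basic alerting step, and the inventory from the access review feeds `KNOWN_ADMINS` directly.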
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (accountability principle requiring access control and audit trails for personal data) |
| CERT-In 2022 Directions | Direction 4 (access control and privilege management) and Direction 6 (logging and audit trails) |
| ISO 27001:2022 | Annex A 5.3 (separation of duties) and A 8.2 (privileged access rights) |
| NIST CSF 2.0 | Govern & Protect - Govern Access & Authorization (ID.AM, PR.AC) and Detect anomalies & events (DE.CM) |