How to group Privileged Accounts?

One of the decisions you will need to make early on is how best to group accounts. This is a critical decision that deserves careful thought, as any later change in approach will be painful and will diminish trust in your ability to get the job done.

For example:
By Operating System: On the face of it this seems logical. You simply find your best PAM SME with UNIX knowledge and put them to work. However, you will quickly realise that your owner has multiple analysts approaching them for support with accounts sitting on other operating systems. Before too long this will become irritating for the owner, who now has multiple points of contact.

By Application: Again, account owners will probably have to deal with multiple remediation analysts for the different applications they own.

By Area / Function: In my experience, especially for very large organisations, this is the most pragmatic approach, as your owners only have to deal with a single analyst. If the volume of accounts is high then of course you can assign multiple analysts. The downside is that the analyst now has to become skilled in remediating multiple operating systems, but as your analyst is often in a facilitation role, he will be supported by SMEs that he can call on for advice.