In general, the key feature of managing logged in users is the type of user and their associated privileges. It is generally considered good practice to give only the minimum access rights required to perform the job. However, this often translates to minimum access possible. This creates a situation in which security measures end up being discarded or sidestepped.

A low-level example of this was from the retail sector. A cashier could process purchases but needed a manager's key to process a refund. This might seem reasonable, but at some times (for example, post-Christmas returns), the manager's key would end up fairly permanently left in the cash register. The access rights were not sufficient to perform the job.

In a similar way, if members of the IT team aren't ordinarily set up as administrators, they will often have to change between accounts of different privilege. This inevitably leads to multiple login sessions to reduce login times, or permanently simply sitting in the administrator account.