
I am looking for the right practice to provide access to application owners. As of now they are part of the system admins group. Whoever is part of the group can log in to the servers at any time and do anything.

Would a PAM solution with a shared ID with firecall be the right solution? If yes, should every app team have their own ID, or one ID for all app owners?

moorthyrv

1 Answer


A shared ID is a very risky approach. If one admin is compromised, then:

A) It may be hard to identify the compromised account and thus hard to analyze why it was compromised.

B) You will have to deactivate or restrict this account, which blocks the admin activities of all admins. Thus administrative tasks cannot be performed for some time, until you have resolved the problem.

C) From time to time people change their responsibilities in the company. If some employee doesn't work as an admin anymore, he still has the credentials for the shared ID. You would have to (at least) change the password every time in such cases.

A better approach is to define a role that gives the needed set of permissions. Then give this role to every admin separately. If needed, you can withdraw the admin role without blocking any other permissions and without any side effects for other admins.

mentallurg
Thanks for the inputs. With PAM, where you need an enterprise ID with MFA, the shared ID risk goes away. Just to access the shared ID one needs to use his/her firm's ID with MFA, and the shared ID password will also be rotating regularly. – moorthyrv Jun 08 '20 at 07:53
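The per-admin role the answer recommends, shown as a Linux sudoers policy. This is an added example, not from the answer or the question; the file path, host names, service name, group name and log path are placeholders.

```sudoers
# /etc/sudoers.d/myapp-owners  (placeholder path; edit with: visudo -f <path>)
#
# The role: a named, minimal command set for application owners.
# Placeholders: myapp.service, hosts app01/app02, group myapp-owners.
# --no-pager stops systemctl/journalctl from spawning a pager as root,
# which would otherwise give the caller an interactive root shell escape.
Cmnd_Alias MYAPP_OPS = /usr/bin/systemctl restart myapp.service,           \
                       /usr/bin/systemctl status --no-pager myapp.service, \
                       /usr/bin/journalctl --no-pager -u myapp.service

# Hosts the role applies to (sudoers is typically shared across servers).
Host_Alias MYAPP_HOSTS = app01, app02

# Principals: one OS group per application team, each member logging in
# with their own account. Granting or withdrawing the role is a group
# membership change for one person; nobody else's access is touched.
%myapp-owners MYAPP_HOSTS = (root) MYAPP_OPS

# Deliberately no NOPASSWD: each privileged command re-authenticates the
# individual, so the per-user PAM stack (including any MFA module) applies.

# Every invocation is recorded against the invoking user, not a shared ID;
# log_output additionally captures the session for replay with sudoreplay.
Defaults!MYAPP_OPS log_output
Defaults logfile=/var/log/sudo.log

# Deliberately absent: a shared login in the system admins group. If a
# firecall (break-glass) account is kept at all, it stays out of this file
# and is checked out per incident from the PAM vault, as the comment above
# describes.
```

Validate before deploying with `visudo -cf <path>`; a syntax error in a sudoers.d file locks everyone out of sudo on that host.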