I am interested to learn if you have any specific policies in your companies about what permissions you can or cannot grant to cyber security professionals. I have read that some companies actually reduce the permissions/roles etc. granted to cyber security management to help enforce the concepts of ‘separation of duties’ (so independence from certain functions/protect against conflicts of interest), but in practice I wondered how commonplace this was and what specifically you keep away from cyber security staff in terms of AD permissions. For example, do your cyber security professionals get domain admin or other privileged roles in your AD, or do you have to tactically remove certain privileges from their accounts (and if so, which/why)?
It may be easier to describe any specific actions/duties/support/troubleshooting that you don't allow the cyber security employees to perform as opposed to specific roles etc.