Solved: Are there any downsides to being super admin?

thatonealma · 11-11-2022 05:15 AM

Hello!

We are currently taking into consideration who would be the first super admin and I need to know, are there any downsides to being super admin on Google Workspace?

Thanks!

cryptochrome

What do you mean exactly? Downsides in terms of using it like a normal user?

A user assigned to the super admin role works just like any other user, they won't notice a difference in functionality in day to day usage of the Workspace apps. They just have the additional permissions to be able to manage the product through the admin console.

However, it is considered security best practice to use a separate account for super-admin. If the super-admin uses Workspace like any other user, they will be prone to phishing and other attacks. When such attacks are successful, the attacker will gain superpowers over your whole Workspace setup. Just one of the many reasons why privileged access should not be granted to normal user accounts.

I would suggest creating separate admin accounts that are only used for managing and administrating the platform and for nothing else. You don't need to give these admins a full Workspace license, you can save costs by creating admin accounts with the free tier of Google Cloud Identity.

I have written a blog post about how to save money by using Cloud Identity licenses in the Workspace context, if you're interested in finding out more.

View solution in original post

cryptochrome

What do you mean exactly? Downsides in terms of using it like a normal user?

A user assigned to the super admin role works just like any other user, they won't notice a difference in functionality in day to day usage of the Workspace apps. They just have the additional permissions to be able to manage the product through the admin console.

However, it is considered security best practice to use a separate account for super-admin. If the super-admin uses Workspace like any other user, they will be prone to phishing and other attacks. When such attacks are successful, the attacker will gain superpowers over your whole Workspace setup. Just one of the many reasons why privileged access should not be granted to normal user accounts.

I would suggest creating separate admin accounts that are only used for managing and administrating the platform and for nothing else. You don't need to give these admins a full Workspace license, you can save costs by creating admin accounts with the free tier of Google Cloud Identity.

I have written a blog post about how to save money by using Cloud Identity licenses in the Workspace context, if you're interested in finding out more.

christiannewman

If you use Cloud Identity for the Super Admin account, you'll need to take additional steps to ensure receipt (by another account) of super admin alerts and notifications from Google - this can be done using a Group and/or routing rule.

Joe_The_Dragon

One downside is that can't make all API calls so for apps / other tools that need to run as admin they need to be paid for now.

alesker-abdulla

I think it's better to use the username you first registered as Super Admin. Example you can use admin@ex-site1.com username as Super Admin. You also don't need to add any email to this username, as the admin account is for administration and configuration.

Also, I suggest you create a new unit called "Administrator" on Organization Units and add your Super Admin account there.
Then I suggest you close all additional applications except Google Cloud, Google Developers , Google Search Console and Google Domains for Administrator unit from Additional Google services section. Because the Administrator account only needs the mentioned applications.