Cloud Identity user as Super Admin

Problem

I've created a new, free Cloud Identity user (e.g. cloudadmin@domain.com) in Google Workspace and assigned this user Super Admin privileges.

I understand that upon adding a new user in Google Workspace, you can designate a "secondary email" for sign-in instructions. You can also send billing and account notifications to another admin (https://support.google.com/a/answer/7437937). I plan on designating another email address for each of these cases. However, initially at least, notifications regarding any changes made to the account (e.g. 2SV, recovery phone/email) will still be sent to the Cloud Identity user's email address.

Since Cloud Identity users do not have Gmail, my initial thought was to create a Google Group (e.g. cloudadmingroup@domain.com) that will act as this user's email inbox and then create a routing rule that reroutes all emails addressed to the Cloud Identity user to the Google Group.

  • Gmail Routing Rule: cloudadmin@domain.com -> cloudadmingroup@domain.com

At least one existing user account with Gmail access will need to subscribe to the group to receive any account-related emails.

Goal

The goal is to transition both of my existing, licensed, non-Cloud Identity Super Admin users to Cloud Identity accounts with Super Admin privileges, and then remove Super Admin privileges from the licensed accounts.

Final Thoughts

My personal opinion is that using Cloud Identity users as Google Workspace Super Admins makes sense, however, my concern lies with the fact that Cloud Identity users do not have access to Gmail. Because I don't want to miss any messages that are sent to the Cloud Identity user's email address, routing these messages to a "Super Admin Google Group" will be used to capture them.

  • I would like to have ALL of my Super Admin accounts be Cloud Identity users
  • Each Super Admin user will have a Google Group to receive emails regarding their account
  • Each Super Admin will have one free Cloud Identity Super Admin account and one licensed non-admin account
  • At least one licensed, non-admin account will need to be subscribed to the Google Group in order to receive account notifications in Gmail (ideally, these will be the licensed, non-admin accounts of each Super Admin)

Is there anything inherently wrong with or any potential pitfalls to this approach that I might be missing?

Ultimately, this is to comply with Google's documentation regarding Security best practices for administrator accounts (https://support.google.com/a/answer/9011373)
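As an added illustration (not part of the original post), the layout described above can be audited mechanically. The script below is hypothetical example code, not Google's or the poster's: it runs the checks a reviewer would apply to the proposed setup over constructed sample records. The records are hand-written for this example, not pulled from a live tenant; their keys follow the field names of the Admin SDK Directory API (`users.list`, `members.list`) and the Enterprise License Manager API (`licenseAssignments`), while the routing table is an assumed representation of the Gmail routing rule, since routing rules are not exposed through those APIs.

```python
"""Audit the proposed Super Admin layout: free Cloud Identity super admins whose
account mail is routed to a Google Group with at least one licensed, non-admin
member subscribed, and no licensed account still holding super admin."""

# Constructed sample data for this example (not fetched from a live tenant).
USERS = [
    # Free Cloud Identity account set up as the post describes.
    {"primaryEmail": "cloudadmin@domain.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "recoveryEmail": "bossman@domain.com",
     "suspended": False},
    # Second Cloud Identity super admin, 2SV not yet enrolled.
    {"primaryEmail": "cloudadmin2@domain.com", "isAdmin": True,
     "isEnrolledIn2Sv": False, "recoveryEmail": "",
     "suspended": False},
    # Licensed daily-driver account, no admin role.
    {"primaryEmail": "bossman@domain.com", "isAdmin": False,
     "isEnrolledIn2Sv": True, "recoveryEmail": "", "suspended": False},
    # Licensed account that still holds super admin (transition unfinished).
    {"primaryEmail": "representative@domain.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "recoveryEmail": "", "suspended": False},
]

# userId values that currently hold a Google Workspace SKU.
LICENSED = {"bossman@domain.com", "representative@domain.com"}

# Assumed representation of the Gmail routing rule:
# recipient address -> Google Group that receives the mail.
ROUTING = {
    "cloudadmin@domain.com": "cloudadmingroup@domain.com",
    "cloudadmin2@domain.com": "cloudadmin2group@domain.com",
}

# members.list result per group; the second group has nobody subscribed,
# so anything routed to it would be captured but never read.
GROUP_MEMBERS = {
    "cloudadmingroup@domain.com": [
        {"email": "bossman@domain.com", "role": "MEMBER", "type": "USER"},
    ],
    "cloudadmin2group@domain.com": [],
}


def audit_super_admins(users, licensed, routing, group_members):
    """Return (account, finding) pairs for every active super admin that
    deviates from the intended layout. An empty list means the layout holds."""
    by_email = {u["primaryEmail"]: u for u in users}
    findings = []
    for u in users:
        if not u["isAdmin"] or u["suspended"]:
            continue
        email = u["primaryEmail"]
        # Goal of the post: super admin lives only on unlicensed accounts.
        if email in licensed:
            findings.append((email, "licensed account still holds super admin"))
        # Google's admin best practices require 2SV on every admin account.
        if not u["isEnrolledIn2Sv"]:
            findings.append((email, "2SV not enrolled"))
        group = routing.get(email)
        if group is None:
            # Without Gmail and without a routing rule, account notices
            # (2SV or recovery changes) have nowhere to land.
            if email not in licensed:
                findings.append((email, "no Gmail routing rule: account mail is unreachable"))
            continue
        # Only direct USER members that are licensed (have Gmail) and hold no
        # admin role count as readers, as the post requires.
        readers = [
            m["email"] for m in group_members.get(group, [])
            if m.get("type") == "USER"
            and m["email"] in licensed
            and not by_email.get(m["email"], {}).get("isAdmin", False)
        ]
        if not readers:
            findings.append((email, f"group {group} has no licensed non-admin member to read notifications"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_super_admins(USERS, LICENSED, ROUTING, GROUP_MEMBERS):
        print(f"{account}: {finding}")
```

On the sample data the audit flags the second Cloud Identity admin twice (no 2SV, empty group) and the licensed account that still holds super admin; the fully configured cloudadmin@domain.com produces no findings. Against a real tenant the three dicts would be filled from paged API calls, and the routing table from the Gmail routing settings in the Admin console.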


I understand and appreciate the cost-efficiency concerns.

However, without Gmail or Calendar access, there are certain functions your Cloud Identity super admins won't be able to perform, either in the GUI or via the API (just one of many examples is transferring calendar events on behalf of users).

The implications go beyond mail delivery.

The number of super admins relative to the number of user accounts is normally quite small; therefore, I recommend simply licensing them for Google Workspace (if not all at least one - the primary administrator).

Thanks @christiannewman,

I think my use-case would apply most to those operating at a lower-maturity level use of Google Workspace. Currently, I do not have a lot of Super Admin tasks besides adding my very few "users" and admins (all me), managing my Google Groups (Access Groups, Configuration Groups, and Groups used for communication), and configuring my Google Workspace settings. I'm operating solo at the moment without an actual team of people yet.

However, I do currently have two "users":

1. "Back-end facing": Let's call him Mr. BossMan (me), a licensed Super Admin, whose account is responsible for performing this small subset of Super Admin tasks, managing important communications/accounts (legal, finance), and creating internal business documents.
2. "Front-end facing": Mr. Representative (also me), a licensed backup Super Admin, whose account is mainly responsible for performing most everyday communications on behalf of the company, managing third-party accounts, etc.

Google suggests adding multiple Super Administrators, so at least two, and giving each Super Administrator two accounts: one for daily activities, and the other for performing super admin duties.

That's already 3, possibly 4, licensed accounts right off the bat for any "solopreneur" such as myself. For the little guy trying to get his business off the ground/running, and in an effort to adhere to Google's security best practices for administrators, which I 1000% agree with, this could be a costly roadblock for people like me who are just getting started, are not yet operating at scale, but still want the perks that Google Workspace provides for us.

And so, at the cost of saving themselves a few extra monthly subscriptions, I would assume most new Google Workspace customers just starting out would reluctantly or ignorantly choose to sacrifice security over this (which probably looks something along the lines of creating only one Super Admin account to do all their daily activities and super admin duties) ~ for me, it was keeping my current configuration. To some, those security best practices might be worth the cost, but I feel that, to most, even just one extra licensed account other than their every-day use account would make them wince.

I get it though. Sometimes, that's just the price you pay. I love Google Workspace. Those are just my thoughts as it relates to my personal experience so far, which, I admit is still in its infancy.

And thank you for the words of caution. Due to the slight complexity of it all, I never fully tested my suggested setup, but I did fool around with it a while back, and for my purposes at least, everything seemed to work fine. The only real concern I had was whether the chances of a routing rule suddenly "not working" for my Super Admin-designated Google Group was greater than the chances of a licensed user not receiving an email in Gmail, which I believe is, although (hopefully) unlikely, and that just wasn't a risk I was willing to take.

I hope you don't mind my small rant haha. I do agree with you, and I think your advice is quite sound.

This! And I think this is broken, which is why I filed this request. This would encourage proper separation-of-duties access controls (which is good for Google and for their customers) and not cost a lot of additional dollars, given you're not just paying 2x for Google licensing, you're paying 2x for all associated licensing that is based on your current Google user count, which adds up quickly.

Don't your super administrators need the admin functions that are only available with an assigned Google Workspace license?

Yes, which is why I would rather see a new type of user that is a SA that has some restriction that makes it inconvenient to use as a daily driver account and doesn't cost a full user license. The "inconvenience" would be something to prevent license abuse while encouraging separate SA users and not just SAing someone's primary account. It should be free or cheaper than a full user and have its accounting managed in a way that doesn't count towards a user with 3rd party services that bill based on active licensed Google users in the domain.

Hey @jbradford-nokno, I'd love to see what you proposed in your request. Unfortunately, I can't see it due to access permissions.

Check out my other comment though on this thread and let me know if it aligns at all with your thoughts on this.

I think the more elegant solution would be some type of associatable account that is essentially an SU-able user type, where a user can be granted SU permissions that are technically strapped to a "ghost" account that, when needed, can be invoked and authenticated to for the specific purpose and then have it revert to the standard user. Alternatively, a new user type that is for SA accounts that is somehow made inconvenient to use as a "daily driver" user and is free or very cheap and separated from regular users such that all Google-adjacent tools don't count those as active users for licensing purposes. The pair of goals I am after is forcing/encouraging proper separation of user and administrative accounts without requiring paying double for each admin user, and establishing something more like actual-user licensing vs. flat user count licensing. Properly used SA accounts shouldn't be using much Google resources WRT mail and calendaring, but might WRT storage, since it is probably better to transfer exited user data that doesn't have a defined new owner to SA rather than to some human who gets their storage cluttered. The link I shared is to the feature request "Idea Exchange". If you don't have access, you should open a support ticket to get access. These forums are great for discussion, but feature requests here are not in the official queue for consideration AFAIK, so might as well be Reddit WRT getting the desires to actual PMs/devs.

Well, at the very least you can have a backup admin as a free user (not one that can make all API calls).
