Cloud Identity user as Super Admin

Problem

I've created a new, free Cloud Identity user (e.g. cloudadmin@domain.com) in Google Workspace and assigned this user Super Admin privileges.

I understand that upon adding a new user in Google Workspace, you can designate a "secondary email" for sign-in instructions. You can also Send billing and account notifications to another admin (https://support.google.com/a/answer/7437937). I plan on designating another email address for each of these cases. However, initially at least, notifications regarding any changes made to the account (e.g. 2SV, recovery phone/email) will still be sent to the Cloud Identity user's email address.

Since Cloud Identity users do not have Gmail, my initial thought was to create a Google Group (e.g. cloudadmingroup@domain.com) that will act as this user's email inbox and then create a routing rule that reroutes all emails addressed to the Cloud Identity user to the Google Group.

  • Gmail Routing Rule: cloudadmin@domain.com -> cloudadmingroup@domain.com

At least one existing user account with Gmail access will need to subscribe to the group to receive any account-related emails.

Goal

The goal is to transition both of my existing, licensed non-Cloud Identity Super Admin users to Cloud Identity accounts with Super Admin privileges, and then remove Super Admin privileges from the licensed accounts.

Final Thoughts

My personal opinion is that using Cloud Identity users as Google Workspace Super Admins makes sense, however, my concern lies with the fact that Cloud Identity users do not have access to Gmail. Because I don't want to miss any messages that are sent to the Cloud Identity user's email address, routing these messages to a "Super Admin Google Group" will be used to capture them.

  • I would like to have ALL of my Super Admin accounts be Cloud Identity users
  • Each Super Admin user will have a Google Group to receive emails regarding their account
  • Each Super Admin will have one free Cloud Identity Super Admin account and one licensed non-admin account
  • At least one licensed, non-admin account will need to be subscribed to the Google Group in order to receive account notifications in Gmail (ideally, these will be the licensed, non-admin accounts of each Super Admin)

Is there anything inherently wrong with or any potential pitfalls to this approach that I might be missing?

Ultimately, this is to comply with Google's documentation regarding Security best practices for administrator accounts (https://support.google.com/a/answer/9011373)
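As an added example (not part of the original post, and not Google's own tooling), the following script checks the invariant the question relies on: every active Super Admin that has no Gmail mailbox must be covered by a routing rule whose target is a Google Group with at least one active, licensed member who can actually read the notices. The `User`/`Group` records, the `routing` map and all addresses are constructed for the example; `is_admin` and `suspended` mirror the Directory API's `isAdmin` and `suspended` user fields, while `has_gmail` is an assumption standing in for "holds a Workspace licence". In a real deployment the input would come from the Admin SDK rather than the inline sample.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class User:
    primary_email: str
    is_admin: bool            # Directory API "isAdmin": True for a Super Admin
    has_gmail: bool           # assumption: True for a licensed Workspace account,
                              # False for a free Cloud Identity account
    suspended: bool = False   # Directory API "suspended"


@dataclass
class Group:
    email: str
    members: List[str] = field(default_factory=list)  # member email addresses


def audit_admin_notifications(users: List[User], groups: List[Group],
                              routing: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {super_admin_email: [findings]} for every active Super Admin.

    A Super Admin with no mailbox must have a routing rule whose target is a
    group with at least one active, Gmail-capable member; otherwise 2SV and
    recovery-change notices for that admin are never read by anyone.
    """
    by_email = {u.primary_email: u for u in users}
    group_by_email = {g.email: g for g in groups}
    report: Dict[str, List[str]] = {}

    for admin in users:
        if not admin.is_admin or admin.suspended:
            continue
        findings: List[str] = []
        if not admin.has_gmail:
            target = routing.get(admin.primary_email)
            if target is None:
                findings.append("no routing rule: account notices are undeliverable")
            elif target not in group_by_email:
                findings.append(f"routing target {target} is not a known group")
            else:
                # Only members who exist, hold a mailbox and are not suspended
                # can actually read what the group receives.
                readers = [m for m in group_by_email[target].members
                           if m in by_email
                           and by_email[m].has_gmail
                           and not by_email[m].suspended]
                if not readers:
                    findings.append(
                        f"group {target} has no active member who can read Gmail")
                elif len(readers) == 1:
                    findings.append(
                        f"group {target} relies on a single reader ({readers[0]})")
        report[admin.primary_email] = findings
    return report


# Constructed sample tenant: two Cloud Identity Super Admins, one group with a
# single licensed reader, one group whose only member is suspended.
SAMPLE_USERS = [
    User("cloudadmin@example.com", is_admin=True, has_gmail=False),
    User("cloudadmin2@example.com", is_admin=True, has_gmail=False),
    User("alice@example.com", is_admin=False, has_gmail=True),
    User("bob@example.com", is_admin=False, has_gmail=True, suspended=True),
]
SAMPLE_GROUPS = [
    Group("cloudadmingroup@example.com", ["alice@example.com"]),
    Group("cloudadmin2group@example.com", ["bob@example.com"]),
]
SAMPLE_ROUTING = {  # Gmail routing: original recipient -> rewritten recipient
    "cloudadmin@example.com": "cloudadmingroup@example.com",
    "cloudadmin2@example.com": "cloudadmin2group@example.com",
}


if __name__ == "__main__":
    for admin, findings in audit_admin_notifications(
            SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_ROUTING).items():
        print(admin, "->", findings or ["ok"])
```

Run against the sample, the audit reports that `cloudadmin2@example.com` is effectively unreachable (its group's only member is suspended) and that `cloudadmin@example.com` depends on a single reader, which is the kind of gap the routing design can silently develop when group membership or licences change.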

1 REPLY 1

I understand and appreciate the cost-efficiency concerns.

However, without Gmail or Calendar access, there are certain functions your Cloud Identity super admins won't be able to perform, either in the GUI, or via the API (just one of many examples is transferring calendar events on behalf of users). 

The implications go beyond mail delivery.

The number of super admins relative to the number of user accounts is normally quite small; therefore, I recommend simply licensing them for Google Workspace (if not all at least one - the primary administrator).
