
Product Tip Tuesday: Beware of Too Many Super Admins

BetterCloud

April 9, 2019

2 minute read


This week’s product tip is one of our favorites—reducing unnecessary super admin privileges.

Super admins are users who have full access to all system administrative controls in native SaaS admin consoles. It’s like “God Mode” for SaaS apps.

Because super admins can access and manipulate every part of your organization’s SaaS applications, it’s important to keep the number of super admins in your environment to a minimum.

Implementing the principle of least privilege is a security best practice. It depends on the size of your org, but we generally recommend a total of three super admins in order to mitigate risk. In practice, we’ve seen that most organizations have 13-19 super admins in each SaaS app. This is a security risk: each additional super admin is another entry point into your environment and another opportunity for dangerous human error.

The trouble with many SaaS applications is that they natively lack granular access roles, which contributes to the problem of having too many super admins. Very often, users will request elevated access for a task or project. They may not need super admin access, but IT often has no choice given the lack of granularity, and the user ends up retaining excessive access for longer than necessary. Luckily, BetterCloud gives you the tools to fight this problem.

The first step to remediation: assign granular access

BetterCloud allows you to delegate roles that are more granular than those available natively within the applications. This ensures that users only have the level of access they need and eliminates the problem of granting super admin access to anyone who needs a little more access.

What’s key is delegating the least amount of access people need to do their jobs, that is, enforcing the principle of least privilege. With BetterCloud, you can assign granular create/edit/delete/view privileges related to users, groups, OUs, files, calendars, and other SaaS data.

[Screenshot: BetterCloud "create a new role" form with Role Name and Description fields, toggles for each privilege, and a section for assigning users to the new role.]

Taking it one step further: create an automated super admin policy

Beyond creating granular access roles, you can set up alerts that tell you when the number of super admins in your environment exceeds a set number, which then triggers a remediation workflow.

For example, the workflow below automatically revokes super admin access from users whose elevated privileges push the count past your alert threshold. Once the privileges have been revoked, the primary IT admin is notified via Slack. Here’s what this looks like in BetterCloud:
[Screenshot: alert configuration screen with Name, Description, Type, Alert Trigger Conditions, and Timing & Thresholds fields; the threshold value of 5 is circled in red.]

[Screenshot: workflow rule that sends a direct message when the number of Super Administrators surpasses the threshold, with fields for the message text, sender, and emoji.]
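To make the two ideas above concrete, here is a vendor-agnostic model of the same policy as an added example. It is not BetterCloud’s code or API: it takes a constructed export of admin role assignments, checks the super admin count against a threshold, plans revocations for the excess grants (newest grant first, never touching an assumed list of approved super admins), downgrades those users to a hypothetical granular role instead of removing all access, and drafts the Slack-style message the primary IT admin would receive. The role names, accounts and the `GRANULAR_ROLES` table are assumptions made for the example.

```python
"""Super admin threshold policy with remediation plan and admin notification.

Added example, not BetterCloud's code or API. All accounts, roles and dates
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

SUPER_ADMIN = "super_admin"      # the "God Mode" role the post warns about
FALLBACK_ROLE = "user_manager"   # hypothetical granular role used after revocation

# Hypothetical granular roles: resource -> allowed actions (assumption)
GRANULAR_ROLES = {
    "user_manager": {"users": {"create", "edit", "view"}, "groups": {"view"}},
    "calendar_support": {"calendars": {"view", "edit"}},
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    granted_on: date


# Constructed sample of a SaaS admin-role export (not real accounts)
SAMPLE_ASSIGNMENTS = [
    Assignment("alice@example.com", SUPER_ADMIN, date(2017, 3, 1)),
    Assignment("bob@example.com", SUPER_ADMIN, date(2018, 6, 12)),
    Assignment("carol@example.com", SUPER_ADMIN, date(2018, 11, 5)),
    Assignment("dave@example.com", SUPER_ADMIN, date(2019, 2, 20)),  # project grant
    Assignment("erin@example.com", SUPER_ADMIN, date(2019, 4, 1)),   # never cleaned up
    Assignment("frank@example.com", "calendar_support", date(2019, 1, 9)),
]

# Assumed allow list of the super admins the org has deliberately approved
APPROVED_SUPER_ADMINS = {"alice@example.com", "bob@example.com", "carol@example.com"}


def super_admins(assignments):
    """All current super admin assignments."""
    return [a for a in assignments if a.role == SUPER_ADMIN]


def plan_remediation(assignments, threshold, approved):
    """Return (to_revoke, warning).

    Approved accounts are never revoked; non-approved grants are revoked
    newest-first until the count fits the threshold. If the approved accounts
    alone exceed the threshold, a warning is raised for human review.
    """
    current = super_admins(assignments)
    if len(current) <= threshold:
        return [], None
    candidates = sorted((a for a in current if a.user not in approved),
                        key=lambda a: a.granted_on, reverse=True)
    excess = len(current) - threshold
    to_revoke = candidates[:excess]
    warning = None
    if len(candidates) < excess:
        warning = (f"{len(current) - len(candidates)} approved super admins alone "
                   f"exceed the threshold of {threshold}; review the approved list")
    return to_revoke, warning


def apply_remediation(assignments, to_revoke, fallback_role=FALLBACK_ROLE, as_of=None):
    """Downgrade revoked users to a granular role rather than deleting all access."""
    as_of = as_of or date.today()
    revoked_users = {a.user for a in to_revoke}
    return [Assignment(a.user, fallback_role, as_of)
            if a.user in revoked_users and a.role == SUPER_ADMIN else a
            for a in assignments]


def can(assignments, user, resource, action):
    """Authorization check: super admins may do anything, others only what their role lists."""
    for a in assignments:
        if a.user != user:
            continue
        if a.role == SUPER_ADMIN:
            return True
        if action in GRANULAR_ROLES.get(a.role, {}).get(resource, set()):
            return True
    return False


def notification(to_revoke, remaining_count, threshold, warning=None):
    """Slack-style direct message text for the primary IT admin."""
    lines = [f":rotating_light: Super admin count exceeded threshold {threshold}."]
    lines += [f"- revoked super admin from {a.user} (granted {a.granted_on.isoformat()})"
              for a in to_revoke]
    lines.append(f"{remaining_count} super admins remain.")
    if warning:
        lines.append(f"WARNING: {warning}")
    return "\n".join(lines)


def run_policy(assignments, threshold, approved=APPROVED_SUPER_ADMINS):
    """Evaluate the policy; return (updated assignments, message or None if within threshold)."""
    to_revoke, warning = plan_remediation(assignments, threshold, approved)
    if not to_revoke and warning is None:
        return assignments, None
    updated = apply_remediation(assignments, to_revoke)
    return updated, notification(to_revoke, len(super_admins(updated)), threshold, warning)


if __name__ == "__main__":
    _, message = run_policy(SAMPLE_ASSIGNMENTS, threshold=3)
    print(message)
```

With the recommended threshold of three, the two non-approved grants (erin, then dave, newest first) are downgraded to the fallback role; they can still view users but can no longer delete OUs, while the approved admins keep full access. Setting the threshold below the size of the approved list produces a warning instead of silently revoking an approved account.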

For more information on this use case, check out this article in our Help Center!