Product Tip Tuesday: Beware of Too Many Super Admins
April 9, 2019
This week’s product tip is one of our favorites—reducing unnecessary super admin privileges.
Super admins are users who have full access to all system administrative controls in native SaaS admin consoles. It’s like “God Mode” for SaaS apps.
Because super admins can access and manipulate every part of your organization’s SaaS applications, it’s important to keep the number of super admins in your environment to a minimum.
Implementing the principle of least privilege is a security best practice. It depends on the size of your org, but we generally recommend having a total of three super admins in order to mitigate risk. We’ve seen that most organizations actually have 13-19 super admins in each SaaS app. This is a security risk. Each additional super admin presents more entry points into your environment and more opportunities for dangerous human error.
The trouble with many SaaS applications is that they natively lack granular access roles, which contributes to the problem of having too many super admins. Very often, users will request elevated access for a task or project. They may not need super admin access, but IT often has no choice given the lack of granularity, and the user ends up retaining excessive access for longer than necessary. Luckily, BetterCloud gives you the tools to fight this problem.
The first step to remediation: assign granular access
BetterCloud allows you to delegate roles that are more granular than those available natively within the applications. This ensures that users only have the level of access they need and eliminates the problem of granting super admin access to anyone who needs a little more access.
What’s key is delegating the least amount of access people need to do their jobs—aka enforcing the model of least privilege. With BetterCloud, you can assign granular create/edit/delete/view privileges related to users, groups, OUs, files, calendars, and other SaaS data.
Taking it one step further: create an automated super admin policy
Beyond creating granular access roles, you can set up alerts that tell you when the number of super admins in your environment exceeds a set number, which then triggers a remediation workflow.
For example, the workflow shown below automates revoking super admin access from any users who were granted those privileges and push the count past your alert's threshold. Once the privileges have been revoked, the primary IT admin is notified via Slack. Here’s what this looks like in BetterCloud:
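The threshold policy described above, written out as an added example so the decision logic is explicit; this is illustrative code, not BetterCloud's workflow engine, and the admin records, field names and break-glass flag are constructed assumptions:

```python
from datetime import date

# Constructed sample of super admin assignments as exported from a SaaS admin
# console. The field names are assumptions for this example, not a vendor schema.
SUPER_ADMINS = [
    {"user": "alice@example.com", "granted": date(2017, 3, 1), "break_glass": True},
    {"user": "bob@example.com", "granted": date(2017, 9, 14), "break_glass": True},
    {"user": "carol@example.com", "granted": date(2018, 6, 2), "break_glass": False},
    {"user": "dave@example.com", "granted": date(2019, 2, 20), "break_glass": False},
    {"user": "erin@example.com", "granted": date(2019, 4, 1), "break_glass": False},
]


def evaluate_policy(admins, threshold=3):
    """Return (revoke, keep) for a super admin count above the threshold.

    Designated break-glass accounts are never revoked, so the policy cannot lock
    the org out. Among the rest, the most recently granted privileges go first,
    since those are the task/project grants that tend to overstay their welcome.
    """
    if threshold < 1:
        raise ValueError("threshold must keep at least one super admin")
    protected = [a for a in admins if a["break_glass"]]
    if len(protected) > threshold:
        raise ValueError("more break-glass admins than the threshold allows")
    others = sorted((a for a in admins if not a["break_glass"]),
                    key=lambda a: a["granted"])
    room = threshold - len(protected)  # seats left after protected accounts
    return others[room:], protected + others[:room]


def slack_notification(revoke, threshold):
    """Build the Slack text sent to the primary IT admin after remediation."""
    if not revoke:
        return None
    names = ", ".join(a["user"] for a in revoke)
    return (f"Super admin count exceeded the threshold of {threshold}; "
            f"revoked super admin from: {names}")


if __name__ == "__main__":
    revoke, keep = evaluate_policy(SUPER_ADMINS, threshold=3)
    print("keep:", [a["user"] for a in keep])
    print(slack_notification(revoke, 3))
```

Run against the sample, the policy keeps the two break-glass accounts plus the longest-standing remaining admin and revokes the two most recent grants.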
For more information on this use case, check out this article in our Help Center!