Skip to content

The Multi-SaaS Maelstrom: How Do You Give the Right People the Right Admin Privileges?


February 27, 2017

4 minute read

rbppost ftr

“Be careful who you give privileges to and to what degree. It makes sense to give the valet attendant your keys to park your car, but not to hand over your credit cards as well.”  

So writes Verizon in their 2016 Data Breach Investigations Report, and indeed, they bring up a salient point. Granting the optimal amount of access–to both IT and non-IT employees–in your environment can be tricky.

The Critical Importance of Finding the Right Balance

Giving employees more privileges than needed is a strict no-no. “If you hand out admin privileges like candy, it’ll come back to haunt you,” writes InfoWorld. “Every additional admin doesn’t just increase his or her own risk; if they’re compromised, they add to the takedown risk of all the others.” Accidental misuse of one’s privileges, to say nothing of deliberate, malicious abuse, is a glaring security risk.

But on the other hand, giving employees insufficient privileges is a hindrance to productivity. It slows things down, creates bottlenecks. If your sole super admin goes on vacation and nobody else has any type of administrative privileges, well then, you’re SOL.

All this to say: You need precision and accuracy when you assign privileges to employees. It’s critical for ensuring a high-performing IT operation.

New Hurdles Caused By Increasing SaaS Use

But if you use multiple SaaS apps in your environment, assigning privileges becomes a thorny process. First, you can’t view all your admin privileges across apps in one place.

Next, while every SaaS app must have a role that provides full access to the system (usually called a “super administrator” or just “administrator”), beyond that there is little to no consistency across applications in either terminology or levels of privileges offered. For example, there are Team Admins and User Management Admins and Support Admins (Dropbox); there are Owners and Admins (Slack); and then there are Administrators and Account Owners (Zendesk). Whew.

Plus, many of the less mature SaaS apps only offer binary options: super admin or end user, nothing in between. And there’s a reason why. These applications weren’t built with IT in mind. They were mostly built to help your organization work more effectively, which they do. But as adoption grows, the importance of correctly assigning privileges only increases.

Here are various administrative roles for several SaaS apps in the graphic below. When you see the full panoply of administrator options across them, how would you (for example) assign privileges to HR employees who only need a few admin privileges to onboard new users? What about new IT helpdesk employees? Are you really going to grant super admin access to them? You might not want to, but in some cases, that might be your only option.

An IT Shangri-la

There’s a better way to work: You can avoid this rigmarole. You can avoid granting more privileges than needed.

Imagine creating your own set of privileges from scratch. You’d start with a blank slate, like this (you may or may not have more rows depending on the types of SaaS apps you use):

And here’s what that would look like if you had super admin privileges:

That’s a lot of privileges. So imagine the ability to delegate specific privileges to different business units (across SaaS apps, no less). Let’s say you work at a large enterprise company that has a few thousand employees.

You could give your HR team only the ability to create, read, and update users, groups, and org units across multiple SaaS apps–nothing more–as they provision new employees. Their privileges might look something like this:

Let’s take your helpdesk as another example. Your helpdesk team would only have the ability to read and update (but not create or delete) users, groups, and org units across multiple SaaS apps. Their privileges might look like this:

Or take your security team for example. A security admin would only have the ability to read, update, and delete files, sites, calendars, and tickets, but not create anything. Their privileges might look like this:

The Future is Here

Imagine the ability to create customized, role-based privileges across multiple SaaS apps. Imagine a world where everyone had only the privileges they needed, and nothing more. If this sounds like some futuristic IT Shangri-la, well, it exists. This type of customizable, “built for IT” privilege management experience is exactly what we’ve built in BetterCloud’s recently launched Role-Based Privileges feature, part of our new multi-SaaS management platform.

Want to learn more and see for yourself? Request a personalized consultation with our team today.

We’ve spent the last two years building the first-ever true multi-SaaS management platform, which centralizes and automates the administration of SaaS applications, launching it in December of 2016. Expect more exciting announcements and functionality like this one throughout 2017 as we add on to the platform.