Your Google Apps Super Administrator is, hands down, the most powerful user in your system. While this may seem obvious, most companies haven't thought about the practical implications of that fact.
If you're like many businesses, you've assigned the Super Admin role to one or more of your everyday admins, and they perform their Super Admin roles from their standard admin account. But this is actually a very dangerous move. Read on to learn more about the power of the Super Admin role, and why it's so vital to reassign it if you've lumped in Super Admin privileges with an everyday account.
Google Apps is full of powerful admin roles, each of which serves a different function. The Reseller Admin, for instance, specifically manages resold customers. A Services Administrator handles products and devices that you've enabled to work with your Google Apps account. Help Desk Admins can reset passwords for non-admins and view user profiles. Groups Administrators manage Google Groups.
The User Management Administrator is perhaps the most versatile account type, short of the Super Admin. The User Management Admin manages accounts for non-admin users, and can rename them, change their passwords, create and delete user accounts and so on.
It may seem tempting to give Super Admin privileges to the account that handles User Management for your company -- after all, if your trusted admin is already handling user accounts, why not put a little more on their plate? But that doesn't seem like as tempting a strategy once you understand the full power of the Super Admin role.
Your Super Admin essentially holds power over all other admins in your system, and wields remarkable power over your company's Google Apps as a whole. On the most basic level, a Super Admin administers other admins' accounts -- giving and revoking admin access, resetting administrators' passwords, and so forth. And if a User Management Admin accidentally deletes a user account, only the Super Admin can restore it.
But the power of a Super Admin goes far beyond this. For instance, a Super Admin can create and modify the organizational units that provide Google Apps access and privileges to users. The Super Admin can also search through an organization's email logs, and can modify the billing options for its Google Apps account.
It should be clear that the Super Admin's role is incredibly powerful, and not quite like the privileges given to any other Google Apps admin. An inexperienced Super Admin, or a simple error made by a Super Admin account, can do a lot of damage. And if your business' Super Admin account gets hacked, the results will almost certainly be devastating.
Most savvy Linux admins know not to use a superuser account for their everyday needs. The risk of doing accidental damage to your system is too great, and if your superuser account gets hacked, you're in trouble.
For that same reason, you shouldn't give Super Admin privileges to an account that one of your users logs into every day. It's too powerful, and there's too much risk of errors at best, or mischief at worst.
Instead, give Super Admin privileges to a special account that isn't logged into for any other purpose. Make sure this account's username and password are carefully secured, and that only a few highly trusted admins have access to that information. Make sure to change this account's password regularly, just as you would any other account's password.
Google advises that you not give Super Admin privileges to any user unless they've been serving as an admin for a Google Apps account for at least six months. This may not be an option, depending on the size or age of your company, and the waters get muddier when you consider that your Google Apps account must have at least one Super Admin. But that guideline should give you an idea of the level of trust you're placing in someone when you give them Super Admin privileges or access to a dedicated Super Admin account.
Your Super Admin is perhaps the most powerful user in your system, but due to the admin's highly specialized role, this power is easily overlooked. Don't make that mistake. Take your company's Super Admin positions seriously. Make a dedicated account for Super Admin use, and make sure that that account's information is carefully guarded. Otherwise, you put your company's security at serious risk.