Best Practices for Determining Access Roles in Google Apps
November 19, 2014
6 minute read
Eli is Director of Customer Success at BetterCloud.
More than 5 million organizations around the world rely on Google Apps every single day. And at the core of every Google Apps deployment is someone responsible for overseeing its success. Whether you’re at a small business and the person in charge of administering Apps is the CEO or you’re part of a larger organization with a built out IT team, it’s vital to make sure the right people have the right level of access to ensure Apps’ long-term success and overall security.
After three years spent working with countless Google Apps administrators from both large and small organizations and everything in between, I’ve realized there’s always one constant – no matter organization size, administrative rights and access control always seems to be a concern. So, how do you determine and grant proper access control across your company and / or IT team? Let’s find out.
The Basics
Typically an organization will have more than one Super Administrator – usually the person responsible for setting up Google Apps initially. In a small company that’s likely the CEO and in a larger organization you might have a few Super Administrators like the person responsible for rolling out Google Apps and a few other senior level IT employees.
By default, Super Administrators have the highest level of access within the Google Apps Admin Console. Super Administrative rights allows a user to:
- Enable and disable services like Mail, Drive, Groups, Sites, Calendar, Contacts, Google+ and Hangouts
- Purchase additional Google services, like Google Drive for Work, Vault and others
- Install and purchase third-party applications from the Google Apps Marketplace
- Alter user information
It’s easy to see that Super Administrators have a broad range of access and control over a Google Apps domain and granting super administrative rights to too many or the wrong people can jeopardize the security and success of your Google Apps domain. Even when employees have only the best intentions, the possibility for human error is too great without proper training and control – precisely why you should avoid granting super administrative rights at all costs.
But, we understand that it’s not just the Super Admin who needs to control aspects of your Google Apps domain, which is why we’ve given FlashPanel customers the ability to easily create granular access controls. Before you create these roles however, it’s important to evaluate the current state of access across your domain and devise a plan to proceed.
Create a Plan for Success
Before granting any access roles, first follow these key steps:
1. AUDIT
Run an Audit of your domain’s current access roles to determine:
- How many Super Admins already exist
- If any of these existing Super Admins left your organization or changed roles
In order to audit access roles, you can either run a report through FlashPanel, which allows you to view all Super Admins across your domain.
Or, if you prefer, you view roles in the Google Apps Admin Console.
2. REVOKE
Revoke access to users with too many privileges:
- Determine whether or not you can demote certain Super Admins to more limited access roles
Real World Example: I’ve actually been on the receiving end of this action. When I first started with BetterCloud, I was a full Super Admin. As we grew, my responsibilities no longer required Super Admin access to the bettercloud.com domain. Using FlashPanel, our CEO was able to create a specific access role granting me only the permissions I need.
- Communicate changes clearly – explain to users who are losing rights that changes aren’t meant to be punitive, but rather are done in an effort to protect the security of the domain. You might look to specifically demote:
- Super Admins who have changed roles
- CEOs, VPs, Directors and Presidents who have no need for Super Admin rights
- Don’t be afraid to “over revoke” access. After all, it’s better to be safe than sorry and you can always re-grant Super Admin rights or delegate access control.
Pro Tip: Don’t hesitate to limit access to people in your organization who may be in a more senior role. There are plenty of CEOs, CTOs and even CIOs who have no business taking any actions in the Google Admin Console or FlashPanel. Just be sure to make it clear why and when you’re removing access. Good leaders will appreciate your proactive outlook towards security. And…if they resist, at least you have an “I told you so” email in your back pocket.
3. GRANT
Grant access to the proper people, with the proper roles and permissions.
- Using a third-party application like FlashPanel, you can create and grant granular access roles. But, when you do give access, make sure you’re giving only the amount absolutely necessary.
Pro Tip: Be sure to add yourself to all Org Units you create so that you can assume the roles yourself to ensure that you’ve granted the right permissions!
- Access you might grant includes:
- Ability to edit, create and standardize email signatures to Marketing
- Ability to run reports to HR
- Ability to reset passwords, manage groups, but not the ability to view or manage documents to your IT help desk
4. REPEAT
It’s important to evaluate access on a regular basis, after all people change roles, companies expand and employees move on. In addition to evaluating roles on a regular basis, you should:
- Deprovision anyone who leaves your organization in a timely manner. Properly deprovisioning a user through FlashPanel’s Deprovisioning Workflow will ensure all access is revoked.
- To help you remember to check access roles in your organization, set a recurring calendar reminder once a month.
Granting Access Roles at a Large Global Organization
If you’re working at a large organization, you may be on an IT team of 100, supporting a workforce of 50,000. The ability to grant granular access isn’t just nice to have, it’s essential to running an efficient IT Help Desk. For larger companies, consider setting up access controls by OU to make the process easier and more seamless. An example of access roles granted at a large global retailer might look something like the following:
Role | Access Granted |
Compliance | Domain-wide Super Admin Access |
IT Managers – by location | Super Admin rights over only users they manage in specific geographical regions / office locations |
Service Desk – by location | Reset passwords, bulk group management, email tools only for users in their specific location |
Administrative Assistance | Create / Share Resources across the domain |
Security / InfoSec | Domain-wide access: Audit all documents and third-party applications, fulfill security requests and respond quickly to incidents |
Onboarding – by location | Provisioning new accounts, group membership, edit nicknames, reset passwords only for users in their specific location |
How BetterCloud Grants Access Roles
At BetterCloud, we practice what we preach (precisely why our Super Admin long-ago revoked my super administrative rights). With 80 team members in two offices and a few remote employees, we utilize the following access levels (keep in mind we’re still a small company and our CEO and CTO are both uniquely suited to manage a Google Apps domain).
Role | Access Granted |
CEO, CTO, VP Marketing (first IT admin), Director IT | Full Google Super Admins |
Office Managers | Delegated Calendar Access, User Provisioning and Deprovisioning, Ability to add licenses, Suspend and delete users, Edit user profile contact information, Manage Groups |
Marketing Manager | Email Signature Management |
Controller, Data Analyst | Reporting |
End User View | Everyone in the company has access to the FlashPanel’s End User view feature so they can update contact information |
For more information on how to set up Access Roles in FlashPanel, check out this article.