To configure your Google Cloud organization resource, you need to use a Google Workspace or Cloud Identity super admin account. This page describes best practices for using your Google Workspace or Cloud Identity super admin accounts with your Google Cloud organization resource.
Account types
A Google Workspace super admin account has a set of administrative capabilities that includes Cloud Identity. This provides a single set of identity management controls for use across all Google services, such as Docs, Sheets, Google Cloud, and so forth.
A Cloud Identity account only provides authentication and identity management functionality, independent of Google Workspace.
Create a super admin email address
Create a new email address that is not specific to a particular user as the Google Workspace or Cloud Identity super admin account. This account should be further secured with multi-factor authentication, and could be used as an emergency recovery tool.
Designate Organization Administrators
After you have acquired a new organization resource, you designate one or more Organization Administrators. This role has a smaller set of permissions that are designed to manage your day to day organization operations.
You should also create a private Google Cloud administrator group in your Google Workspace or Cloud Identity super admin account. Add your Organization Administrator users to this group, but not your super admin user. Grant this group the Organization Administrator IAM role or a limited subset of the role's permissions.
We recommend keeping your super admin account separate from your Organization Administrator group. As a super admin, you can grant the Organization Administrator role to the appropriate user best positioned to manage the organization resource and its contents.
For information about managing access control for your organization resource using Identity and Access Management policies, see Access Control for Organizations using IAM.
Set appropriate roles
Google Workspace and Cloud Identity has administrative roles that are not as permissive as the super admin role. We recommend following the principle of least privilege by granting users the minimum set of permissions they need to manage users and groups.
Discourage super admin account usage
The Google Workspace and Cloud Identity super admin account has a powerful set of permissions that are not necessary for use in the daily administration of your organization. You should implement policies that will secure your super admin accounts and make users less likely to attempt to use them for day-to-day operations, such as:
Enforce multi-factor authentication on your super admin accounts as well as all accounts that have elevated privileges.
Use a security key or other physical authentication device to enforce two-step verification.
For the initial super admin account, ensure that the security key is kept in a safe place, preferably at your physical location.
Give super admins a separate account that requires a separate login. For example, user alice@example.com could have a super admin account alice-admin@example.com.
- If you are synchronizing with a third-party identity protocol, ensure you apply the same suspension policy to Cloud Identity and the corresponding third-party identity.
If you have a Google Workspace enterprise or business account or a Cloud Identity premium account, you can enforce a short sign-in period for any super admin accounts.
Follow the guidance in the Security best practice patterns for administrator accounts.
API call alerts
Use Google Cloud Observability to
set up alerts that will notify
you when a SetIamPolicy()
API
call is made. This will send an alert when anyone modifies any IAM
policy.
Account recovery process
Ensure that the Organization Administrators are familiar with the super admin account recovery process. This process will help you recover your account in the event that super admin credentials are lost or compromised.
Multiple organization resources
We recommend using folders to manage parts of your organization that you want to manage separately. If you want to use multiple organization resources instead, you will need multiple Google Workspace or Cloud Identity accounts. For information about the implications of using multiple Google Workspace and Cloud Identity, see Managing multiple organization resources.