> Using a Google Workspace Super Admin account for your non-admin day to day needs is similar to using your AWS root account instead of IAM users.

It sounds like the mistake here is not appointing another Super Admin, and making sure they don't use their account for day to day needs. Or just having two Super Admin accounts controlled by the same person, heh.

I can't see how not using one's Super Admin account wouldn't prevent tripping some kind of fraud lockout that's impossible to recover from.

Randomly, I just remembered that I lost a GCP account because I tried logging in from Laos, and they asked me for the front and back photos of a payment card that I used ages ago that I didn't bother making scans of before it was lost. Urgh.

Make a primary super admin (admin@ whatever) and only log into it for admin purposes. Make an actual user (you@) for day to day line of business work. This has the benefit of making some categories of spear phishing and XSRF attacks harder if the account that gets compromised doesn't have root.
reply
That's what I've been doing.

It doesn't address this thread's concern that a single Super Admin could be locked out with no recourse, since Google's customer support is horrendously bad.

So you're saying for a simple setup of 1 user, you really need to pay for 2 users. The admin account and the real user you want to use, which doubles the cost.
reply
In an ideal world, 3 users, because you want a backup admin in case your primary admin is lost.

I don’t love it either, but these are Google’s published best practices / recommendations.
