Least Privilege for Google: Temporary Admin Roles

7 months ago
Written by
Fouad Matin
@fouadmatin
Elsie Phillips

Every email, document in drive, and calendar – downloaded.

All groups, drives, and users – deleted.

Google Workspace Super Admin users have an incredibly powerful set of permissions that can turn into a major catastrophe from a single phishing attack or accident.

They can effectively do anything within a Google Workspace setup, including remove and lock out other Super Admins.

“Too many Google Super Admins is like having too many cooks in the kitchen. It can create a lot of chaos and confusion, and can impede the ability of IT to properly manage data and security protocols. It also makes it difficult to ensure that all users follow the same best practices and policies, leading to a lack of consistency across the organization. Just making sure all of them have 2FA can be hard enough.”

— Head of IT, 500-1000-person Financial Services Startup

Managing admin roles has been an entirely manual or custom-implemented process. Often, most of the IT team ends up accumulating admin roles like Super Admin to do basic everyday tasks.

Or they set up provisioning with Okta, just to find that it’s not possible to set admin roles — you need to use Okta Workflows or another workflow automation product to do that.

Unfortunately, they only support “makeAdmin” which will make a user a Super Admin permanently because there’s no remove or “unmakeAdmin” action.

Least Privilege for Google Admin Roles

We’re excited to announce Temporary Google Admin Roles. Teams can get time-bound admin and super admin privileges in Google Workspace via Slack, Indent.com, or the Indent browser extension — eliminating the need for too many Super Admin users.

With the ability to grant admin access that auto-expires, organizations can all but eliminate persistent admin or super admin privileges. This reduces their organization’s potential attack surface, risk of unintentional changes, and abuse of privileges.

It’s perfect for:

  • Speeding up onboarding and common helpdesk issues like password reset
  • Temporarily elevating privileges for non-IT teams (e.g. Security or HR)
  • Allowing junior IT admins to borrow access routinely as needed
  • Giving temporary admin access to IT or security contractors
  • Automatically generating logs for security and compliance purposes

“Having a tool like this would have made all the difference as we scaled from 500 > 3000 users and got acquired into a public company. Compliance & access control became more granular and important than ever”

— Adnan Alam, IT at PlanetScale, former IT Manager at GitHub

Try it Out

Want to see the workflow in action? Check out this interactive demo:

Set-Up Temporary Admin Roles

Ready to get started? You can either get a personalized demo and onboarding from our team or get started on your own.

To get this set up you’ll need super admin privileges in a Google Workspace account. From there you’ll:

Try Indent for free.