🛡️ Google Super Admin Email Address is tied to a single user
- Contextual name: 🛡️ Super Admin Email Address is tied to a single user
- ID: /ce/ca/google/iam/super-admin-email-not-tied-to-single-user
- Tags:
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Description
Assign the Google Workspace or Cloud Identity Super Admin role to a dedicated administrative account, such as gcp-superadmin@company.com, rather than to an individual user's email address.
Rationale
Super Admin accounts have broad administrative authority over Google Workspace, Cloud Identity, and organization-level settings. Using a dedicated account reduces dependency on a single employee, separates privileged administration from day-to-day user activity, and supports stronger controls such as hardware security keys and restricted session policies.
Impact
Creating a dedicated Super Admin account requires coordination with Google Workspace or Cloud Identity administrators. Existing individual user accounts should be removed from the Super Admin role after the dedicated account is configured and validated.
Audit
From Google Admin Console
- Open the Google Admin Console at https://admin.google.com.
- Go to Account > Admin roles.
- Open the Super Admin role.
- Review the assigned users.
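The audit step above, applied to user records as an added example (not part of this policy page or of any vendor tooling): the records are constructed in the shape of the Admin SDK Directory API User resource, and the dedicated-account naming pattern and sample addresses are assumptions to adjust to your own convention.

```python
import re

# Constructed sample records in the shape of the Directory API User resource.
# primaryEmail, isAdmin (super administrator) and isEnrolledIn2Sv are real
# fields of that resource; the addresses themselves are made up.
# In a live audit the same shape comes back from
#   service.users().list(customer="my_customer", query="isAdmin=true")
SAMPLE_USERS = [
    {"primaryEmail": "gcp-superadmin@example.com", "isAdmin": True, "isEnrolledIn2Sv": True},
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isEnrolledIn2Sv": True},
    {"primaryEmail": "bob@example.com", "isAdmin": True, "isEnrolledIn2Sv": False},
    {"primaryEmail": "carol@example.com", "isAdmin": False, "isEnrolledIn2Sv": True},
]

# Assumed naming convention for dedicated administrative accounts.
DEDICATED_ADMIN_RE = re.compile(r"^[a-z0-9-]*superadmin@", re.IGNORECASE)


def super_admins(users):
    """Return the primary addresses currently holding the Super Admin role."""
    return [u["primaryEmail"] for u in users if u.get("isAdmin")]


def audit_super_admins(users, dedicated_re=DEDICATED_ADMIN_RE):
    """Map each Super Admin address to the findings it triggers.

    personal_account: the address does not follow the dedicated-account convention
    no_2sv:           the account is not enrolled in 2-Step Verification
                      (enrolment only; the API field does not say which method)
    An empty list means the account passes this check.
    """
    report = {}
    for u in users:
        if not u.get("isAdmin"):
            continue
        findings = []
        if not dedicated_re.match(u["primaryEmail"]):
            findings.append("personal_account")
        if not u.get("isEnrolledIn2Sv", False):
            findings.append("no_2sv")
        report[u["primaryEmail"]] = findings
    return report


def is_compliant(users, dedicated_re=DEDICATED_ADMIN_RE):
    """True when every Super Admin is a dedicated, 2SV-enrolled account."""
    return all(not f for f in audit_super_admins(users, dedicated_re).values())


if __name__ == "__main__":
    for email, findings in audit_super_admins(SAMPLE_USERS).items():
        print(f"{email}: {', '.join(findings) or 'OK'}")
```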
Remediation
From Google Admin Console
- Open the Google Admin Console at https://admin.google.com.
- Go to Directory > Users.
- Create a dedicated Super Admin account.
- Configure strong authentication for the dedicated account, such as 2-Step Verification with a hardware security key.
- Go to Account > Admin roles.
- Open the Super Admin role and assign it to the dedicated account.
- Remove individual user accounts from the Super Admin role after confirming the dedicated account works as expected.
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS GCP v5.0.0 → 💼 1.1.1 Ensure Super Admin Email Address Is Not Tied To A Single User - Level 1 (Manual) | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 General Access Controls | 23 | no data | | | |