Super administrator account best practices
To configure your Google Cloud organization resource, you need to use a Google Workspace or Cloud Identity super admin account. This page describes best practices for using your Google Workspace or Cloud Identity super admin accounts with your Google Cloud organization resource.
Account types
A Google Workspace super admin account has a set of administrative capabilities that includes Cloud Identity. This provides a single set of identity management controls for use across all Google services, such as Docs, Sheets, Google Cloud, and so forth.
A Cloud Identity account only provides authentication and identity management functionality, independent of Google Workspace.
Create a super admin email address
Create a new email address that is not specific to a particular user as the Google Workspace or Cloud Identity super admin account. This account should be further secured with multi-factor authentication, and could be used as an emergency recovery tool.
Designate Organization Administrators
After you have acquired a new organization resource, you designate one or more Organization Administrators. This role has a smaller set of permissions that are designed to manage your day-to-day organization operations.
You should also create a private Google Cloud administrator group in your Google Workspace or Cloud Identity super admin account. Add your Organization Administrator users to this group, but not your super admin user. Grant this group the Organization Administrator Identity and Access Management (IAM) role or a limited subset of the role's permissions.
We recommend keeping your super admin account separate from your Organization Administrator group. As a super admin, you can grant the Organization Administrator role to the appropriate user best positioned to manage the organization resource and its contents.
For information about managing access control for your organization resource using allow policies, see Access control for organizations using IAM.
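The separation described above can be checked mechanically against the organization's IAM allow policy. The following is an added example, not Google's code: it assumes a policy in the JSON shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json` (a `bindings` list of `role` and `members`), and the two policies it inspects are constructed samples using example.com principals.

```python
"""Check an organization's IAM allow policy against the super admin
separation guidance: the Organization Administrator role is granted to a
private group, and the super admin account is not bound directly.

Added example, not Google's code. It assumes a policy in the JSON shape
returned by `gcloud organizations get-iam-policy ORG_ID --format=json`
(a "bindings" list of {"role": ..., "members": [...]}). The two policies
below are constructed samples using example.com principals.
"""

ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"

# Constructed sample: the recommended layout. The role goes to a private
# group; the super admin account is not bound anywhere in the policy.
RECOMMENDED_POLICY = {
    "bindings": [
        {"role": ORG_ADMIN_ROLE, "members": ["group:gcp-org-admins@example.com"]},
        {"role": "roles/billing.admin", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwX-constructed",
    "version": 1,
}

# Constructed sample: the super admin account is granted the role directly,
# and no group holds it.
DISCOURAGED_POLICY = {
    "bindings": [
        {"role": ORG_ADMIN_ROLE, "members": ["user:alice-admin@example.com"]},
    ],
    "etag": "BwY-constructed",
    "version": 1,
}


def members_with_role(policy: dict, role: str) -> list[str]:
    """Return every member bound to `role` across all bindings."""
    members: list[str] = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.extend(binding.get("members", []))
    return members


def check_org_admin_separation(policy: dict, super_admins: set[str]) -> list[str]:
    """Return findings; an empty list means the policy follows the guidance.

    Findings raised:
      * the Organization Administrator role is not granted through a group
      * a super admin account is bound directly (as user:...) to any role
    """
    admins = {email.lower() for email in super_admins}
    findings: list[str] = []

    if not any(m.startswith("group:") for m in members_with_role(policy, ORG_ADMIN_ROLE)):
        findings.append(f"{ORG_ADMIN_ROLE} is not granted through a group")

    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("user:") and member[len("user:"):].lower() in admins:
                findings.append(f"super admin {member} is bound directly to {binding['role']}")
    return findings


if __name__ == "__main__":
    for name, policy in (("recommended", RECOMMENDED_POLICY), ("discouraged", DISCOURAGED_POLICY)):
        print(name, check_org_admin_separation(policy, {"alice-admin@example.com"}) or ["ok"])
```

The IAM policy only shows which principals hold the role, not who is in the group. Whether the super admin user has been added to the administrator group is a Cloud Identity question, so that part of the guidance has to be checked against the group's membership list (for example with `gcloud identity groups memberships list`), not against the allow policy.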
Set appropriate roles
Google Workspace and Cloud Identity have administrative roles that are not as permissive as the super admin role. We recommend following the principle of least privilege by granting users the minimum set of permissions they need to manage users and groups.
Discourage super admin account usage
The Google Workspace and Cloud Identity super admin account has a powerful set of permissions that are not necessary for use in the daily administration of your organization. You should implement policies that will secure your super admin accounts and make users less likely to attempt to use them for day-to-day operations, such as:
- Enforce multi-factor authentication on your super admin accounts as well as all accounts that have elevated privileges.
- Use a security key or other physical authentication device to enforce two-step verification.
- For the initial super admin account, ensure that the security key is kept in a safe place, preferably at your physical location.
- Give super admins a separate account that requires a separate login. For example, user alice@example.com could have a super admin account alice-admin@example.com.
- If you are synchronizing with a third-party identity protocol, ensure you apply the same suspension policy to Cloud Identity and the corresponding third-party identity.
- If you have a Google Workspace enterprise or business account or a Cloud Identity premium account, you can enforce a short sign-in period for any super admin accounts.
- Follow the guidance in the security best practice patterns for administrator accounts.
API call alerts
Use Google Cloud Observability to set up alerts that will notify you when a SetIamPolicy() API call is made. This will send an alert when anyone modifies any allow policy.
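To make the alert above concrete, here is an added example (not Google's code and not the Observability alerting policy itself) that runs the same detection over Admin Activity audit log entries. It assumes entries in the JSON shape of a Cloud Logging LogEntry (`protoPayload` with `methodName`, `authenticationInfo.principalEmail`, `resourceName` and, for IAM changes, `serviceData.policyDelta.bindingDeltas`); the three entries it processes are constructed samples, not real logs. It goes slightly beyond the page by rating a change made by a super admin account, or made at the organization level, higher than a routine project-level change.

```python
"""Flag SetIamPolicy calls in Admin Activity audit log entries.

Added example, not Google's code and not the Observability alerting policy
itself. It assumes log entries in the JSON shape of a Cloud Logging LogEntry
(protoPayload with methodName, authenticationInfo.principalEmail,
resourceName and, for IAM changes, serviceData.policyDelta.bindingDeltas).
The entries below are constructed samples, not real logs.
"""
import json

# Logging query that matches the same events; ':' is a substring match, so it
# also catches services whose method name carries a package prefix.
LOG_FILTER = 'protoPayload.methodName:"SetIamPolicy"'

SAMPLE_ENTRIES = [
    {   # unrelated read-only call: must not alert
        "protoPayload": {
            "methodName": "ListProjects",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "organizations/000000000000",
        }
    },
    {   # allow policy changed at the organization level by the super admin account
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "authenticationInfo": {"principalEmail": "alice-admin@example.com"},
            "resourceName": "organizations/000000000000",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/resourcemanager.organizationAdmin",
                 "member": "user:bob@example.com"}]}},
        }
    },
    {   # routine project-level change by a deployment service account
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "authenticationInfo": {"principalEmail": "deployer@example-project.iam.gserviceaccount.com"},
            "resourceName": "projects/example-project",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "REMOVE", "role": "roles/viewer", "member": "user:carol@example.com"}]}},
        }
    },
]


def policy_change_alerts(entries: list[dict], super_admins: set[str]) -> list[dict]:
    """Return one alert per SetIamPolicy entry.

    Severity is HIGH when the caller is a super admin account (which should
    not be doing day-to-day work) or when the target is the organization
    resource itself; everything else is MEDIUM.
    """
    admins = {e.lower() for e in super_admins}
    alerts = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if "SetIamPolicy" not in payload.get("methodName", ""):
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        resource = payload.get("resourceName", "unknown")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        high = principal.lower() in admins or resource.startswith("organizations/")
        alerts.append({
            "severity": "HIGH" if high else "MEDIUM",
            "principal": principal,
            "resource": resource,
            "changes": [f"{d.get('action')} {d.get('member')} -> {d.get('role')}" for d in deltas],
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(policy_change_alerts(SAMPLE_ENTRIES, {"alice-admin@example.com"}), indent=2))
```

The binding deltas are what make the alert actionable: a notification that says "alice-admin added bob to Organization Administrator on the organization" can be triaged immediately, whereas a bare "SetIamPolicy was called" forces the responder to go and diff the policy.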
Account recovery process
Ensure that the Organization Administrators are familiar with the super admin account recovery process. This process will help you recover your account in the event that super admin credentials are lost or compromised.
Multiple organization resources
We recommend using folders to manage parts of your organization that you want to manage separately. If you want to use multiple organization resources instead, you will need multiple Google Workspace or Cloud Identity accounts. For information about the implications of using multiple Google Workspace and Cloud Identity accounts, see Managing multiple organization resources.
Last updated 2026-02-18 UTC.