What’s the recommended number of highly privileged users for Office 365, G Suite, Atlassian, GitHub?


When people think of excessive privileges, SaaS solutions are rarely on their mind. Many organizations end up with excessive numbers of highly privileged users in SaaS solutions.

In fact, the Australian Signals Directorate doesn’t even mention SaaS in its often quoted ASD Essential Eight guide. That guidance reads as follows [1]: “Users with administrative privileges for operating systems and applications are able to make significant changes to their configuration and operation, bypass critical security settings and access sensitive information.” All of these risks apply equally when you store and transact your data in SaaS solutions, so it is important to apply a least privilege model to ALL privileged access, including your SaaS footprint.

Is it possible not to have any privileged users?

In order to implement a least privilege model, both across the organization and within each individual SaaS solution, it is important to first understand the minimum number of highly privileged users you need. It is unwise to have only a single highly privileged user in any one SaaS solution: that staff member might resign, have an accident or simply forget their access credentials, leaving the business exposed to operational and availability risks.

It is prudent to have at least two highly privileged users per SaaS solution to address the above risks, and to use delegated privileged roles for most day-to-day administrative activity.

How do you end up with excessive privileged users?

Many organizations instead end up with excessive numbers of both highly privileged and privileged users in SaaS solutions that contain business critical and customer sensitive data. This typically occurs when staff change roles, or are granted elevated privileges for a short-term task, and access rights are never reviewed as part of business-as-usual (BAU) operations. Another common cause is department managers or C-suite executives who hold onto these rights even though they are not needed for oversight or control purposes.

Now that the decision has been made to manage the count of privileged users in SaaS, it’s worth taking a look at the major SaaS providers’ recommendations:

  • Microsoft Office 365 - minimum two, maximum four “Global administrators”
  • G Suite - minimum two “Super Administrators”
  • Atlassian - minimum two “Site Administrators”
  • Salesforce - at least one “System Administrator”

In addition, some SaaS solutions fix the number of highly privileged users you can have:

  • Zoom - a single Owner only with multiple Admin accounts
  • Box - a single Admin only with multiple Co-Admin accounts

This is a mixed bag of options and recommendations, so it’s worth establishing a baseline.

So what are Detexian’s recommendations?

Detexian recommends, for most SaaS solutions, between two and four highly privileged users per SaaS. If your organization is geographically diverse (i.e. staff live and work in different cities), then two is likely correct. If your staff live in the same city and work in the same building, it is appropriate to have more highly privileged users to reduce the availability risk.

If the SaaS solution supports privileged users for delegated tasks, these should also be restricted to two to four users per role, granted only as needed.

For SaaS solutions that only support a single admin or owner account, Detexian’s best practice advice is in line with AWS guidance for the root account:

  1. Use an email address linked to a group of users or shared mailbox rather than an individual user to set up the master admin / owner account.
  2. Use a very strong password for the master admin / owner account and enable MFA for this account. We recommend email-based MFA if possible, or otherwise a shared / on-call mobile.
  3. Join two to four individual users and assign them the delegated admin roles available in the SaaS.
  4. Store the master username and password in a vault and do not use this account for BAU administrator functions. Only use this account to move privileges around.
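The two-to-four band above and the single-owner procedure can both be checked from a role-assignment export, which is the kind of review that is usually missing from BAU operations. The following audit script is an added example and is not Detexian tooling or any provider's API. It assumes a constructed export of (saas, role, account) rows, takes the role labels and the Zoom/Box single-owner rule from this article, and uses a constructed SHARED_MAILBOXES set to approximate step 1 (owner account backed by a group or shared mailbox rather than an individual).

```python
"""Audit exported SaaS role assignments against the privileged-user band:
two to four accounts per highly privileged or delegated role, and exactly
one owner/admin, backed by a shared mailbox, for products that fix the count.
Added example; not Detexian tooling and not a provider API."""
from collections import defaultdict

# Band taken from the article's recommendation.
MIN_PRIVILEGED = 2
MAX_PRIVILEGED = 4

# Products the article lists as allowing a single owner/admin account.
SINGLE_OWNER_ROLES = {("zoom", "Owner"), ("box", "Admin")}

# Constructed: addresses the organization has registered as group or shared
# mailboxes, so a single-owner account can be checked against step 1.
SHARED_MAILBOXES = {"zoom-owner@example.com"}

# Constructed sample export in the shape (saas, role, account). Tenant names,
# role labels and accounts are illustrative; real exports differ per product.
SAMPLE_ASSIGNMENTS = [
    ("office365", "Global administrator", "alice@example.com"),
    ("office365", "Global administrator", "bob@example.com"),
    ("office365", "Global administrator", "carol@example.com"),
    ("office365", "Global administrator", "dave@example.com"),
    ("office365", "Global administrator", "erin@example.com"),     # fifth: too many
    ("office365", "Exchange administrator", "frank@example.com"),  # delegated, only one
    ("gsuite", "Super Administrator", "alice@example.com"),        # only one super admin
    ("zoom", "Owner", "zoom-owner@example.com"),                   # shared mailbox owner
    ("zoom", "Admin", "alice@example.com"),
    ("zoom", "Admin", "bob@example.com"),
    ("box", "Admin", "alice@example.com"),                         # two individual admins
    ("box", "Admin", "bob@example.com"),
    ("box", "Co-Admin", "carol@example.com"),
    ("box", "Co-Admin", "dave@example.com"),
]


def count_by_role(assignments):
    """Group an export into {(saas, role): set(accounts)}, normalising case."""
    roles = defaultdict(set)
    for saas, role, account in assignments:
        roles[(saas, role)].add(account.lower())
    return roles


def audit(assignments, low=MIN_PRIVILEGED, high=MAX_PRIVILEGED,
          shared_mailboxes=SHARED_MAILBOXES):
    """Return (saas, role, count, finding) tuples; an empty list means compliant."""
    findings = []
    for (saas, role), accounts in sorted(count_by_role(assignments).items()):
        n = len(accounts)
        if (saas, role) in SINGLE_OWNER_ROLES:
            # Fixed single owner: exactly one account, and it must be a shared mailbox.
            if n != 1:
                findings.append((saas, role, n, "expected exactly one owner/admin account"))
            individuals = sorted(a for a in accounts if a not in shared_mailboxes)
            if individuals:
                findings.append((saas, role, n,
                                 "owner account(s) not a shared mailbox: " + ", ".join(individuals)))
        elif n < low:
            # Applies to highly privileged and delegated roles alike.
            findings.append((saas, role, n, f"below minimum of {low}"))
        elif n > high:
            findings.append((saas, role, n, f"above maximum of {high}"))
    return findings


if __name__ == "__main__":
    for saas, role, n, finding in audit(SAMPLE_ASSIGNMENTS):
        print(f"{saas:10} {role:22} {n:>2}  {finding}")
```

Run against the constructed export, the script flags the five Office 365 Global administrators, the lone Exchange administrator and G Suite Super Administrator, and the two individual Box admins; the Zoom tenant, with one shared-mailbox Owner and two delegated Admins, passes. Feeding it a real export only requires mapping each product's own role names onto the (saas, role, account) shape.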

