← All controls

6 Super-admin separation & minimal count

Super admin is the tenant's root privilege: it can read any mailbox, reset any password and unwind any setting on this list. This control caps the number of super admins at a handful and — the part that matters more — moves the role onto dedicated admin-only identities with no mail flow and no third-party OAuth grants, so an admin's daily phishing exposure is not also the tenant's. Everyday accounts drop to the narrowest prebuilt delegated role that does their job.

Caveats

Setup steps

  1. open ↗ Account › Admin roles › Super Admin
    Super admins
    2–4 named humans, no more

    Assign specific admin roles ↗

  2. open ↗
    Admin console screen — Directory > Users (create the separate admin identity; verify no daily-driver account is an admin)

    https://admin.google.com/ac/users · captured 2026-07-15

    Directory › Users

    admin-<name>@<domain>, no mail flow, no third-party OAuth grants

    Make a user an admin ↗

  3. open ↗ Account › Admin roles
    Daily accounts
    delegated role only
    Super Admin
    admin-* identities

    Prebuilt administrator roles ↗ Remove Google Workspace administrator privileges ↗

  4. Account › Admin roles › <role> › Admins

    Roster exported and dated

Ongoing maintenance

How to verify

  1. Count the super admins and check they are dedicated admin-only identities (no mail flow, no OAuth grants).

    gam print users query "isAdmin=true" fields primaryEmail,lastLoginTime
  2. The list should be 2–4 accounts, every one a dedicated admin identity — a daily-driver mailbox in this list is the finding.

v0.1.2Prevent policy #4 · #28 ↗