Information Security
account-security
Updated Sun, 02 Oct 2022 06:50:11 GMT

Is it bad practice to have a 'super admin' - so they effectively bypass security checks in your system?


I have seen a few system designs in my time and one question keeps cropping up:

Is it bad practice to have a 'super admin' - a single user - or 'super admin' privileges in your system?

By that I mean giving one or many users 'super admin' privileges so they basically never see a "you do not have permission" error and are never prevented from doing anything in the system.

This is from a security standpoint mainly - if someone somehow managed to log in to an account that has 'super admin' privileges (when they shouldn't have access), they could wreak havoc, as they can change anything in the system.




Solution

I would split my answer into two parts:

Super admin in general

When designing a system, you do not want to get into a situation where no one is able to access the system and manage it as needed, especially when an emergency is at hand.

On the other hand, you probably don't want a single entity to be able to manage and control all properties of the said system.

For this particular reason, many designs include this role but with a limited assignment.
This role is mostly assigned to a "non-personal" user account whose credentials are safeguarded by a quorum of trusted people.
Another option is to have this role assigned to multiple trusted users with an approval quorum to apply sensitive modifications.

Sometimes a similar account is also created as a local account (in case the others are governed by an organization's centralized identity management platform such as Okta) to allow out-of-band access in case of emergencies.

Users assuming super administrative privileges at all times

Per security design principles, you want to avoid excessive privileges assigned to personnel.
Your system should support access packages and roles bound to the specific actions they need to perform on your system.
Let them perform whatever operations they need, nothing else.

It doesn't necessarily mean you are giving them the key to your castle if they are system administrators. You can put sensitive operations under additional security measures such as just-in-time access that requires an external supervisor to approve the grant, etc.





Comments (5)

  • +0 – Having a quorum could be a sensible option but... do you have any real example of this actually being used in the wild? The only case I know of regards nuclear launches, which require multiple keys to be engaged at the same time, but I've never seen or heard of a software system which implements that kind of interaction. I guess it is complicated to handle, so 99.99% of solutions use other options? — Sep 02, 2022 at 07:13  
  • +3 – @GACy20: A few examples I've seen are cryptography software which splits backups of the master encryption or signing keys using Shamir's Secret Sharing, e.g. Hashicorp Vault or various HSM appliances. — Sep 02, 2022 at 12:32  
  • +0 – @user1686 That's not really what I'm asking. Because in that case the quorum is built into the cryptography. I'm thinking of software where you have an action "A" (say: change role for user, or delete user) which, instead of simply executing the action for an administrator somehow "triggers" the request for further approval by other admins and when a certain quorum of approvals is reached the action A is performed. At least, this is how I've interpreted the description in this answer. — Sep 02, 2022 at 14:37  
  • +2 – @GACy20 In the fintech industry it is quite common actually, for instance in payment processing systems. There are systems that allow you to define rules that enforce quorum supervision over the execution of sensitive operations or significant payments. — Sep 02, 2022 at 17:32  
  • +2 – @GACy20, while not cryptography, code review before allowing a merge to the master branch seems like exactly the option you are asking for. — Sep 03, 2022 at 06:37
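The approval-quorum design the answer recommends for sensitive modifications, in the shape the 14:37 comment describes (an administrator's request is queued and only runs once enough other administrators approve it), as an added example that is not from the question, the answer or any commenter. The role table, operation names, user names and the `executor` callback are constructed for illustration; routine operations run directly under the role check, sensitive ones wait for the quorum, no one can approve their own request, and every decision lands in an audit trail.

```python
# Hypothetical role table (constructed): operations each role may request.
ROLES = {"support": {"reset_password"},
         "admin": {"reset_password", "change_role", "delete_user"}}
# Sensitive operations additionally need a quorum of approvals to execute.
SENSITIVE = {"change_role", "delete_user"}

class QuorumGate:
    def __init__(self, users: dict, quorum: int, executor):
        self.users = users          # user -> role
        self.quorum = quorum        # distinct approvals required
        self.executor = executor    # callable(action, target) doing the real work
        self.pending = {}           # request id -> pending record
        self.audit = []             # append-only trail of every decision

    def _allowed(self, user: str, action: str) -> bool:
        return action in ROLES.get(self.users.get(user, ""), set())

    def request(self, user: str, action: str, target: str) -> int:
        """Run a non-sensitive action now (returns 0) or queue a sensitive one."""
        if not self._allowed(user, action):
            self.audit.append(f"DENY {user} {action} {target}")
            raise PermissionError(f"{user} may not {action}")
        if action not in SENSITIVE:
            self.executor(action, target)
            self.audit.append(f"EXEC {user} {action} {target}")
            return 0
        rid = len(self.audit) + 1   # audit is append-only, so this id is unique
        self.pending[rid] = {"action": action, "target": target,
                             "by": user, "approvals": set()}
        self.audit.append(f"PENDING#{rid} {user} {action} {target}")
        return rid

    def approve(self, approver: str, rid: int) -> bool:
        """Record one approval; True once the quorum is met and the action ran."""
        p = self.pending[rid]
        # Separation of duties: no self-approval, and approvers must hold the right.
        if approver == p["by"] or not self._allowed(approver, p["action"]):
            self.audit.append(f"REJECT-APPROVAL#{rid} {approver}")
            raise PermissionError(f"{approver} cannot approve #{rid}")
        p["approvals"].add(approver)
        if len(p["approvals"]) < self.quorum:
            return False
        self.executor(p["action"], p["target"])
        self.audit.append(f"EXEC#{rid} {p['action']} {p['target']} by={sorted(p['approvals'])}")
        del self.pending[rid]
        return True
```

In a real deployment the pending records and audit trail would live in durable storage outside the administrators' reach, so that a single compromised admin account can neither approve its own request nor erase the record of having tried.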