If your small business uses Office 365 or other proprietary software, you need someone to handle administrative (admin) permissions. In many organizations, admin accounts fall to IT, but if you don't have an internal IT professional, you'll need someone in-house who can handle this task.
Here, we'll focus on admin permissions for Office 365, because it is one of the most common business software suites, but much of the advice here is applicable to anyone responsible for admin accounts across other software applications.
What are admin permissions?
Admin permissions allow the designated employee to handle administrative tasks relating to a software application's use. In Office 365, the admin can add people to or delete people from the account, retrieve or reset passwords, and fix problems that come up, like syncing OneDrive cloud accounts between computers or users. Essentially, the admin holds the "keys" to the system.
Phillip Dennis, principal with Watkyn LLC, a firm that specializes in business information systems, explained there are many different kinds of administrators in the Office 365 environment. Global admins possess all account privileges, whereas compliance admins, security admins, billing admins, password admins, user management admins and service admins have powerful permissions limited to specific areas. There can also be admins for specific applications, such as a SharePoint admin and an Exchange admin.
What do admins do?
It is your admin who keeps the company running smoothly and productively, said Dennis. For example:
- Admins keep people productive. They create user accounts and provide credentials for new employees. Admins ensure that current employees are up-to-date on any permissions they need to complete tasks.
- Admins maintain security. These people are often tasked with setting up the IT security and compliance policy, such as setting password and multifactor authentication policies, data loss prevention policies, and many other aspects of security and compliance. Security also encompasses eliminating permissions to certain databases or files for employees when they move off a task or leave the organization.
- Admins control costs. Many web services charge on a per-user basis and have other fees for storage and overage use that must be monitored. A good administrator helps an organization control its costs by deleting unneeded user accounts and monitoring usage.
How to choose the right admin
Because of the control they have, choose your admin carefully. A Ponemon Institute and Keeper Security study – the "2017 State of SMB Cybersecurity" – found the leading root cause of a data breach was a negligent employee or contractor. For that reason, only trusted, conscientious and technically competent employees should be considered for this role.
As a further safeguard, at least two people should be given admin permissions. You want to make sure there is always someone available who has admin permissions, and you don't want to give so much power to one individual. You may want to choose people from different departments. Admins should be comfortable with the technologies your company uses and willing to learn new technology as it is introduced.
Your admin should be fluent in the basic terminology (and functions) of the admin permissions environment, including:
- Admin or administrator: The person with full access to the system and its settings.
- Sharing or delegated access: The different ways admins can grant access to others.
- Groups and members: A limited set of employees given certain access permissions by the admin so they can collaborate on specific projects.
- Access control: Resources are only granted to those users who require them.
- Least privilege: Granting only the minimum permissions an employee needs to perform their intended function.
- MFA (multifactor authentication): An authentication system that requires users to follow multiple steps to access files, such as a password plus a token or a code sent via text.
Mitch Rosen, senior solution engineer for Keeper Security, offered the following tips that every admin should know about permissions:
- Depending on what the admin account is for, it can be used to create other accounts, set permissions for users and services, and delete everything, if desired or necessary. Admin functions are powerful and should be treated as such.
- Instead of using the admin account for your personal activities, use your own user account and only invoke the use of the admin account when your personal account doesn't have the permissions to complete the task you desire to accomplish.
- Don't share admin accounts if you don't need to.
- Don't leave admin credentials lying around for anyone to find.
- Don't email passwords or leave passwords on a sticky note that the cleaning people may find. And don't be naive enough to think that your college intern doesn't possess the skills to circumvent your password on the spreadsheet file stored on the shared drive.
Why admin permissions are important
"Most companies have important information, some have intellectual property or even data that requires safe keeping by compliance and regulations," said Luca Jacobellis, president of Cal Net Technology Group, an IT services company. "If that data gets out, it can hurt your reputation, or, worse, have legal implications."
Having a basic understanding of admin permissions allows you to choose the right person for this critical responsibility and will provide a layer of security for your organization's data.