How to create an SU administrator account?

Overview

SU accounts are special accounts used for privileged/administrative role access to many services. They are separate from normal daily activity accounts to allow additional restrictions on access and to reduce the potential for account compromise through common attack methods like phishing email.

Note: creating this separate account does not automatically assign role access. Additional steps are required to set permissions on the new account: submit an Identity and Access Management ticket after the account has been created.


Account Creation

An SU account is a normal account marked as non-personal and added to the iam-account-type-privileged security group. It has an "su-" prefix to allow it to be easily identified in audit logs and role/permission checking. There are also automated processes which alter email auto-forwarding, mailbox sizes, and more.

  • To create the account, look up the owner in Toolbox and start the account creation process as normal.
  • Select "custom" for the username and enter "su-<username>".
    • The <username> must match the primary employee account to ensure automated tasks complete properly.
    • For example: jvandal = su-jvandal
  • Select the "functional / shared" account Type option. This marks the account as non-personal (not an "individual" account).
  • Set the Last Name to "Admin"
    • This allows proper sorting in administrative tools and ensures the account is not confused with the employee's normal daily work account.
  • Set the First Name to the user's full name, e.g. "Joe Vandal"

Example: [screenshot]


Nightly Automated Updates

There is a nightly automated process that sets special Exchange Online attributes and initial non-role group membership. The new account can also be added to the iam-account-type-privileged group immediately in Toolbox.

Warning: the nightly process looks for accounts which start with "su-", "net-" and "ad-" and will treat them as privileged even if they are not members of the iam-account-type-privileged group.
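As an added example (not code from the article or from Toolbox), the following Python script audits an exported list of accounts against the convention above: every su- account must have a matching primary account, be marked functional / shared with last name "Admin", and belong to iam-account-type-privileged, and any su-/net-/ad- account outside that group is flagged because the nightly process treats those prefixes as privileged regardless. The account records and field names are constructed for illustration.

```python
# Added example (not from the article or Toolbox): audit a constructed account
# export against the SU convention above. "su-<username>" must match a primary
# account, be functional / shared with last name "Admin", and sit in the
# privileged group; any su-/net-/ad- account outside the group is flagged because
# the nightly process treats those prefixes as privileged regardless.
from dataclasses import dataclass, field

PRIVILEGED_PREFIXES = ("su-", "net-", "ad-")
PRIVILEGED_GROUP = "iam-account-type-privileged"

@dataclass
class Account:
    username: str
    first_name: str
    last_name: str
    account_type: str                      # "individual" or "functional / shared"
    groups: set = field(default_factory=set)

def audit_accounts(accounts):
    """Return {username: [findings]} for each account breaking the convention."""
    by_name = {a.username: a for a in accounts}
    findings = {}
    for acct in accounts:
        issues = []
        prefixed = acct.username.startswith(PRIVILEGED_PREFIXES)
        if prefixed and PRIVILEGED_GROUP not in acct.groups:
            issues.append(f"prefix implies privileged but not in {PRIVILEGED_GROUP}")
        if PRIVILEGED_GROUP in acct.groups and not prefixed:
            issues.append("in privileged group but username lacks a privileged prefix")
        if acct.username.startswith("su-"):
            base = acct.username[len("su-"):]
            if base not in by_name:
                issues.append(f"no primary account '{base}' for this SU account")
            if acct.account_type != "functional / shared":
                issues.append("SU account must be marked functional / shared")
            if acct.last_name != "Admin":
                issues.append("SU account last name must be 'Admin'")
        if issues:
            findings[acct.username] = issues
    return findings

# Constructed sample data with hypothetical users to exercise the checks.
SAMPLE = [
    Account("jvandal", "Joe", "Vandal", "individual"),
    Account("su-jvandal", "Joe Vandal", "Admin", "functional / shared", {PRIVILEGED_GROUP}),
    Account("su-asmith", "Ann Smith", "Smith", "individual"),           # no primary, wrong type/name
    Account("net-backup", "Backup", "Service", "functional / shared"),  # prefix, not in group
    Account("rjones", "Rob", "Jones", "individual", {PRIVILEGED_GROUP}),  # in group, no prefix
]
```

Running `audit_accounts(SAMPLE)` reports only the three non-compliant entries; a correctly created pair such as jvandal / su-jvandal produces no findings.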


Details

Article ID: 1791
Created: Thu 1/14/21 9:55 AM
Modified: Thu 3/21/24 5:18 PM