I've had a couple of Site owners that want to use a service account (a.k.a. faceless-account or shared logon) as a Site Administrator. This way anyone who knows the account can logon and go to town. Am I the only person who sees the security and accountability danger in this?
Here's what I recommend to those who want to use a service account as a Site Admin:
Using a service account is not recommended as it is a security risk. Give the account Publish rights and/or Project Leader to each Project if you want a “super-user” account.
While that may not be ideal it's still better than Site Admin.
I also like to see only 2 or 3 Site Admins per Site, no more. Too many admins can bring about inconsistencies and cause issues, particularly around permissioning. Thought really needs to be given as to why someone should be give Site Admin rights.
I also recommend that a Site Admin be someone who is not a contractor, that they should be a full-time/permanent employee. Again, this takes into consideration security and accountability.
So what have some of you done? What rules do you have for Site Admins...or do you?
In our environments, site admins need to use their own accounts - no exceptions. I really don't want to have to chase IP's from the HTTP requests in order to work out who has done what when there are issues.
Service accounts are used for scripting/automation purposes only.