Superusers

A superuser has implicit Owner permission for all objects. Superusers have no security restrictions. They are allowed to do anything in the system.

Superusers can manage objects that have no owners. For example:

• An owner of an object is on vacation, leaves the company, or is otherwise unreachable.
• An owner of an object removes himself from the Owner permissions and saves the object. From then on, the object has no explicit owner.
• A group had been granted Owner permission for an object. The group initially had two users. Over a period of time, the two users left the company, and each one got removed from that group. The object's permissions were unchanged during this time, but effectively it has no owner.

All superusers are users in the Administrator authentication realm. For example, for the LDAP realm, users must be present in the LDAP server. If a superuser is deleted from the LDAP server, the user loses superuser privilege only in the next login session. A current login session still treats the user as a superuser.

Because of the potential for a rogue superuser to vandalize the system, exercise caution when assigning the superuser role to a user or creating superuser groups.