Should admin user be visible to regular users

Question

When building a system, where all users belong to the same organisation, should regular users be able to see admin users?

On one hand one could argue that there is no need for this information to be hidden. That regular users would benefit on knowing what accounts have admin privilege since they then knows who to ask for admin help. Hiding admins is only a form of unnecessary 'security by obscurity'.

On another hand one could argue that any information about admin users should be withheld. All info on admin users should follow the principle of least privilege.

How do you reason about this?

Answer 1

What can you do when the only information you have is a username ? You can conduct a brute-force attack in the hope of finding the password. So you should have 1) a strong password and 2) a mechanism to detect and thwart attacks. Why not add 3) 2FA is the stakes are high enough.

One possible strategy would be to have multiple levels of access rights. For example you could have a public helpdesk user with limited rights, and another, unpublished user account (preferably not one that is predictable/easy to guess) with admin rights to work behind the scenes.

In this setup the users will always interact with the helpdesk account and never with the admin, that they don't know. Thus, even if the helpdesk user account is compromised, the damage is contained.

That means your application has to have a feature for hiding accounts somehow. I would weigh the pros and the cons. If you have to tweak an existing architecture a lot to achieve this goal, this may not be worth it. When it comes to security, simplicity is better than complexity. That means don't break stuff to fix a mundane problem.