Shawn is right with his recommendation, and I can even add that if you download and install the GPPT for a 30-day trial, you’re going to make your life much easier when analysing all the pitfalls of GP Security… Right during installation, GPPT asks you if you want to create the SUPERUSER role in GP, which is not identical to POWERUSER, as it is a regular GP role, but provides access to everything.
GPPT also has a nice function that allows you to build Security Roles & Tasks on the fly by just recording the resources a user goes through during their activities. This way you can create really tight & custom security for GP.
In general, the default role IT_MANAGER* already provides a decent role to start with and allows management of user security in GP. Remember to also assign those SQL users the specific SQL Security role ‘SecurityAdmin’ so that they are granted permissions to create users and reset passwords in GP.
The most recent build of GP also added a Security Workflow, which prevents users from creating / granting access without being supervised and approved first by an upper authority in the company. That is a welcome safeguard that was missing in GP for years, as any sys admin could just go ahead and grant themselves or other users full access and go largely undetected for a while (and this implies there are some external controls taking place on a regular basis).
Feel free to reach out if you need more help.