Don't use the same model (table) for Admin and User

[sheerun]

For an attacker it's easier to change user.admin = true (for example when application doesn't use strong_parameters or whitelisted attributes), then add new Admin record.

Besides, when Admin and User are on the same table, STI is used, which sucks.

[teamon]

.. and this will give you false feeling of security ...

[jandudulski]

Agree with @teamon, using dumb tricks doesn't improve security.

[sheerun]

You missed part about STI. And this is not dumb trick, I gave you specific example.

[teamon]

If you have only admin? on User class there is not STI. Following this way of thinking we should put everything in separate tables, like account.owner_id = my_id and others. user.admin = true is not a special case here.