By default, administrator accounts in your organization have access to user content and activity records for Google Workspace services—for example, Gmail and Chat activity records in audit logs. As a super admin, you can help protect your users’ security and privacy by limiting admins only to those privileges that are required for regular use.
For example, you might want to limit the number of admins in your organization who have access to reports and audit logs, the investigation tool, the security dashboard, and the Meet quality tool. For instructions on turning privileges on or off for these services, see the sections below.
Security best practices for admin accounts
Super admins should use a separate user account for day-to-day activities. They should only sign in to their super admin account when they need to perform specific super admin duties. It’s also important for super admins to use 2-Step Verification (2SV)—preferably using security keys—because their accounts control access to all business and employee data in the organization.
For more details, see Security best practices for administrator accounts.
About admin roles and privileges
In the Google Admin console, you can turn on admin privileges for specific users by assigning admin roles to those users. You can assign pre-built admin roles or custom admin roles. Similarly, you can turn off admin privileges by unassigning users from admin roles.
To help protect the security and privacy of your users, review the admin privileges in your organization for Reports, the Security dashboard, the Security investigation tool, and the Meet quality tool. See the sections below for more details.
Reports privilege
To turn the privilege on or off for Reports, go to the Google Admin console, click Admin roles, click one of the roles in the left column, and click Privileges. The Reports privilege is located under Reports.
As an administrator with the Reports privilege, you can view Reports to examine potential security risks, track who signs in and when, understand how users create and share content, track user activities such as document edits, and track changes made by other admins.
The Reports privilege also provides access to audit logs for Gmail, Chat, Meet, and Voice—as well as the audit logs for most other services. Admins can view information about the participants, as well as content such as meeting name and email subject, and records of each message or call.
To turn the privilege on or off for the security dashboard, go to the Google Admin console, click Admin roles, click one of the roles in the left column, and click Privileges. The security dashboard privilege (Dashboards) is located under Services > Security Center.
The security dashboard contains several reports with aggregate information derived from message content—for example, the number of emails that users classify as spam. For more details, see Use the security dashboard.
Super admins have automatic access to the security dashboard, and they can turn privileges on or off for delegated admins. See also Admin privileges for the security center.
To turn privileges on or off for the security investigation tool, go to the Google Admin console, click Admin roles, click one of the roles in the left column, and click Privileges. The security investigation tool privileges are located under Services > Security Center. When you assign privileges for the investigation tool, you can grant admins a range of different privileges that are appropriate for their role and duties.
Using the security investigation tool, admins run searches and view results that could contain sensitive content, such as the subject of an email or title of a document. Admins can view headers of Gmail messages, update or delete content from the investigation tool, and view Gmail message content to understand any risk that might be associated with a message.
Super admins have automatic access to the security investigation tool, and they can turn privileges on or off for delegated admins. See also Admin privileges for the security center.
To turn the privilege on or off for the Meet quality tool, go to the Google Admin console, click Admin roles, click one of the roles in the left column, and click Privileges. The Meet quality tool privilege is located under Services > Google Meet > Manage Meet Settings > Admin quality dashboard access.
The Meet quality tool reports on the quality of each instance of a meeting, including the meeting ID, duration, and number of participants. For more information about admin privileges for the Meet quality tool, see Track meeting quality and statistics.
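One way to carry out the review described above outside the console, as an added example that is not Google's code: the script joins role definitions with role assignments and lists every admin who holds one of the four privileges. The dictionaries use the field names of the Admin SDK Directory API Role and RoleAssignment resources; the privilege names, role names, and user IDs are constructed placeholders.

```python
# Added example. Dicts use Admin SDK Directory API field names
# (Role, RoleAssignment); every value below is constructed sample data.

# Assumption: placeholder privilege names standing in for Reports, Dashboards,
# the investigation tool and the Meet quality tool. Use your tenant's names.
SENSITIVE = {"EXAMPLE_REPORTS", "EXAMPLE_SECURITY_DASHBOARD",
             "EXAMPLE_INVESTIGATION_TOOL", "EXAMPLE_MEET_QUALITY_TOOL"}

def _role(role_id, name, privileges, super_admin=False):
    return {"roleId": role_id, "roleName": name, "isSuperAdminRole": super_admin,
            "rolePrivileges": [{"privilegeName": p} for p in privileges]}

ROLES = [
    _role("1", "Super admin (sample)", [], super_admin=True),
    _role("2", "Help desk (sample)", ["EXAMPLE_PASSWORD_RESET", "EXAMPLE_REPORTS"]),
    _role("3", "Meet support (sample)", ["EXAMPLE_MEET_QUALITY_TOOL"]),
    _role("4", "Groups editor (sample)", ["EXAMPLE_GROUPS_UPDATE"]),
]
ASSIGNMENTS = [
    {"roleId": "1", "assignedTo": "user-a"},
    {"roleId": "2", "assignedTo": "user-b"},
    {"roleId": "2", "assignedTo": "user-c"},
    {"roleId": "3", "assignedTo": "user-b"},
    {"roleId": "4", "assignedTo": "user-d"},
    {"roleId": "9", "assignedTo": "user-e"},  # role missing from the export
]

def sensitive_access(roles, assignments, sensitive=SENSITIVE):
    """Return ({user: {role name: [sensitive privileges]}}, [unknown role ids])."""
    by_id = {r["roleId"]: r for r in roles}
    report, unknown = {}, set()
    for a in assignments:
        role = by_id.get(a["roleId"])
        if role is None:
            unknown.add(a["roleId"])  # surface stale data instead of skipping silently
            continue
        if role.get("isSuperAdminRole"):
            held = sorted(sensitive)  # super admins hold every privilege
        else:
            names = {p["privilegeName"] for p in role.get("rolePrivileges", [])}
            held = sorted(names & sensitive)
        if held:
            report.setdefault(a["assignedTo"], {})[role["roleName"]] = held
    return report, sorted(unknown)

if __name__ == "__main__":
    report, unknown = sensitive_access(ROLES, ASSIGNMENTS)
    for user, roles in sorted(report.items()):
        print(user, roles)
    print("assignments pointing at unknown roles:", unknown)
```

Users who appear under more than one role need the privilege removed from each of those roles before they lose access.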
Turn on privileges by assigning an admin role
Assign an admin role:
- Sign in to your Google Admin console. Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Admin roles.
- On the left, click the role that you want to assign.
- Click Admins.
- Click Assign users.
- Find and select up to 20 users.
- Click Assign role.
Turn off privileges by unassigning an admin role
Unassign an admin role:
- Sign in to your Google Admin console. Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Admin roles.
- On the left, click one of the custom roles in the list.
- Click Admins.
- Check the boxes for the admins for which you want to unassign the role.
- Click Unassign role.
- To confirm, click Unassign role again.
Add or remove privileges by updating a custom admin role
You can add or remove specific admin privileges for multiple users by updating a custom admin role. For example, if you don’t want a group of users to have the Reports privilege, you can remove that privilege from a custom role that you’ve assigned to those users.
Add or remove admin privileges in a custom admin role:
- Sign in to your Google Admin console. Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Admin roles.
- On the left, click one of the custom roles in the list.
- Click Privileges.
- Check or uncheck the boxes for the privileges that you want to add or remove in the admin role.
- Click Save.
For example, to turn off the Reports privilege, uncheck the Reports check box. To turn off privileges for the security dashboard, go to the Security Center section and uncheck the Dashboards box.
Turn off privileges by deleting a custom admin role
You can't delete a custom admin role while you're assigned to it, and you can't remove yourself from the role. Contact another super admin to have them remove you from the role.
Turn off privileges for delegated admins by deleting a custom admin role:
- Sign in to your Google Admin console. Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Admin roles.
- Click the custom role that you want to delete.
- Click Delete role.
- To confirm, click Delete role again.
For more details and instructions, see Create, edit, and delete custom administrator roles.
Related topics
For general information and instructions about admin roles and privileges, see the following help articles: