Delegate Administrator Roles in Chrome

If your organization needs multiple Chrome administrators, you can create administrator roles with Chrome OS privileges in the control panel. Administrator roles let you grant administrators access to settings they need while blocking access to settings they don't need.

With delegated administration in Chrome OS, you can grant users permissions specific to their roles, such as giving a teacher the ability to create new users and set passwords for students in his classroom, without giving him management access to all the devices in your school district. Likewise, with this feature, you can give a manager administrative access to configure the email settings of his direct reports, without giving him Super Admin permissions over your entire domain.

About Administrator Roles and Privileges

These settings give you more control over what other administrators in your organization can do. They can limit administrator access to specific Chrome OS tabs in the control panel, such as the following:

| Setting | What permissions it gives to delegated administrators |
| --- | --- |
| Manage Device Shipments | READ access to Shipments. |
| Manage Devices | READ and WRITE access to Devices. |
| Manage User Settings | READ and WRITE access to User Settings for the organizational units for which the administrator has privileges. |
| Manage Application Settings | READ and WRITE access to the Apps and Extensions section of User Settings for the organizational units for which the delegated admin has privileges. This is a subcategory of User Settings, so all admins who can manage User Settings can also manage Application Settings.* |
| Manage Device Settings | READ and WRITE access to Device Settings for the organizational units for which the delegated admin has privileges. |
| Manage User and Device Networks | READ and WRITE access to Networks for the organizational units for which the delegated admin has privileges. |

*Use Manage Application Settings if you want to give a teacher the ability to preinstall and manage applications for his students without giving him access to all of the permissions under User Settings.

For more about delegated administration roles, see Administrator privilege details.

Setup

  1. If you haven’t already, create organizational units in Google Apps. These can be groupings such as schools and classrooms, or business subsidiaries and offices.
  2. Follow these instructions to grant administrator privileges to users in your organization.

Once you’ve assigned privileges, you can see which ones the user has been assigned by clicking on her name in your Google Apps control panel. At the bottom of the Roles & Privileges tab, expand Resolved Privileges to see the privileges that user has.

If a role includes a setting that isn't manageable by suborganization (such as Shipments), you won't be able to choose a suborganization when you assign that role. For example, if an admin role only manages User Settings, you can assign it to a teacher for an organizational unit called "Classroom A". But if that role also manages Shipments, you won't be able to assign it to only your "Classroom A" organizational unit, because the Shipments tab currently doesn't support privileges by organizational unit.
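When planning roles before creating them in the control panel, the scoping rule above and the User Settings footnote can be checked offline. The following is an added example, not Google code or a Google API: the privilege names come from the table on this page, while the function names and data layout are hypothetical.

```python
# Added illustration: a local model of the rules on this page, not a Google API.
# Privilege names come from the table; everything else here is hypothetical.

# Privileges the table describes as applying per organizational unit (OU).
OU_SCOPED = {
    "Manage User Settings",
    "Manage Application Settings",
    "Manage Device Settings",
    "Manage User and Device Networks",
}
# Privileges the page says cannot be limited to a suborganization.
DOMAIN_ONLY = {"Manage Device Shipments"}
# "Manage Devices" is left out: the page does not say how it is scoped.

# Footnote rule: User Settings already includes Application Settings.
IMPLIES = {"Manage User Settings": {"Manage Application Settings"}}


def resolve(privileges):
    """Return the effective privilege set, including implied ones."""
    unknown = set(privileges) - OU_SCOPED - DOMAIN_ONLY
    if unknown:
        raise ValueError(f"not modelled: {sorted(unknown)}")
    resolved = set(privileges)
    for p in privileges:
        resolved |= IMPLIES.get(p, set())
    return resolved


def split_for_ou(privileges):
    """Split a role into the part assignable to one OU and the domain-wide rest."""
    resolved = resolve(privileges)
    return resolved & OU_SCOPED, resolved & DOMAIN_ONLY


def check_assignment(role, privileges, org_unit):
    """List the problems with assigning this role to org_unit.

    org_unit=None means the whole domain, which is always allowed.
    """
    _, domain_part = split_for_ou(privileges)
    if org_unit is None or not domain_part:
        return []
    return [
        f'{role}: cannot limit to "{org_unit}" because {p} is domain-wide; '
        "move it to a separate role"
        for p in sorted(domain_part)
    ]
```

An empty list from `check_assignment` means the role can be limited to that organizational unit; any finding names the privilege to move into a separate role, using the two sets that `split_for_ou` returns.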
