Administrator privilege definitions

When you assign an administrator role to a user in the Google Admin console, you grant administrator privileges to that user and give them access to the Admin console. The role's privileges determine the controls the user sees on the Admin console Home page, information they can access, and tasks they can perform. Admins can also perform corresponding actions in the Admin API.

The table below describes the privileges an admin can have. These privileges could expand in scope as G Suite develops new administrative features.


Admin console privileges

Administrator privilege Description

Organizational units

Admins with this privilege can manage your account's organizational structure from the Users page in their Admin console. Granting rights here also grants corresponding Admin API rights (below).

Organizational units rights:

  • Create
  • Update 
  • Delete
  • Read 

Giving Create, Update, or Delete privileges automatically grants the Read privilege.

You can allow admins to perform actions on all users in your account or only on users in specific organizational units. For details, see Assign user management roles.

Users

Admins with this privilege can perform actions on users who aren't admins. Only super admins can change another admin's settings. Granting rights here also grants corresponding Admin API rights (below).

User management rights:

  • Create
  • Read
  • Update
    • Rename 
    • Move
    • Reset password
    • Force password change
    • Add/Remove aliases
    • Suspend users
  • Delete

You can grant each of these privileges individually. Granting Create, Update, or Delete privileges automatically grants the Read privilege.

You can allow admins to perform actions on all users in your account or only those in specific organizational units. For details, see Assign user management roles.

Tip: To let admins view a user's groups but not edit them, give them the Groups > Read API privilege.

Security

User security management

Note: Only super admins can see another admin's security settings.

Admins with this privilege can manage security settings for individual users. They can only manage users who don't have admin privileges. Granting rights here also grants corresponding Admin API rights (below).

On a person's Users page, admins with this privilege can:

  • Disable 2-Step Verification. Only super administrators can enforce 2-Step Verification for the entire organization.
  • Disable the login challenge for 10 minutes.
  • Review and revoke security keys.
  • Review and revoke app passwords.
  • Reset sign-in cookies (not for reseller admins). 
  • Review and revoke any 3-legged OAuth tokens the user granted to third-party apps.

All of these actions can be limited to specific organizational units, except enforcing or disabling 2-Step Verification.

Security settings

On the Security page, admins with this privilege can:

  • Allow less secure apps to access accounts.
  • Monitor user passwords.
  • Set up single sign-on (SSO) and authentication.

Allowing less secure apps to access accounts is the only action that can be limited to specific organizational units.

Groups

Admins with this privilege have full control over groups created in your Admin console. Granting rights here also grants corresponding Admin API rights (below).

Administrators with this privilege can:

  • View user profiles and your organizational structure.
  • Create, manage, and delete groups in the Admin console.
  • Manage group access settings.
  • Turn on services for access groups (also requires privileges for Organizational units and Services). For details, see Configure G Suite service settings with Groups.

These actions can't be limited to specific organizational units.

Tip: To let admins view the groups a user belongs to but not edit them, give them the Groups > Read API privilege.

Domain Settings

Admins with this privilege can:
  • Change the organization name, language, logo, and time zone.
  • View billing for your managed Google Account, such as G Suite or Cloud Identity.
  • Add and remove domains and domain aliases.
  • Map a custom URL to a site in Google Sites.
  • Update contact information for password recovery.
  • Delete your managed Google Account, such as G Suite or Cloud Identity.
  • Manage your feature release process.
  • Choose the types of email you want to receive from Google. For details, see Set communications preferences for G Suite.

These actions can’t be limited to specific organizational units.

Reports

Admins have access to usage reports and audit logs. For details, see Reporting tools overview.

Admins with this privilege can:

  • View graphs showing service use.
  • Track user activities such as document edits.
  • Track changes made by other admins in the Admin console.

These actions can’t be limited to specific organizational units.

Support

Admins with this privilege can use phone, chat, and email options to contact Google Cloud Support. All users assigned with the pre-built super admin role can contact support.

Admins can request technical support for any issue, including tasks that aren't performed in the Google Admin console.

The ability to contact Google Cloud Support can't be limited to specific organizational units.

Services > Service Settings

Note: Some products and services, such as Google Vault and Google Cloud Print, can't be edited with the Service Settings privilege.

Admins with this privilege can:

  • Turn services on or off and change service settings and permissions—applies for certain products you've added to your account (G Suite services, such as Gmail, Calendar, and Drive), Marketplace apps, and free Google services, such as YouTube and Blogger.
  • Create custom web addresses for services.
  • Manage Chrome and mobile devices already in the Admin console.

These actions can’t be limited to specific organizational units.

Checking the Service Settings box automatically selects the Settings privilege for Calendar, mobile device management, Google Drive and Docs, Gmail, Hangouts Chat, and Directory.

Services > Calendar

Admins with this privilege can create, edit, and delete resources. They can't modify the sharing settings of Calendar resources.

Calendar management rights:

  • All Settings—Admins can access and manage sharing settings, resources, the Room Insights Dashboard, and general settings.
  • Buildings and Resources—Admins can create, edit, and delete calendar resources and access the Room Insights Dashboard.
  • Room Insights—Admins can view, set filters, and adjust the date range on the Room Insights Dashboard.

This privilege is automatically selected with the Service Settings privilege.

Services > Mobile device management

Admins have full control over mobile devices listed in your Admin console.

Admins with this privilege can:

  • Manage mobile settings.
  • Manage device policies.
  • Perform all management operations, such as activate, block, delete, and wipe.

This privilege is automatically selected with the Service Settings privilege.

Services > Drive and Docs

Drive and Docs management rights: 

  • Settings—Admins can manage all settings for your organization's Google Drive and Docs services. You need this privilege and the Data Transfer privilege to transfer ownership of Drive files. For details, see Transfer Drive files to a new owner.
  • Docs templates—Admins can remove and categorize templates in the Docs, Sheets, Slides and Forms template galleries and in the Drive and Docs section of the Admin console. When template submission is set to Moderated in the Admin console, admins can accept or reject template submissions. When submission is set to Restricted, admins can add templates to the gallery. For details, see Create custom Drive templates.
  • Move any file or folder into shared drives—Admins can move files and folders into shared drives in your organization. 
  • Manage Metadata Categories—Admins can create custom metadata categories for Drive files and folders. Drive metadata is currently in Beta, and the Help is not yet available in all languages. For details, see Manage Drive metadata (beta).
  • View details of New Google Sites—Admins can identify the owner of a site, see the date the site was last published, and request edit access to the site.

The Settings privilege is automatically selected with the Service Settings privilege.

Services > Data Security

Admins with this privilege can manage the organization's Context-Aware Access policies. Admins can control the apps a user can access based on their context, such as their location or whether their device complies with your organization's policies.

Data Security management rights:

  • Access level management—Admins can create access levels.
  • Rule management—Admins can turn Context-Aware Access on or off and assign access levels to apps.

Services > Gmail

Gmail management rights:

  • Settings—Manage all Gmail settings for your organization.
  • Email Log Search—Search the log, troubleshoot delivery, and investigate security issues associated with emails.
  • Access Admin Quarantine—Access and manage emails in all quarantines, including the default quarantine.
  • Access restricted quarantines—Access and manage emails only in quarantines associated with groups the admin belongs to.

Only the Settings box is automatically selected with the Service Settings privilege.

Services > Security Center

The security center is available with G Suite Enterprise, G Suite Enterprise for Education, Drive Enterprise, and Cloud Identity Premium editions.

Admins with this privilege have access to advanced security information and analytics and added visibility and control into security issues affecting your organization. For details, see About the security center.

To assign full access to all Security Center features, check the This user has full administrative rights for Security Center box.

You can assign admins specific access to:

  • Dashboards
  • Security Health
  • Investigation tools
  • Activity rules

Services > Google Managed Play

Admins can manage Google Play store settings.

Admins with this privilege can:

  • Distribute Android apps internally to users.
  • Upload private apps to the Google Play store.
  • Use Android app packages (APKs) hosted outside of Google Play.

Services > Hangouts Chat

Admins can read and modify settings for Chat, such as saving conversations and allowing conversations with people outside of your organization.

This privilege is automatically selected with the Service Settings privilege.

Services > Chrome Management

Admins can manage the organization’s Chrome Browser policies, including:

  • User settings
  • Chrome applications and extensions
  • Managed Google Play (for Chrome devices only)

These actions can be limited to specific organizational units.

Granting access to Manage User Settings automatically grants privileges to Manage Application Settings.

This privilege is not automatically selected with the Service Settings privilege.

Services > Google meeting room hardware

This privilege is not present unless your account has at least one Google meeting room hardware license or enrolled device.

Admins can create user roles and assign privileges to specific Google meeting room hardware devices with or without Calendar privileges.

Users with the Chrome devices for meetings with Calendar privilege have full access to users' calendars. They can:

  • Read or write events.
  • Manage permissions of all calendars (primary, secondary, and resource) in the organization.
  • Delete any calendars in the organization.

After you assign this privilege to a user, it can take up to 24 hours for the Calendar privileges to be available.

Services > Google Hangouts

Admin quality dashboard access

With this privilege, admins can access the Meet quality tool.

For details, see Troubleshoot meeting quality.

Services > Jamboard Management

Admins with this privilege can perform tasks such as viewing and editing Jamboard settings and setting up devices.

Services > Directory Settings

Admins can manage settings and control Directory profile changes to let users make changes to their profile, including their name, photo, gender, and birthday.

This privilege is automatically selected with the Service Settings privilege.

Services > App Maker

Admins can view reports about all App Maker apps in your organization.

This privilege is automatically selected with the Service Settings privilege.

Services > Cloud Search

Admins with this privilege can:

  • Grant user access to Google Cloud Search.
  • Turn the service on or off. 
  • View reports on how the organization uses Cloud Search, including the number of search queries from different types of devices and the number of active users.
  • Manage settings for third-party repositories, such as settings for data sources, identity sources, and search applications. Admins also have read or write access for indexing.

Granting access to Settings automatically grants privileges to Cloud Search Indexing and Cloud Search Indexing Read Only.

This privilege is not automatically selected with the Service Settings privilege.

Services > Google Cloud Print

Admins with this privilege can set up and manage Google Cloud Print services for their organization, including printing from:

  • Chrome devices and Chrome Browser on Windows/Mac/Linux computers
  • The mobile version of G Suite services, such as Gmail
  • Third-party native mobile apps

For details, see Google Cloud Print services.

This privilege is not automatically selected by the Service Settings privilege.

Services > Shared device settings

Admins with this privilege can manage all common device configurations. They can set up Virtual Private Network (VPN), Wi-Fi, and Ethernet networks for mobile, Chrome, and Chromebox for meetings devices.

This privilege is not automatically selected by the Service Settings privilege.

Services > Chrome Management

Admins can manage your organization’s Chrome devices and policies, including:

  • User settings
  • Device settings
  • Chrome and Managed Google Play apps and extensions on Chrome devices

These privileges are only available if you have Chrome Enterprise or Chrome Education licenses.

Granting access to Settings automatically grants privileges to Manage Devices, Manage Device Settings, Manage User Settings, and Manage Application Settings. Granting access to Manage User Settings automatically grants privileges to Manage Application Settings. For more details, see Delegate administrator roles in Chrome.

This privilege is automatically selected with the Service Settings privilege.

Services > Google Vault

Admins can view all matters and manage matters, holds, searches, exports, retention policies, and audits. For details, see Understand and grant Vault privileges.

This privilege is not automatically selected by the Service Settings privilege.

Services > Work Insights

These privileges are available only if you have users with G Suite Enterprise or Enterprise for Education licenses.

Admins can access data on the Work Insights dashboard. Data is available only for teams that have Work Insights turned on. For details, see Control which data is available in Work Insights.

You can let users view data for all available teams or just specific teams, including organizational units, whitelisted groups, or teams in a manager's reporting line. For details, see Grant access to Work Insights.

 

Admin API privileges

Granting privileges to a user in the Admin console gives them corresponding rights in the API. For example, granting the right to create users in the Admin console also lets admins create users using the API. Likewise, updating Admin API rights updates corresponding rights in the Admin console.

To grant rights in the Admin console without allowing admins to perform actions in an API, turn off API access for your account. For details, see Enable API access in the Admin console.

APIs Description

Admin API Privileges

Allows the G Suite Admin API to perform actions on:

  • Organizational units
  • Users
  • Groups
  • User-security management
  • Data transfer—Super admins or services admins can transfer ownership of users' Drive files using the Admin console. Admins also need the Drive Services privilege to access the Transfer ownership setting in the console. None of these actions can be limited to specific organizational units.
    Note: Only super admins can transfer file ownership when deleting a user.
  • Schema management—Super admins or services admins can create schemas to define custom fields for their domain, such as user projects, locations, or hire dates.
  • License management—Super admins can assign and manage G Suite licenses for the organization, an organizational unit, a group of users, or an individual user.
    Note: This privilege works only in the Admin console and doesn't authorize admins other than super admins to use the License Manager API.
  • Domain management—Admins can add or remove domains and set up domain aliases.

If you create a custom role, you can check the box next to the privilege to allow using the API to perform all actions on that object. Or, click individual actions (such as Create or Read) to permit only selected actions.
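
When reviewing a custom role for least privilege, the automatic grants and organizational-unit limits described on this page matter as much as the boxes that were checked. The following is an added example, not Google code: it expands a role into its effective privileges and lists the ones that apply account-wide even when the role was meant for one organizational unit. The privilege labels are this page's names written as plain strings (not Admin SDK identifiers), and the help-desk role and its OU path are constructed.

```python
# Added example, not Google code. Labels are this page's privilege names
# written as plain strings; they are not Admin SDK privilege identifiers.

# "Granting X automatically grants Y" statements taken from this page.
IMPLIES = {
    "Service Settings": [
        "Calendar: Settings", "Mobile device management: Settings",
        "Drive and Docs: Settings", "Gmail: Settings",
        "Hangouts Chat: Settings", "Directory: Settings",
    ],
    "Chrome Management: Manage User Settings": [
        "Chrome Management: Manage Application Settings"],
    "Cloud Search: Settings": [
        "Cloud Search Indexing", "Cloud Search Indexing Read Only"],
}
for obj in ("Users", "Organizational units"):
    for right in ("Create", "Update", "Delete"):
        IMPLIES[f"{obj}: {right}"] = [f"{obj}: Read"]

# Privilege areas the page says can't be limited to organizational units.
ORG_WIDE = ("Groups", "Domain Settings", "Reports", "Support",
            "Service Settings", "Data transfer")


def effective(selected):
    """Return the selected privileges plus everything granted implicitly."""
    seen, stack = set(), list(selected)
    while stack:
        priv = stack.pop()
        if priv not in seen:
            seen.add(priv)
            stack.extend(IMPLIES.get(priv, []))
    return seen


def review(selected, ou_scope=None):
    """Summarise a custom role: implicit grants and account-wide privileges."""
    eff = effective(selected)
    implicit = sorted(eff - set(selected))
    # Only relevant when the role was meant to be confined to one OU.
    org_wide = sorted(p for p in eff
                      if ou_scope and p.split(":")[0] in ORG_WIDE)
    return {"implicit": implicit, "org_wide": org_wide}


# Constructed role: a help-desk role intended for a single OU.
HELPDESK = ["Users: Update", "Groups", "Service Settings"]

if __name__ == "__main__":
    report = review(HELPDESK, ou_scope="/Branch Office")
    for kind, privs in report.items():
        print(kind, "->", privs)
```
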
