Administrator privilege definitions

When you assign an admin role to a user in the Google Admin console, you grant them administrator privileges and access to the Admin console.

The role's privileges determine the admin's controls in the Admin console, information they can access, and tasks they can perform. Admins can also perform corresponding actions in the Admin API.


Administrator privileges

* Note: Some privileges, such as Jamboard Management, are available only with certain editions of Google Workspace, hardware, or user licenses.

Settings privileges

Admin API

Granting privileges to an admin in the Admin console gives them corresponding rights in the API. For example, granting the privilege to create users in the Admin console also lets admins create users using the API. Likewise, updating Admin API rights updates corresponding privileges in the Admin console.

To grant privileges in the Admin console without allowing admins to perform actions in an API, turn off API access for your account. For details, go to Manage access to Google services: Restricted or Unrestricted.

The Admin API privilege allows the Google Workspace Admin API to perform actions on:

  • Organizational Units
  • Users
  • Groups
  • User Security Management
  • Data Transfer—Super admins or services admins can transfer ownership of users' Drive files using the Admin console. Admins also need the Drive Services privilege to access the Transfer ownership setting in the console. None of these actions can be limited to specific organizational units.
    Note: Only super admins can transfer file ownership when deleting a user.
  • Schema Management—Super admins or services admins can create schemas to define custom fields for their domain, such as user projects, locations, or hire dates.
  • License Management—Super admins can assign and manage Google Workspace licenses for the organization, an organizational unit, a group of users, or an individual user. Note: This privilege works only in the Admin console and authorizes only super admins to use the License Manager API.
  • Billing Management
  • Domain Management—Admins can add or remove domains and set up domain aliases.

If you create a custom role, you can check the box next to the privilege to allow using the API to perform all actions on that object. Or, click individual actions (such as Create or Read) to permit only selected actions.

Domain Settings
Admins with the Domain Settings privilege can:
  • Change the organization name, language, logo, and time zone.
  • Delete your Google Workspace or Cloud Identity Account.
  • View billing for your Google Workspace or Cloud Identity Account.
  • Add and remove domains and domain aliases.
  • Map a custom URL to a site in Google Sites.
  • Update contact information for password recovery.
  • Manage your feature release process.
  • Choose the types of email you get from Google. For details, see Choose your Google Workspace notifications preferences.

These actions can’t be limited to specific organizational units.

Groups

Admins with the Groups privilege have full control over groups created in your Admin console. This privilege also grants the corresponding Admin API privileges (above).

Administrators with this privilege can:

  • View user profiles and your organizational structure.
  • Create, manage, and delete groups in the Admin console.
  • Manage group access settings.
  • Turn on services for access groups (also requires privileges for Organizational Units and Services). For details, see Customize service settings with configuration groups.

These actions can't be limited to specific organizational units.

Tip: To let admins view the groups a user belongs to but not edit them, give them the Groups > Read API privilege.

Organizational Units

Admins with this privilege can manage your account's organizational structure from the Users page in their Admin console. This privilege also grants the corresponding Admin API privileges (above).

Organizational Units privileges:

  • Read
  • Create
  • Update
  • Delete

The Create, Update, and Delete privileges each automatically grant the Read privilege.

You can allow admins to perform actions on all users in your account or only on users in specific organizational units. For details, go to Assign specific admin roles.

Reports

Admins have access to usage reports and audit logs. For details, go to Reporting overview.

Admins with the Reports privilege can:

  • View graphs showing service use.
  • Track user activities such as document edits.
  • Track changes made by other admins in the Admin console.

These actions can’t be limited to specific organizational units.

Security

User Security Management

Note: Only super admins can see another admin's security settings.

Admins can manage security settings for individual users. They can manage only users who don't have admin privileges. This privilege also grants the corresponding Admin API privileges (above).

On a person's Users page, admins with the User Security Management privilege can:

  • Disable 2-Step Verification. Only super administrators can enforce 2-Step Verification for the entire organization.
  • Disable the sign-in challenge for 10 minutes.
  • Review and revoke security keys.
  • Review and revoke app passwords.
  • Reset sign-in cookies (not for reseller admins).
  • Review and revoke any 3-legged OAuth tokens the user granted to third-party apps.

All of these actions can be limited to specific organizational units, except enforcing or disabling 2-Step Verification.

Security Settings

  • Allow less secure apps to access accounts
  • Monitor user passwords
  • Set up single sign-on (SSO) and authentication

Allowing less secure apps to access accounts is the only action that can be limited to specific organizational units.

Support

Admins with the Support privilege can use phone, chat, and email options to contact Google Workspace support. They can also file cases in the Google Customer Care Portal.

The ability to contact Google Workspace support can't be limited to specific organizational units.

Users

Admins with the Users privilege can perform actions on users. Only super admins can change another admin's settings. This privilege also grants the corresponding Admin API privileges (above).

  • Create
  • Read
  • Update
    • Move users
      Note: Only super admins can use the Transfer tool to transfer unmanaged user accounts to Google Workspace managed user accounts.
    • Suspend users
    • Rename users
    • Reset password
    • Force password change
    • Add/remove aliases
  • Delete

The Create privilege automatically grants Read and Update privileges. Update or Delete privileges automatically grant Read privilege.

You can let admins perform actions on all users in your account or only users in specific organizational units. For details, go to Make a user an admin.

Tip: To let admins view a user's groups but not edit them, give them the API privilege by clicking Groups > Read API privilege.
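
The automatic grants described for Users and Organizational Units, and the privileges this page says can't be limited to specific organizational units, can be checked before a custom role is assigned. The following is an added example, not Google's code: the (object, action) model, the function names, the help-desk role, and the /Sales organizational unit are all assumptions made for illustration.

```python
# Added example: a least-privilege review of a custom role, using the rules on this page.
# Privileges are modelled as (object, action) pairs; "All" marks an undivided privilege.

# Automatic grants stated on this page for Users and Organizational Units.
IMPLIES = {
    ("Users", "Create"): {("Users", "Read"), ("Users", "Update")},
    ("Users", "Update"): {("Users", "Read")},
    ("Users", "Delete"): {("Users", "Read")},
    ("Organizational Units", "Create"): {("Organizational Units", "Read")},
    ("Organizational Units", "Update"): {("Organizational Units", "Read")},
    ("Organizational Units", "Delete"): {("Organizational Units", "Read")},
}

# Privileges this page says cannot be limited to specific organizational units.
NOT_OU_SCOPABLE = {"Domain Settings", "Groups", "Reports", "Support",
                   "Data Transfer", "Calendar"}


def effective_privileges(selected):
    """Return the selected privileges plus everything they grant automatically."""
    result = set(selected)
    pending = list(selected)
    while pending:
        for implied in IMPLIES.get(pending.pop(), ()):
            if implied not in result:
                result.add(implied)
                pending.append(implied)
    return result


def review_assignment(selected, ou_scope=None):
    """List what a reviewer should know before approving a role assignment."""
    effective = effective_privileges(selected)
    findings = [f"implicit: {obj}/{action}"
                for obj, action in sorted(effective - set(selected))]
    if ou_scope is not None:
        # An OU-scoped assignment does not narrow these privileges.
        for obj in sorted({obj for obj, _ in effective} & NOT_OU_SCOPABLE):
            findings.append(f"account-wide: {obj} ignores OU scope {ou_scope}")
    return findings


# Constructed sample: a help-desk role meant for one organizational unit.
HELPDESK_ROLE = {("Users", "Create"), ("Reports", "All")}

if __name__ == "__main__":
    for line in review_assignment(HELPDESK_ROLE, ou_scope="/Sales"):
        print(line)
```

Each "implicit" finding is a privilege the role holder gets without it being selected; each "account-wide" finding is a privilege that applies to the whole account even when the role is assigned for one organizational unit.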

Services privileges

Service Settings

The Service Settings privilege does not automatically grant privileges to some services and settings, for example, Google Vault or Data Security.

Admins with the Service Settings privilege can turn services on or off and change service settings. This applies to certain products you've added to your account (Google Workspace services, such as Calendar and Drive), Marketplace apps, and free Google services, such as YouTube and Blogger.

Alert Center

This privilege is automatically selected with the Service Settings privilege.

For a description of privileges and recommendations for creating roles, go to Grant access to the alert center.

Calendar

This privilege is automatically selected with the Service Settings privilege.

Admins with the Calendar privilege can create, edit, and delete resources. They can't modify the sharing settings of Google Calendar resources.

Calendar management rights:

  • All Settings—Admins can access and manage sharing settings, resources, the Room Insights Dashboard, and general settings.
  • Buildings and Resources—Admins can create, edit, and delete calendar resources and access the Room Insights Dashboard.
  • Room Insights—Admins can view, set filters, and adjust the date range on the Room Insights Dashboard.
  • Manage—Allows the admin to create, edit, and delete Calendar resources, buildings, and resource features.

Note: Admins can’t limit these actions to specific organizational units.

Chrome Management

This privilege is not automatically selected with the Service Settings privilege.

Admins can manage your organization’s Chrome devices and policies, including:

  • User settings
  • Device settings
  • Chrome and Managed Google Play apps and extensions on Chrome devices

For more information, go to Delegate administrator roles in Chrome.

Cloud Search

This privilege is automatically selected with the Service Settings privilege.

Admins with the Cloud Search privilege can:

  • Grant user access to Google Cloud Search.
  • Turn the service on or off.
  • View reports on how the organization uses Cloud Search, including the number of search queries from different types of devices and the number of active users.
  • Manage settings for third-party repositories, such as settings for data sources, identity sources, and search applications. Admins also have read or write access for indexing.

Learn about creating a Cloud Search administrator role for a developer.

Contacts

This privilege is automatically selected with the Service Settings privilege.

Contact delegates are users that have permission to access and manage contacts for another user. Admins with the Contacts privilege can view, create, or delete delegates for a given user using the Contact Delegation API:

  • Delegates Read - Admins can use the API to list delegates for a specific user. Equivalent to the OAuth scope https://www.googleapis.com/auth/admin.contact.delegation.readonly.
  • Delegates Write - Admins can use the API to create or delete delegates for a specific user. Equivalent to the OAuth scope https://www.googleapis.com/auth/admin.contact.delegation.

Currents

Only the Settings privilege is automatically selected with the Service Settings privilege.

Admin privileges for Currents:

  • Settings—Manage settings for Currents
  • Batch-add user groups to communities—Admins can add users directly to Currents communities.
  • Access tools to manage streams, tags, and leaders—Moderate content on Currents.

Data loss prevention (DLP)

Only the View DLP rule privilege is automatically selected with the Service Settings privilege.

DLP privileges:

  • View DLP rule—Admins can view but not modify or create DLP rules.
  • Manage DLP rule—Admins can view, modify, and create DLP rules.

You must enable both of these privileges to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges.

Data Security

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege can manage the organization's context-aware access policies. Admins can control the apps a user can access based on their context, such as their location or whether their device complies with your organization's policies.

Data Security management rights:

  • Access level management—Admins can create access levels.
  • Rule management—Admins can turn context-aware access on or off and assign access levels to apps.

Directory settings

This privilege is automatically selected with the Service Settings privilege.

Admins can manage settings and control Directory profile changes to let users make changes to their profile, including their name, photo, gender, and birthday.

Drive & Docs

This privilege is automatically selected with the Service Settings privilege.

Google Drive and Docs management rights:

  • Settings—Admins can manage all settings for your organization's Drive and Docs services. You need this privilege and the Data Transfer privilege to transfer ownership of Drive files. For details, go to Transfer Drive files to a new owner.
  • Docs Templates—Admins can remove and categorize templates in the Docs, Sheets, Slides, and Forms template galleries and in the Drive and Docs section of the Admin console. When template submission is set to Moderated in the Admin Console, admins can accept or reject template submissions. When submission is set to Restricted, admins can add templates to the gallery. For details, go to Create custom Drive templates.
  • Move any file or folder into shared drives—Admins can move files and folders into shared drives in your organization.
  • Manage Metadata Categories—Admins can create custom metadata categories for Drive files and folders. Drive metadata is currently in Beta, and the Help is not yet available in all languages. For details, go to Manage Drive metadata (beta).
  • View details of new Google Sites—Admins can identify the owner of a site, see the date the site was last published, and request edit access to the site.
  • Manage Classic Google Sites—Admins can use the Classic Sites Manager to view, manage, and migrate all of your organization's Classic Google Sites.

Gmail

Only the Settings privilege is automatically selected with the Service Settings privilege.

Gmail management rights:

  • Settings—Manage all Gmail settings for your organization.
  • Email Log Search—Search the log, troubleshoot delivery, and investigate security issues associated with emails.
  • Access Admin Quarantine—Access and manage emails in all quarantines, including the default quarantine.
  • Access restricted quarantines—Access and manage emails only in quarantines associated with groups the admin belongs to.

Google Chat and classic Hangouts

This privilege is automatically selected with the Service Settings privilege.

Admins can read and modify settings for Google Chat, such as saving conversations and allowing conversations with people outside of your organization.

Google Cloud Print

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege can set up and manage Google Cloud Print services for their organization, including printing from:

  • Chrome devices and Chrome Browser on Windows, Mac, and Linux computers
  • The mobile version of Google Workspace services, such as Gmail
  • Third-party native mobile apps

For details, go to Print from Chrome.

Google Data Studio

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can manage Google Data Studio settings, including viewing, sharing, and customizing dashboards and reports. Learn more about Data Studio.

Google Hangouts

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can:

Google Meet

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can:

Google Meet hardware

This privilege is not available unless your account has at least one Google Meet hardware license or enrolled device.

Admins can create user roles and assign privileges to specific Google Meet hardware devices with or without Calendar privileges.

Users with the Chrome devices for meetings with Calendar privilege have full access to users' calendars. They can:

  • Read existing calendar events and write new events.

    Note: Users with this privilege can’t edit events previously created.

  • Manage permissions of all calendars (primary, secondary, and resource) in the organization.
  • Delete any calendars in the organization.

After you assign this privilege to a user, it can take up to 24 hours for the Calendar privileges to be available.

Google Vault

This privilege is not automatically selected with the Service Settings privilege.

Admins can view all matters and manage matters, holds, searches, exports, retention policies, and audits. For details, go to Understand and grant Vault privileges.

Groups for Business

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can read and modify settings for Groups for Business, including:

  • Who can create groups.
  • Whether people outside your organization can view, search for, and post to your groups.
  • Default values for who can view conversations in groups.

Jamboard Management

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can perform tasks such as viewing and editing Jamboard settings and setting up devices.

Managed Google Play

This privilege is not automatically selected with the Service Settings privilege.

This privilege is also listed as "Google Managed Play". Admins with this privilege can:

  • Distribute Android apps internally to users.
  • Upload private apps to the Google Play store.
  • Use Android app packages (APKs) hosted outside of Google Play.

Mobile Device Management

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege have full control over devices listed in your Admin console, and can:

  • Manage device settings and policies.
  • Perform all management operations, such as approve, block, delete, and wipe devices.
  • Publish and manage mobile apps.

Password Vault

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege can set up and manage password vaulted apps.

Secure LDAP

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege can manage the Secure LDAP service and add or delete LDAP clients.

Security Center

The privilege "full administrative rights for Security Center" is automatically selected with the Service Settings privilege.

Admins with this privilege have access to advanced security information and analytics and added visibility and control into security issues affecting their organization.

Super admins have automatic access to all security center features, including the security dashboard, the security health page, and the investigation tool. You can give admins access to a specific security center feature (for example, just the security dashboard) by granting them the administrative privileges needed to access the feature.

Shared device settings

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege can manage all common device configurations. They can set up Virtual Private Network (VPN), Wi-Fi, and Ethernet networks for mobile, Chrome, and Chromebox for meetings devices.

Sites

This privilege is automatically selected with the Service Settings privilege.

Admins can read and modify settings for Sites, such as whether users can create and edit sites, and whether sites can be shared outside your organization.

Note: Check additional privileges for Google Sites and Classic Google Sites in the Drive and Docs privilege.

Work Insights

This privilege is not automatically selected with the Service Settings privilege.

Admins can access data on the Work Insights dashboard. Data is available only for teams that have Work Insights turned on.

You can let users view data for all available teams or just specific teams, including organizational units, authorized groups, or teams in a manager's reporting line.

YouTube

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can:

  • Restrict the YouTube videos that are viewable within your organization.
  • Set different YouTube access levels (strict, moderate, unrestricted) for different organizational units.

For details, see Manage your organization's YouTube settings.
