Search
Clear search
Close search
Google apps
Main menu

Administrator privilege definitions

Below are the privileges that can be associated with administrator roles in the Google Admin console. Assigning a role to a user grants them access to the Admin console. The role's privileges determine which dashboard controls they see, what information they can access, and which tasks they can perform. They can also perform corresponding actions in the Admin API. See below for details.

Create a custom role Assign roles now

Dashboard controls Administrator privilege

Organization units

Administrators with these privileges can manage your account's organizational structure. Check Create, Read, Update, or Delete boxes to grant specific rights, as described below. The administrator can then perform these tasks from the Users page in their Admin console. Note that granting rights here also grants corresponding Admin API rights.

Action Create Read Update Delete Apply to Organization Units
View organization list X X X X  
Add an organization X        
Move organizations     X    
Delete organizations       X  

When assigning a role that includes any of these rights, you can allow the administrator to perform actions on all users in your account, or only on users in specific organizational units. Learn more

Users

Administrators with these privileges can perform actions on users who aren't administrators. Check Create, Read, Update, or Delete boxes to grant specific rights, as described below. Note that granting rights here also grants corresponding Admin API rights.

View User management rights
Action Create Read Update Delete Apply to Organization Units
View user list X X X X  
Create a user * X        
Rename users ** X   X    
Move users ** X   X X  
Reset password ** X   X    
Force password change ** X   X    
Add/remove alias ** X   X    
Suspend users ** X   X    
Delete users       X  
View user profile X X X X  
View enabled services X X X X  
View groups X X X X  
View licenses          
View security settings          
View admin roles X X X X  
View devices          

* Doesn't include the ability to add several users at once, either by uploading a CSV file or inviting users.

** Privilege to perform each of these tasks can also be granted individually. This lets the administrator view general information about the user as well as perform the specific task.

When assigning a role that includes any of these rights, you can allow the administrator to perform actions on all users in your account, or only on users in specific organizational units. Learn more

Only super administrators can change another administrator's settings.

Groups

Grants full control over Google Groups created in your Admin console. Administrators with this privilege can:

  • View user profiles and your organizational structure
  • Create new groups in the Admin console
  • Manage members of groups created in the console
  • Manage group access settings
  • Delete groups from the console

Note that granting Group management rights here also grants corresponding Admin API rights. None of these actions can be limited to specific organizational units.

Domain settings

Administrators with this privilege can perform account-wide tasks including:

  • Change the organization name, language, logo, and time-zone
  • View billing for your Google Cloud account
  • Add and remove domains and domain aliases
  • Update contact information for password recovery
  • Delete your Google Cloud account
  • Manage your feature release process
  • Choose communications preferences

None of these actions can be limited to specific organizational units.

Reports

Grants access to usage reports and audit logs. Administrators with this privilege can:

  • View graphs showing service use
  • Track user activities such as document edits
  • Track changes made by other administrators in the Admin console

Note: Only super administrators have access to email log search. None of these actions can be limited to specific organizational units.

 

Security > User Security Management

Administrators with this privilege can manage security settings for individual users. On a person's Users page, this administrator can:

  • Enforce or disable 2-step verification for that person (only super administrators)
  • Monitor their password strength
  • Disable the user's Login Challenge for 10 minutes
  • Review and revoke the users' security keys  

    This feature is available with G Suite Business, Education, and Enterprise editions. Compare editions

  • Review and revoke any app passwords
  • Review and revoke any 3-legged OAuth tokens they've granted to third-party apps

This privilege allows managing users who aren't administrators. Only super administrators can access another administrator's security settings. All of these actions can be limited to specific organizational units except enforcing or disabling 2-step verification.

Note that granting User Security Management rights here also grants corresponding Admin API rights.

Security > Security Settings

Administrators with this privilege can manage settings on the Security page that apply for all your users. For example, this administrator can allow less secure apps to access accounts, monitor user passwords, set up Single-Sign-On (SSO) and authentication, and more. None of these actions can be limited to specific organizational units except allowing less secure apps to access accounts.

Support

Administrators with this privilege can use phone and email options to contact Google Cloud support. Administrators can request technical support for any issue, including tasks that aren't performed in the Google Admin console. None of these actions can be limited to specific organizational units.

Note: Super administrators can also use chat to contact support.

Services

Grants full control over services and devices in your account. Administrators with this privilege can:

  • Turn services On or Off *
  • Change service settings and permissions *
  • Create custom service addresses
  • Manage Chrome and mobile devices listed in your console

* Applies for products you've added to your account (G Suite services like Gmail, Calendar, Drive, and so on), Marketplace apps, and free Google services like Google+ and Blogger.

Chrome devices, only

Chrome

Allows managing settings for enrolled Chrome devices. Check boxes to grant full control or allow performing only specific tasks. When assigning a Chrome management role, you can allow the administrator to perform certain actions only on users in specific organizational units. For details, see Delegate administrator roles in Chrome.

This privilege is automatically selected by the Services privilege.

Chrome devices for meetings, only

Chrome devices for meetings

Allows users with super administrator rights to create user roles and assign privileges specific to Chrome devices for meetings.

Note: Selecting the "Chrome devices for meetings with Calendar" setting will grant admins the same privileges in Calendar as super admins. They will be allowed to read/write events and manage permissions of all calendars (primary, secondary and resource) in the domain. This privilege extends to the deletion of all calendars.

Gmail service, only

Gmail

Allows managing all settings for your organization's Gmail service.

This privilege is automatically selected by the Services privilege.

Drive and Docs

Drive and Docs

Allows managing all settings for your organization's Google Drive service, including associated services such as Docs, Sheets, Slides, and Forms.

This privilege is automatically selected by the Services privilege.

Note: To transfer ownership of Drive files, an administrator needs both the Drive Services privilege and the Data Transfer privilege (Admin API Privileges > Data Transfer).

 Docs Templates

Docs Templates

Allows users to remove and re-categorize templates in the Docs, Sheets, Slides and Forms organization-specific template galleries. 

When template submission is set to Moderated in the Admin Console, this privilege allows users to accept or reject template submissions. When submission is set to Restricted, this privilege allows users to add templates to the gallery. 

Note: This privilege also allows users to manage categories and template settings in the “Drive and Docs” section of the Admin console.

Calendar Calendar

Calendar

Allows managing all settings for your organization’s Google Calendar service, including the Google Calendar resources section

This privilege is automatically selected by the Services privilege.

Calendar Calendar resources

Calendar resources

Allows managing (Create/Edit/Delete) of all calendar resources from the admin console.

You can select this privilege independently of its parent Calendar privilege. Calendar resources is recommended for facility administrator roles.

Mobile devices, only

Mobile

Allows full control over mobile devices listed in your Admin console. Administrators with this privilege can manage mobile settings and device policy, and perform all mobile device management operations, such as activate, block, delete, wipe, and so forth.

This privilege is automatically selected by the Services privilege.

Shared Device Settings > Setup Networks

Administrators with this privilege can set up Virtual Private Network (VPN), Wi-Fi, and Ethernet networks for mobile, Chrome, and Chromebox for meetings devices. Each of these actions can be limited to specific organizational units.

Admin API

Allows using the G Suite Admin API to perform actions on Google Groups, organizational units, user accounts, and user security settings. For each of these objects, you can check a box to allow using the API to perform all actions on that object. Or click individual actions (Create, Read, and so on) to permit only selected actions.

The Data Transfer privilege allows an administrator to transfer ownership of users' Drive files using the Admin console. The administrator also needs the Drive Services privilege, in order to access the Transfer ownership setting in the console. None of these actions can be limited to specific organizational units.

Note: Only super administrators can transfer file ownership when deleting a user.

API and Admin console rights are linked: Granting any Organization, User, Groups, or User Security rights in the Admin console gives the administrator corresponding rights in the API. For example, granting the right to create users in the Admin console also lets the administrator create users via the API. Likewise, updating Admin API rights updates corresponding rights in the Admin console.

To grant rights in the Admin console without allowing administrators to perform actions via the API, disable API access for your account.

Was this article helpful?
How can we improve it?
Sign in to your account

Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.