Administrator privilege definitions

Creating a new administrator role or assigning a role to a user in the Google Admin console grants privileges to that user. Assigning a role to a user grants them access to the Admin console. The role's privileges determine what controls they see on the Home page, what information they can access, and which tasks they can perform. They can also perform corresponding actions in the Admin API. See below for details.


Admin console privileges

Administrator privilege Description

Organizational units

Administrators with these privileges can manage your account's organizational structure. 
 

Check Create, Read, Update, or Delete boxes to grant specific rights to allow the administrator to perform these tasks from the Users page in their Admin console. 

  • Create
  • Update 
  • Delete
  • Read 

Granting Create, Update, or Delete privileges automatically grants the Read privilege. Granting rights here also grants corresponding Admin API rights.

You can allow the administrator to perform actions on all users in your account, or only on users in specific organizational units.

Users

Administrators with these privileges can perform actions on users who aren't administrators. Check the Create, Read, Update, or Delete boxes to grant specific rights. Note that granting rights here also grants corresponding Admin API rights.

User management rights

  • Create
  • Read
  • Update
    • Rename 
    • Move
    • Reset password
    • Force password change
    • Add/Remove aliases
    • Suspend users
  • Delete

You can grant each of these privileges individually. Granting Create, Update, or Delete privileges automatically grants the Read privilege. 

You can allow the administrator to perform actions on all users in your account or only those in specific organizational units.

Note: Only super administrators can change another administrator's settings. 
 

Tip: To let an admin view a user’s groups but not edit them, give the admin the Groups > Read API privilege.

Security

 User security management

Administrators with this privilege can manage security settings for individual users. This privilege allows them to manage only users who have no administrator privileges.

On a person's Users page, the administrator can:

  • Enforce or disable 2-Step Verification (only super administrators)
  • Disable the user's login challenge for 10 minutes
  • Review and revoke user security keys  
  • Review and revoke app passwords
  • Reset sign-in cookies
  • Review and revoke any 3-legged OAuth tokens the user grants to third-party apps

If you’re signed in as a Delegated Reseller administrator, you won’t see the reset sign-in cookies option.

Note: Only super administrators can see another administrator's security settings. All of these actions can be limited to specific organizational units except enforcing or disabling 2-Step Verification.

Granting rights here also grants corresponding Admin API rights.

Security settings

Administrators with this privilege can manage settings on the Security page that apply to all your users. For example, this administrator can allow less secure apps to access accounts, monitor user passwords, set up single sign-on (SSO) and authentication, and more.

None of these actions can be limited to specific organizational units except allowing less secure apps to access accounts.

Groups

Grants full control over any groups created in your Admin console. 

Administrators with this privilege can:

  • View user profiles and your organizational structure
  • Create, manage, and delete groups in the Admin console
  • Manage group access settings

Granting Group management rights here also grants corresponding Admin API rights.

These actions can’t be limited to specific organizational units.

Domain settings

Administrators with this privilege can:

  • Change the organization name, language, logo, and time zone
  • View billing for your Google Cloud account
  • Add and remove domains and domain aliases
  • Update contact information for password recovery
  • Delete your Google Cloud account
  • Manage your feature release process
  • Choose communications preferences

These actions can’t be limited to specific organizational units.

Reports

Grants access to usage reports and audit logs. Administrators with this privilege can:
  • View graphs showing service use
  • Track user activities such as document edits
  • Track changes made by other administrators in the Admin console

These actions can’t be limited to specific organizational units. 

Support

Administrators with this privilege can use phone, chat, and email options to contact Google Cloud Support. All super administrators can contact support.

Administrators can request technical support for any issue, including tasks that aren't performed in the Google Admin console. 

These actions can’t be limited to specific organizational units.

Services > Service Settings

 Service Settings

Lets you manage certain individual service settings and devices in your account. Administrators with this privilege can:

  • Turn services on or off and change service settings and permissions — Applies for certain products you've added to your account (G Suite services, such as Gmail, Calendar, Drive, and so on), Marketplace apps, and free Google services like Google+ and Blogger.  Some products and services, such as Google Vault and Google Cloud Print, do not support the Service Settings privilege.
  • Create custom service web addresses
  • Manage Chrome and mobile devices listed in the Admin console

When you check the Service Settings box, this automatically selects the Settings privilege for Calendar, Mobile Device Management, Drive, Docs, Gmail, Hangouts Chat, and Directory.

These actions can’t be limited to specific organizational units.

Services > Calendar

  • Settings—Allows managing all settings for your organization’s Google Calendar service, so you can create buildings and resources, and get access to the Room Insights Dashboard.
  • Buildings and Resources—Allows the admin to create, edit, and delete calendar resources, and access the Room Insights Dashboard. You can select this privilege independently of its parent Settings privilege.
  • Room insights—Allows the admin to view, set filters, and adjust the date range on the Room Insights Dashboard. You can select this privilege independently of its parent Buildings and Resources privilege.

This privilege is automatically selected by the Service Settings privilege. 

Note: Administrators with this privilege can only create, edit, and delete resources. They can’t modify the sharing settings of Calendar resources.  

Services > Mobile device management 

Allows full control over mobile devices listed in your Admin console. Administrators with this privilege can manage mobile settings, device policies, and perform all management operations, such as activate, block, delete, wipe, and so on.

This privilege is automatically selected by the Service Settings privilege.

Services > Drive and Docs

  • Settings—Allows managing all settings for your organization's Google Drive service, including associated services, such as Docs, Sheets, Slides, and Forms.

    This privilege is automatically selected by the Service Settings privilege. You need this privilege and the Data Transfer privilege to transfer ownership of Drive files.
  • Docs templates—Allows users to remove and re-categorize templates in the Docs, Sheets, Slides and Forms organization-specific template galleries. Admins can also manage template settings in the Drive and Docs section of the Admin console.

    When template submission is set to Moderated in the Admin console, this privilege allows users to accept or reject template submissions. When submission is set to Restricted, this privilege allows users to add templates to the gallery. For details, see Manage the custom template gallery.

    This privilege also allows users to manage categories and template settings in the Drive and Docs section of the Admin console.
  • Move any file or folder into Team Drives—This setting allows the admin to move files and folders into Team Drives. Team Drives is available in the G Suite Enterprise, Business, and Education editions. 
  • View details of New Google Sites—Allows admins to identify the owner of a site, see the date the site was last published, and request edit access to the site. 

Services > Gmail

Allows admins to access and manage Gmail services.   

  • Settings—Manage all Gmail settings for your organization
  • Email Log Search—Search the log, troubleshoot delivery, and investigate security issues associated with emails
  • Access Admin Quarantine—Access and manage emails in all quarantines, including the default quarantine
  • Access restricted quarantines—Access and manage emails only in quarantines associated with groups the admin belongs to

Note: Only the Settings box is automatically checked by the Service Settings privilege.

Services > Google Managed Play 

This setting allows the admin to manage Google Play store settings. They can distribute Android apps internally to users. They can also upload private apps to the Google Play store and use Android app packages (APKs) hosted outside of Google Play.

Services > Hangouts Chat

Allows admins to read and modify settings for Chat, such as saving conversations and allowing conversations with people outside of your organization.

This privilege is automatically selected by the Service Settings privilege. 

Services > Google Chrome Management 

Allows admins to manage the organization’s Chrome Browser policies, including access to edit settings for users, Chrome applications and extensions, and Managed Google Play (for Chrome devices only) within organizational units they have privileges for. 
 
Granting access to Manage User Settings automatically grants privileges to Manage Application Settings.
 
Note: This privilege is not automatically selected by the Service Settings privilege.

Services > Google meeting room hardware

Admins can create user roles and assign privileges to specific Chrome devices for meetings with or without Calendar privileges. 

Users with the Chrome devices for meetings with Calendar privilege have full access to users' calendars. They can read or write events, manage permissions of all calendars (primary, secondary, and resource) in the domain, and delete any calendars in the domain. After you assign this privilege to a user, it can take up to 24 hours for the Calendar privileges to be available.

Services > Google Hangouts

Admin quality dashboard access

Allows the Services Admin to access the meeting-quality dashboard for your organization.

Services > Jamboard Management

Admins with this privilege can view and edit Jamboard settings, set up devices, and more.

Services > Directory

Allows the admin to manage settings and control directory profile changes to let users make changes to their profile, including their name, photo, gender, and birthday. 
 
This privilege is automatically selected by the Service Settings privilege. 

Services > Cloud search

Allows the admin to grant user access to Google Cloud Search, turn the service on or off, and view reports on how the organization uses Cloud Search, including the number of search queries from different types of devices and the number of active users. 

Note: This privilege is not automatically selected by the Service Settings privilege.

Services > Google Cloud Print

Allows the admin to set up and manage Google Cloud Print services for their organization, including printing from Chrome devices and Chrome Browser on Windows/Mac/Linux computers, the mobile version of G Suite services (such as Gmail), and third-party native mobile apps. Learn more about Google Cloud Print 

Note: This privilege is not automatically selected by the Service Settings privilege.

Services > Shared device settings 

Admins with this privilege can manage all common device configurations and set up Virtual Private Network (VPN), Wi-Fi, and Ethernet networks for mobile, Chrome, and Chromebox for meetings devices. 

Note: This privilege is not automatically selected by the Service Settings privilege.

Services > Chrome OS

Available if you have Chrome Enterprise or Chrome Education licenses.
 
Allows admins to manage your organization’s Chrome devices and policies, including giving admins access to edit user settings, device settings, and Chrome and Managed Google Play apps and extensions on Chrome devices within organizational units they have privileges for. 
 
Granting access to Settings automatically grants privileges to Manage Devices, Manage Device Settings, Manage User Settings, and Manage Application Settings. 
 
Granting access to Manage User Settings automatically grants privileges to Manage Application Settings. 
 
For more details, see Delegate administrator roles in Chrome.

This privilege is automatically selected by the Service Settings privilege. 

Services > Google Vault

Allows the admin to grant privileges to other admins to view all matters and manage matters, holds, searches, exports, retention policies, and audits.  

Learn more about Vault privileges.

Note: This privilege is not automatically selected by the Service Settings privilege. 

 

Admin API privileges

API and Admin console rights are linked—Granting any organization, user, groups, or user-security rights in the Admin console gives the administrator corresponding rights in the API. For example, granting the right to create users in the Admin console also lets the administrator create users using the API. Likewise, updating Admin API rights updates corresponding rights in the Admin console.

To grant rights in the Admin console without allowing administrators to perform actions in an API, disable API access for your account.

APIs  Description

Admin API Privileges

Allows the G Suite Admin API to perform actions on: 

  • Organizational units
  • Users
  • Groups
  • User-security management
  • Data transfer—Allows a super or services administrator to transfer ownership of users' Drive files using the Admin console. The administrator also needs the Drive Services privilege to access the Transfer ownership setting in the console. None of these actions can be limited to specific organizational units.
    Note: Only super administrators can transfer file ownership when deleting a user.
  • Schema management—Allows a super or services administrator to create schemas to define custom fields for their domain, such as user projects, locations, or hire dates.
  • Domain management—Admins can add or remove domains and set up domain aliases.

For each of these objects, if you create a custom role, you can check the box next to the privilege to allow using the API to perform all actions on that object. Or click individual actions (Create, Read, and so on) to permit only selected actions.
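The automatic grants described on this page (Create, Update, or Delete implying Read; Service Settings selecting several service Settings privileges; Chrome OS Settings implying the Manage privileges) can be expanded mechanically when reviewing a custom role for least privilege. The following is an added example, not Google's code: the privilege labels are this page's wording rather than Admin API identifiers, and the sample role is constructed.

```python
# Implication rules stated on this page. Labels are this page's wording,
# not Admin API privilege identifiers (constructed for the example).
IMPLIES = {
    "Services > Service Settings": {  # list from the Service Settings entry
        "Services > Calendar > Settings",
        "Services > Mobile device management",
        "Services > Drive and Docs > Settings",
        "Services > Gmail > Settings",
        "Services > Hangouts Chat",
        "Services > Directory",
    },
    "Services > Chrome OS > Settings": {
        "Services > Chrome OS > Manage Devices",
        "Services > Chrome OS > Manage Device Settings",
        "Services > Chrome OS > Manage User Settings",
        "Services > Chrome OS > Manage Application Settings",
    },
    "Services > Chrome OS > Manage User Settings": {
        "Services > Chrome OS > Manage Application Settings"},
}
for obj in ("Organizational units", "Users"):
    for action in ("Create", "Update", "Delete"):
        IMPLIES[f"{obj} > {action}"] = {f"{obj} > Read"}

# Privileges the page says cannot be limited to organizational units.
ACCOUNT_WIDE = {"Groups", "Domain settings", "Reports", "Support",
                "Services > Service Settings"}

def effective_privileges(checked):
    """Return the checked boxes plus everything they automatically grant."""
    seen, stack = set(), list(checked)
    while stack:
        priv = stack.pop()
        if priv not in seen:
            seen.add(priv)
            stack.extend(IMPLIES.get(priv, ()))
    return seen

def review(checked):
    """Report implicitly granted and account-wide privileges in a role."""
    effective = effective_privileges(checked)
    return {
        "implicit": sorted(effective - set(checked)),
        "account_wide": sorted(effective & ACCOUNT_WIDE),
    }

# Constructed sample role: a help-desk admin meant to be scoped to one OU.
HELPDESK = ["Users > Update", "Services > Service Settings", "Reports"]
```

Running `review(HELPDESK)` shows that three checked boxes expand to ten effective privileges, two of which apply to the whole account regardless of the organizational unit chosen for the role.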
