Prebuilt administrator roles

The easiest way to give administrator privileges to another user is to assign prebuilt administrator roles. Each role grants one or more privileges that together allow you to perform a common business function. For example, one role manages user accounts, another role manages groups, another role manages calendars and resources, and so on. Assign multiple roles to grant all privileges in those roles.

You can also create a custom admin role to assign specific privileges to individual users.

Assign roles now Create a custom role

Here's what each role can do:


	Super admin Has access to all features in the Google Admin console and Admin API and can manage every aspect of your organization's account. Super admins also have full access to all users' calendars and event details. After you assign the super admin role to a user, it can take up to 24 hours for the calendar privileges to be available. Only super admins can... Create and assign administrator roles Manage other super and delegated admins, including changing passwords Transfer ownership of files during the user deletion process Accept the Terms of Service for a product Invite unmanaged user accounts to become Google Workspace managed user accounts Restore deleted users Allow users to turn on 2-Step Verification Install Google Workspace Marketplace apps Manage Google Calendar resource access-level controls Use the data migration service Grant domain-wide delegation and manage API client access Set up Google as a SAML identity provider and add or modify SAML apps At least one user in your account needs to be a super administrator, but we recommend having at least two. That way, if one of you forgets your password, the other can reset it for you. You can also allow super admins to reset their own passwords. For details, go to Reset your administrator password. One of your super admins receives billing and other important account notifications from Google. This admin is known as your primary administrator. For details, go to Send billing and account notifications to another admin.

	Groups Admin Has full control over Google Groups' tasks in your Admin console. This administrator can perform the following tasks both from the Admin console and using the Admin API: View user profiles and your organizational structure Create new groups in the Admin console Manage members of groups created in the Admin console Manage group access settings Delete groups using the Admin console View organizational units The Groups admin also has the privilege to add a security label to a group. The admin can perform this task either in the Admin console or using the Admin API. This feature is currently in beta. You can give administrative privileges to users by using the following 2 admin roles. Users with these roles can work in the Admin console and use the Admin API: Groups Reader—Can read Groups information, but can’t change or update it. Groups Editor—Has the permissions of a Groups admin, except for the privilege required to add or remove a security label on a groups resource. (Beta) If your organization has security groups, you can give users who have the Groups Reader or the Groups Editor role the privileges either to all your groups, only to security groups, or only to non-security groups.

	User Management Admin Can perform all actions on users who aren't administrators. This administrator can perform the following tasks both from the Admin console and using the Admin API: View user profiles and your organizational structure View organizational units Create and delete user accounts * Rename users and change passwords * Manage a user's individual security settings * Perform these other user management tasks * * Applies only to users who aren't administrators. A User Management Admin can't assign administrator privileges, reset an administrator's password, or make other changes to an administrator account. Only a super administrator can perform those tasks. When you assign a user to the User Management Admin role, you can limit their privileges to specific organizational units.

	Help Desk Admin This administrator can do the following: Reset passwords for users who aren't administrators, both in the Admin console and using the Admin API. View user profiles and your organizational structure View organizational units When you assign the Help Desk Admin role to a user, you can limit their privileges to specific organizational units.

	Services Admin Can manage certain service settings and devices in the Admin console, including Google Calendar, Drive, and Docs. This administrator can do the following: Turn services on or off * Change service settings and permissions * Create, edit, and delete Calendar resources Manage Chrome and mobile devices listed in the Admin console Manage settings for Google Takeout Manage Google AppSheet settings, including governance policies and team management. For details, go to Assign AppSheet admin privileges to Workspace admins. Manage classification labels and default classification rules View organizational units Use the alert center (full access) * Applies only to Google Workspace Marketplace apps, Google services, such as Blogger, and certain products added to your account (Google Workspace services, Google Voice, and so on). Some products and services, such as Google Vault and Google Cloud Print, can’t be managed by the Services Admin role.

	Mobile Admin Can manage mobile devices and endpoints using Google endpoint management. This administrator can do the following: Provision and approve devices Manage apps Block or wipe devices and accounts Set device policies See groups and users in the domain This role is available only to customers who signed up for Google Workspace after February 2018. If you joined before this date, you can create a custom role with the same access. For details, go to Create, edit, and delete custom admin roles.

	Storage Admin Can use the Storage settings in the Admin console. This administrator can do the following: View their organization's storage use View the users and shared drives that use the most storage Set storage limits Open the Accounts report, the directory of users, and the list of shared drives This role also grants full access to Reports and Drive settings.

	Google Voice Admin Can manage all Google Voice settings and provisioning. This administrator can do the following: Add locations Assign numbers to users Port numbers Change service addresses Set up desk phones Set up an auto attendant Manage user licenses

	Directory Sync Admin Can manage the sync process using Directory Sync. This administrator can do the following: Set up and run a sync using Directory Sync Update sync settings

	Reseller Admin & Indirect Reseller Admin You can assign the Reseller Admin role to a Google Workspace authorized reseller or distributor. Reseller Admins can access all of the features and permissions included with the Manage Reseller Tools privilege, including: Place orders for Google Workspace and other services that use the Admin console. Add, view, edit, and transfer resold customers. Access settings in the Partner Sales Console to view and edit support information. View billing invoices and change payment methods. Access and manage a customer’s Google Admin console, Google Workspace Admin SDK, and support cases (also requires the View Customers privilege). You can assign the Indirect Reseller Admin role to a reseller working with a Google Workspace authorized distributor. Indirect Reseller Admins can add, view, edit, and transfer resold customers. For details on assigning the roles, go to Assign Google Workspace reseller admin privileges.