[GA4] Access and data-restriction management

This article covers access and data-restriction management for Google Analytics 4 and Universal Analytics. In both versions of Analytics, you manage access by assigning roles. In Google Analytics 4, you manage data restrictions by choosing one or both of the data-restriction options described below. In Universal Analytics, you manage data restrictions by giving users access to different reporting views.

Google Analytics 4

You can manage access and data restrictions at the account and property levels.

To assign roles and data restrictions:

Click Admin.
Click Access Management in the Account or Property column.
Assign roles to new or existing members (e.g., users and groups). Learn more about adding and editing users.

Effective permissions are the roles and data restrictions that a member is assigned via other resources (like the organization, a user group, or an account that includes the current property) plus all the direct permissions assigned explicitly for the current resource.

Direct permissions are role and data restrictions that a member is assigned explicitly for the current resource (e.g., organization, account, property).

Five roles and two data restrictions are available:

Role	Explanation
Administrator	Full control of Analytics. Can manage users (add/delete users, assign any role or data restriction). Can grant full permissions to any user, including themselves, for any account or property for which they have this role. Includes permissions of the Editor role. (Replaces Manage Users permission.)
Editor	Full control of settings at the property level. Cannot manage users. Includes permissions of the Analyst role. (New name for Edit permission.)
Marketer	Can create, edit, and delete audiences, conversions, attribution-models, events, and lookback windows. Includes permissions of the Analyst role.
Analyst	Can create, edit, and delete certain property assets. Can collaborate on shared assets. Includes permissions of the Viewer role. (New name for Collaborate permission.) Property assets include things like Explorations.
Viewer	Can see settings and data; can change which data appears in reports (e.g., add comparisons, add a secondary dimension); can see shared assets via the user interface or the APIs. Cannot collaborate on shared assets. For example, shared explorations can be viewed, but not edited, by those with a Viewer role. (New name for Read & Analyze permission.)
None	The user has no role for this resource. The user may have a role for another resource.

Data restriction	Explanation
No Cost Metrics	Cannot see metrics related to cost. Cost metrics are unavailable in reports, explorations, audiences, insights, and alerts. See below for more information.
No Revenue Metrics	Cannot see metrics related to revenue. Revenue metrics are unavailable in reports, explorations, audiences, insights, and alerts. See below for more information.

Data restriction

Explanation

No Cost Metrics

Cannot see metrics related to cost.

Cost metrics are unavailable in reports, explorations, audiences, insights, and alerts. See below for more information.

No Revenue Metrics

Cannot see metrics related to revenue.

Revenue metrics are unavailable in reports, explorations, audiences, insights, and alerts. See below for more information.

Cost and revenue metrics

In addition to the metrics listed in the following sections, cost and revenue metrics include any custom metric that is identified as a cost or revenue metric and any metric derived from a cost or revenue metric.

These lists will be updated if Analytics adds additional cost or revenue metrics.

Cost metrics

Google Ads cost

Google Ads cost per click

Google Ads video cost

Cost per conversion

Non-Google cost

Non-Google cost per click

Non-Google cost per conversion

Return on ad spend

Return on non-Google ad spend

Revenue metrics

Ad revenue

Ads preferred last click attributed revenue

Average daily revenue

Average event revenue

Average product revenue

Average product value

Average purchase revenue

Average purchase revenue per user

Average revenue per buyer

Average revenue per paid user (ARPPU)

Average revenue per user (ARPU)

Combined revenue per cohort total first opens

Combined revenue per cohort total first visits

Combined revenue per cohort total first visits and first opens

Data driven attribution revenue

Ecommerce purchase quantity

Ecommerce revenue

Event value

Event revenue

First click attributed revenue

Item price

Item refund

Item revenue

Last click attributed revenue

Lifetime ad revenue

Lifetime value (LTV)

Linear attributed revenue

Max daily revenue

Min daily revenue

Position based attributed revenue

Predicted revenue

Product revenue

Purchase revenue

Refunds

Return on ad spend

Return on non-Google ad spend

Revenue

Time decay attributed revenue

Total ad revenue

Total revenue

Parent roles are inherited by default (e.g., account > property). For example, when you give a user a role at the account level, that user then has the same role for all the properties in that account.

A user's effective permissions equate to the most-permissive role for that resource.

For example, if a user has the Editor role for the account, then that user has the Editor role for all of the properties in that account, regardless of whether the user is also assigned a less-permissive role for one of the properties.

In addition, if a user is assigned a more-permissive role for a property than the user has at the account level, then that more-permissive role applies for that property.

You can add data restrictions as direct permissions but you cannot remove them if they're in effect as inherited permissions. For example, if a user is assigned No Cost Metrics at the account level, then that user cannot see cost metrics for any property in the account. You could, however, add the No Revenue Metrics restriction for one or more of the properties in the account.

As an administrator, you have a couple of options to see which users have which roles. From the User Management page at the account or property level:

Search for a specific user name to see that user's roles.
Click the Account Roles column head to sort the list by roles.

How data restrictions affect other Analytics features

Data restrictions are enforced in both the Analytics interface and analogous Analytics API calls.

Data restrictions are created and applied via Analytics access management. Users may not be subject to these restrictions if they have permissions for Analytics based on permissions in other Google products that are linked to Analytics.

Feature

Effect

Reports

Restricted metric values and values derived from restricted metrics do not appear in reports. Users see 0 instead.

Restricted metrics are available in metric pickers associated with reports (e.g., when customizing a report). Users subject to data restrictions can add those metrics, but cannot view the results (e.g., can add the metrics to custom reports, but cannot see the metric values in those reports).

Explorations

Restricted metrics do not appear in explorations.

Restricted metrics are available in metric pickers associated with explorations (e.g., when creating an exploration). Users subject to data restrictions can add those metrics, but cannot view the results (e.g,, can add the metrics to explorations, but cannot see the metric values in those explorations).

Audiences

Restricted metrics are available in metric pickers associated with audiences. Users subject to data restrictions can create audiences based on restricted metrics and edit audience names after creation, but those users are subject to the limitations listed below.

Cannot use an audience (e.g., as a dimension filter) that includes restricted metrics.

Cannot see audience count for audiences that include restricted metrics.

Cannot add audience triggers to audiences based on restricted metrics.

Automated insights

Cannot see automated insights based on restricted metrics in the user interface.

Custom insights

Users with permission can create and edit custom insights based on restricted metrics.

Cannot see custom insights in the user interface and cannot receive them via email.

Custom metrics

Users with permission can create custom metrics and indicate that those metrics include cost or revenue data. Users with corresponding data restrictions are not able to remove indications that custom metrics include cost or revenue data. Access to those custom metrics is subject to all the limitations listed in this article.

Analytics-Firebase linking

Firebase project users are automatically granted Analytics roles when you link a Firebase project to an Analytics property:

Firebase users in a project, based on their highest Firebase firebaseanalytics permission, are assigned to one of four Firebase virtual users:
- Firebase project <project number> Editor
- Firebase project <project number> Marketer
- Firebase project <project number> Viewer (no data restrictions)
- Firebase project <project number> Viewer (no access to cost or revenue data)
The Firebase virtual users are in turn assigned to default roles in the linked Analytics property.

If you have this Firebase role/permission	You are assigned to this Firebase virtual user	Which is assigned this Analytics role
firebaseanalytics.resources. googleAnalyticsEdit	Firebase project <project number> Editor	Editor No data restrictions
firebaseanalytics.resources. googleAnalyticsAdditionalAccess	Firebase project <project number> Marketer	Marketer
firebaseanalytics.resources. googleAnalyticsReadAndAnalyze	Firebase project <project number> Viewer	Viewer No data restrictions
firebaseanalytics.resources. googleAnalyticsRestricedAccess	Firebase project <project number> Viewer	Viewer No access to cost or revenue data

In Analytics access management, each Firebase virtual user represents a group of users in the linked Firebase project.

As an Analytics Administrator, you can change the Analytics role and data restrictions that are assigned to a property's Firebase virtual users. If you change the Analytics role and data restrictions assigned to a Firebase virtual user, you affect everyone in the Firebase project that is assigned to that virtual user

The role assignments and data restrictions persist until the link between the Firebase project and the Analytics property is deleted.

Analytics Administrators can edit access for the Firebase roles in Admin > linked property > Property Access Management.

If you linked your Firebase project to a Google Analytics 4 property before January 4, 2023, the Firebase linked users may have different roles and data access in Analytics than described in the table above.

Analytics-Ads linking

Google Ads users are automatically granted Analytics roles when you link a Google Ads account to an Analytics property. You can manage access to allow Google Ads users to use Analytics features from within Google Ads, such as creating Analytics audiences from Google Ads.

Users in a Google Ads account, based on their Google Ads account access level, are assigned to one of five Google Ads linked users:
- Google Ads account <account number> administrator
- Google Ads account <account number> standard
- Google Ads account <account number> read-only
- Google Ads account <account number> billing
- Google Ads account <account number> email-only
The Google Ads linked users are in turn assigned to roles in the linked Analytics property by the Analytics Administrator.
- Google Ads linked users must be an Administrator, Editor, or Marketer on the linked property to create Analytics audiences from within Google Ads.

If you have this Google Ads account access level	You are assigned to this Google Ads linked user	Which has this recommended Analytics role assignment
Administrator	Google Ads account <account number> administrator	Editor
Standard	Google Ads account <account number> standard	Marketer
Read only	Google Ads account <account number> read-only	Viewer
Billing	Google Ads account <account number> billing	Viewer
Email only	Google Ads account <account number> email-only	Viewer

In Analytics access management, each Google Ads linked user represents a group of users in the linked Google Ads account.

As an Analytics Administrator, you can change the Analytics role and data restrictions that are assigned to a property’s Google Ads linked users. If you change the Analytics role and data restrictions assigned to a Google Ads linked user, you affect everyone in the Google Ads account that is assigned to that linked user.

The role assignments and data restrictions persist until the link between the Google Ads account and the Analytics property is deleted.

As an Analytics Administrator, you can view and edit access for Google Ads linked users in Admin > linked property > Google Ads Links. You can also configure their access just as you would for any user.

To see which users have which roles, you have a couple of options. From the Account Access Management page at the account or property level:

Search for a specific user name to see that user's permissions.
Click the Account Permissions column head to sort the list by permissions.

Universal Analytics

You can assign user permissions In Analytics at the account, property, and view levels.

To assign permissions:

Click Admin.
Click Access Management in the Account, Property, or View column.
Assign roles to new or existing members (e.g., users and groups). Learn more about adding and editing users.

Direct permissions are role and data restrictions that a member is assigned explicitly for the current resource (e.g., organization, account, property).

Five roles and two data restrictions are available:

Role	Explanation
Administrator	Full control of Analytics. Can manage users (add/delete users, assign any role or data restriction). Can grant full permissions to any user, including themselves, for any account or property for which they have this role. Includes Editor role. (Replaces Manage Users permission.)
Editor	Full control of settings at the property level. Cannot manage users. Includes Analyst role. (New name for Edit permission.)
Marketer	Functionally the same the Analyst role in Universal Analytics.
Analyst	Can create, edit, delete, and share property assets. Can collaborate on shared assets. Includes Viewer role. (New name for Collaborate permission.) Property assets include things like: Attribution models Conversion Segments Custom reports Dashboards
Viewer	Can see report and configuration data; can manipulate data within reports (e.g., add comparisons, add a secondary dimension); can create personal assets, and share them, and see shared assets via the user interface or the APIs. Cannot collaborate on shared assets. (New name for Read & Analyze permission.)
None	The user has no role for this object. The user may have a role for another object.

As an administrator, you have a couple of options to see which users have which roles. From the Account Access Management page at the account, property, or view level:

Search for a specific user name to see that user's permissions.
Click the Account Permissions column head to sort the list by permissions.

Was this helpful?

How can we improve it?