[GA4] Access and data-restriction management

Learn how to assign roles and data restrictions in your Google Analytics account or property to manage access
Note:
  • Account or property administrator can view all the contact details for users on a property, but there are other places where some user information is presented, for example, the name or email of whoever made the change can be seen in Change History (editor or admin), Trashcan (admin), or Explorations (all access). This information is limited and required for day-to-day journeys.
  • Other users of the property may be able to view the contact details of the other users of the property when contextually necessary. Note that the PII is visible with restriction, but the users that edit property assets can be detected.

This article covers access and data-restriction management for Google Analytics 4. In Google Analytics 4, you manage data restrictions by choosing one or both of the data-restriction options described below.

In this article:

Assign roles and data restrictions on the account level

  1. In Admin, under Account, click Account access management.

    Note: The previous link opens to the last Analytics property you accessed. You can change the property using the property selector.You must be an Administrator at the account level to assign roles and data restrictions.

  2. Assign roles to new or existing members (e.g., users and groups). Learn how to Add, edit, and delete Analytic users and user groups.

Assign roles and data restrictions on the property level

  1. In Admin, under Property, click Property access management.
    Note: The previous link opens to the last Analytics property you accessed. You can change the property using the property selector.You must be an Administrator at the property level to  assign roles and data restrictions.
  2. Assign roles to new or existing members (e.g., users and groups). Learn how to Add, edit, and delete Analytic users and user groups.

Effective permissions are the roles and data restrictions that a member is assigned via other resources (like the organization, a user group, or an account that includes the current property) plus all the direct permissions assigned explicitly for the current resource.

Direct permissions are role and data restrictions that a member is assigned explicitly for the current resource (e.g., organization, account, property).

Five roles and 2 data restrictions are available:

Role Explanation
Administrator

Full control of Analytics. Can manage users (add/delete users, assign any role or data restriction). Can grant full permissions to any user, including themselves, for any account or property for which they have this role.

Includes permissions of the Editor role.

(Replaces Manage Users permission.)

Editor

Full control of settings at the property level. Cannot manage users. Includes permissions of the Analyst role.

(New name for Edit permission.)

Marketer

Can create, edit, and delete audiences, events, and key events. Can edit attribution-model settings.

Includes permissions of the Analyst role.

Analyst

Can share created explorations to other users of the property. Can request unsampled explorations (Google Analytics 360 only).

Includes permissions of the Viewer role.

(New name for Collaborate permission.)

Viewer

Can see settings and data; can change which data appears in reports (e.g., add comparisons, add a secondary dimension); can see shared assets via the user interface or the APIs. Can create, edit, and delete created explorations.

(New name for Read & Analyze permission.)

None The user has no role for this resource. The user may have a role for another resource.

 

Data restriction Explanation
No Cost Metrics

Cannot see metrics related to cost.

Cost metrics are unavailable in reports, explorations, audiences, insights, and alerts. See below for more information.

No Revenue Metrics

Cannot see metrics related to revenue.

Revenue metrics are unavailable in reports, explorations, audiences, insights, and alerts. See below for more information.

Cost and revenue metrics

In addition to the metrics listed in the following sections, cost and revenue metrics include any custom metric that is identified as a cost or revenue metric and any metric derived from a cost or revenue metric.

These lists will be updated if Analytics adds additional cost or revenue metrics.

Cost metrics

Google Ads cost

Google Ads cost per click

Google Ads video cost

Cost per key event interaction

Non-Google cost

Non-Google cost per click

Non-Google cost per key event interaction

Return on ad spend

Return on non-Google ad spend

Revenue metrics

Ad revenue

Ads preferred last click attributed revenue

Average daily revenue

Average event revenue

Average product revenue

Average product value

Average purchase revenue

Average purchase revenue per user

Average revenue per buyer

Average revenue per paid user (ARPPU)

Average revenue per user (ARPU)

Combined revenue per cohort total first opens

Combined revenue per cohort total first visits

Combined revenue per cohort total first visits and first opens

Data driven attribution revenue

Ecommerce purchase quantity

Ecommerce revenue

Event value

Event revenue

First click attributed revenue

Item price

Item refund

Item revenue

Last click attributed revenue

Lifetime ad revenue

Lifetime value (LTV)

Linear attributed revenue

Max daily revenue

Min daily revenue

Position based attributed revenue

Predicted revenue

Product revenue

Purchase revenue

Refunds

Return on ad spend

Return on non-Google ad spend

Revenue

Time decay attributed revenue

Total ad revenue

Total revenue

Parent roles are inherited by default (e.g., account > property). For example, when you give a user a role at the account level, that user then has the same role for all the properties in that account.

A user's effective permissions equate to the most-permissive role for that resource.

For example, if a user has the Editor role for the account, then that user has the Editor role for all of the properties in that account, regardless of whether the user is also assigned a less-permissive role for one of the properties.

In addition, if a user is assigned a more-permissive role for a property than the user has at the account level, then that more-permissive role applies for that property.

You can add data restrictions as direct permissions but you cannot remove them if they're in effect as inherited permissions. For example, if a user is assigned No Cost Metrics at the account level, then that user cannot see cost metrics for any property in the account. You could, however, add the No Revenue Metrics restriction for one or more of the properties in the account.

As an administrator, you have a couple of options to see which users have which roles. From the User Management page at the account or property level:

  • Search for a specific user name to see that user's roles.
  • Click the Account Roles column head to sort the list by roles.

How data restrictions affect other Analytics features

Data restrictions are enforced in both the Analytics interface and analogous Analytics API calls.

Data restrictions are created and applied via Analytics access management. Users may not be subject to these restrictions if they have permissions for Analytics based on permissions in other Google products that are linked to Analytics.

Feature Effect
Reports

Restricted metric values and values derived from restricted metrics do not appear in reports. Users see 0 instead.

Restricted metrics are available in metric pickers associated with reports (e.g., when customizing a report). Users subject to data restrictions can add those metrics, but cannot view the results (e.g., can add the metrics to custom reports, but cannot see the metric values in those reports).

Explorations

Restricted metrics do not appear in explorations.

Restricted metrics are available in metric pickers associated with explorations (e.g., when creating an exploration). Users subject to data restrictions can add those metrics, but cannot view the results (e.g,, can add the metrics to explorations, but cannot see the metric values in those explorations).

Audiences

Restricted metrics are available in metric pickers associated with audiences. Users subject to data restrictions can create audiences based on restricted metrics and edit audience names after creation, but those users are subject to the limitations listed below.

Cannot use an audience (e.g., as a dimension filter) that includes restricted metrics.

Cannot see audience count for audiences that include restricted metrics.

Cannot add audience triggers to audiences based on restricted metrics.

Automated insights Cannot see automated insights based on restricted metrics in the user interface.
Custom insights

Users with permission can create and edit custom insights based on restricted metrics.

Cannot see custom insights in the user interface and cannot receive them via email.

Custom metrics Users with permission can create custom metrics and indicate that those metrics include cost or revenue data. Users with corresponding data restrictions are not able to remove indications that custom metrics include cost or revenue data. Access to those custom metrics is subject to all the limitations listed in this article.
Analytics-Firebase linking

Firebase project users are automatically granted Analytics roles when you link a Firebase project to an Analytics property:

  • Firebase users in a project, based on their highest Firebase firebaseanalytics permission, are assigned to one of 4 Firebase virtual users:
    • Firebase project <project number> Editor
    • Firebase project <project number> Marketer
    • Firebase project <project number> Viewer (no data restrictions)
    • Firebase project <project number> Viewer (no access to cost or revenue data)
  • The Firebase virtual users are in turn assigned to default roles in the linked Analytics property.
If you have this Firebase role/permission You are assigned to this Firebase virtual user Which is assigned this Analytics role

firebaseanalytics.resources.

googleAnalyticsEdit

Firebase project <project number> Editor

Editor

No data restrictions

firebaseanalytics.resources.

googleAnalyticsAdditionalAccess

Firebase project <project number> Marketer Marketer

firebaseanalytics.resources.

googleAnalyticsReadAndAnalyze

Firebase project <project number> Viewer

Viewer

No data restrictions

firebaseanalytics.resources.

googleAnalyticsRestricedAccess

Firebase project <project number> Viewer

Viewer

No access to cost or revenue data

In Analytics access management, each Firebase virtual user represents a group of users in the linked Firebase project.

As an Analytics Administrator, you can change the Analytics role and data restrictions that are assigned to a property's Firebase virtual users. If you change the Analytics role and data restrictions assigned to a Firebase virtual user, you affect everyone in the Firebase project that is assigned to that virtual user

The role assignments and data restrictions persist until the link between the Firebase project and the Analytics property is deleted.

Analytics Administrators can edit access for the Firebase roles in Admin > linked property > Property Access Management.

If you linked your Firebase project to a Google Analytics 4 property before January 4, 2023, the Firebase linked users may have different roles and data access in Analytics than described in the table above.

Analytics-Ads linking

Google Ads users are automatically granted Analytics roles when you link a Google Ads account to an Analytics property. You can manage access to allow Google Ads users to use Analytics features from within Google Ads, such as creating Analytics audiences from Google Ads.

  • Users in a Google Ads account, based on their Google Ads account access level, are assigned to one of 5 Google Ads linked users:
    • Google Ads account <account number> administrator
    • Google Ads account <account number> standard
    • Google Ads account <account number> read-only
    • Google Ads account <account number> billing
    • Google Ads account <account number> email-only
  • The Google Ads linked users are in turn assigned to roles in the linked Analytics property by the Analytics Administrator.
    • Google Ads linked users must be an Administrator, Editor, or Marketer on the linked property to create Analytics audiences from within Google Ads.
If you have this Google Ads account access level You are assigned to this Google Ads linked user Which has this recommended Analytics role assignment

Administrator

Google Ads account <account number> administrator

Editor

Standard

Google Ads account <account number> standard

Marketer

Read only

Google Ads account <account number> read-only

Viewer

Billing

Google Ads account <account number> billing

Viewer

Email only

Google Ads account <account number> email-only

Viewer

In Analytics access management, each Google Ads linked user represents a group of users in the linked Google Ads account.

As an Analytics Administrator, you can change the Analytics role and data restrictions that are assigned to a property’s Google Ads linked users. If you change the Analytics role and data restrictions assigned to a Google Ads linked user, you affect everyone in the Google Ads account that is assigned to that linked user.

The role assignments and data restrictions persist until the link between the Google Ads account and the Analytics property is deleted.

As an Analytics Administrator, you can view and edit access for Google Ads linked users in Admin > linked property > Google Ads Links. You can also configure their access just as you would for any user.

To see which users have which roles, you have a couple of options. From the Account Access Management page at the account or property level:

  • Search for a specific user name to see that user's permissions.
  • Click the Account Permissions column head to sort the list by permissions.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
7138854564774267050
true
Search Help Center
true
true
true
true
true
69256
true
false