- Account or property administrator can view all the contact details for users on a property, but there are other places where some user information is presented, for example, the name or email of whoever made the change can be seen in Change History (editor or admin), Trashcan (admin), or Explorations (all access). This information is limited and required for day-to-day journeys.
- Other users of the property may be able to view the contact details of the other users of the property when contextually necessary. Note that the PII is visible with restriction, but the users that edit property assets can be detected.
This article covers access and data-restriction management for Google Analytics 4. In Google Analytics 4, you manage data restrictions by choosing one or both of the data-restriction options described below.
In this article:Assign roles and data restrictions on the account level
- In Admin, under Account, click Account access management.
Note: The previous link opens to the last Analytics property you accessed. You can change the property using the property selector.You must be an Administrator at the account level to assign roles and data restrictions.
- Assign roles to new or existing members (e.g., users and groups). Learn how to Add, edit, and delete Analytic users and user groups.
Assign roles and data restrictions on the property level
- In Admin, under Property, click Property access management.
Note: The previous link opens to the last Analytics property you accessed. You can change the property using the property selector.You must be an Administrator at the property level to assign roles and data restrictions.
- Assign roles to new or existing members (e.g., users and groups). Learn how to Add, edit, and delete Analytic users and user groups.
Effective permissions are the roles and data restrictions that a member is assigned via other resources (like the organization, a user group, or an account that includes the current property) plus all the direct permissions assigned explicitly for the current resource.
Direct permissions are role and data restrictions that a member is assigned explicitly for the current resource (e.g., organization, account, property).
Five roles and 2 data restrictions are available:
Role | Explanation |
---|---|
Administrator |
Full control of Analytics. Can manage users (add/delete users, assign any role or data restriction). Can grant full permissions to any user, including themselves, for any account or property for which they have this role. Includes permissions of the Editor role. (Replaces Manage Users permission.) |
Editor |
Full control of settings at the property level. Cannot manage users. Includes permissions of the Analyst role. (New name for Edit permission.) |
Marketer |
Can create, edit, and delete audiences, events, and key events. Can edit attribution-model settings. Includes permissions of the Analyst role. |
Analyst |
Can share created explorations to other users of the property. Can request unsampled explorations (Google Analytics 360 only). Includes permissions of the Viewer role. (New name for Collaborate permission.) |
Viewer |
Can see settings and data; can change which data appears in reports (e.g., add comparisons, add a secondary dimension); can see shared assets via the user interface or the APIs. Can create, edit, and delete created explorations. (New name for Read & Analyze permission.) |
None | The user has no role for this resource. The user may have a role for another resource. |
Data restriction | Explanation |
---|---|
No Cost Metrics |
Cannot see metrics related to cost. Cost metrics are unavailable in reports, explorations, audiences, insights, and alerts. See below for more information. |
No Revenue Metrics |
Cannot see metrics related to revenue. Revenue metrics are unavailable in reports, explorations, audiences, insights, and alerts. See below for more information. |
Cost and revenue metrics
In addition to the metrics listed in the following sections, cost and revenue metrics include any custom metric that is identified as a cost or revenue metric and any metric derived from a cost or revenue metric.
Cost metrics
Google Ads cost
Google Ads cost per click
Google Ads video cost
Cost per key event interaction
Non-Google cost
Non-Google cost per click
Non-Google cost per key event interaction
Return on ad spend
Return on non-Google ad spend
Revenue metrics
Ad revenue
Ads preferred last click attributed revenue
Average daily revenue
Average event revenue
Average product revenue
Average product value
Average purchase revenue
Average purchase revenue per user
Average revenue per buyer
Average revenue per paid user (ARPPU)
Average revenue per user (ARPU)
Combined revenue per cohort total first opens
Combined revenue per cohort total first visits
Combined revenue per cohort total first visits and first opens
Data driven attribution revenue
Ecommerce purchase quantity
Ecommerce revenue
Event value
Event revenue
First click attributed revenue
Item price
Item refund
Item revenue
Last click attributed revenue
Lifetime ad revenue
Lifetime value (LTV)
Linear attributed revenue
Max daily revenue
Min daily revenue
Position based attributed revenue
Predicted revenue
Product revenue
Purchase revenue
Refunds
Return on ad spend
Return on non-Google ad spend
Revenue
Time decay attributed revenue
Total ad revenue
Total revenue
Parent roles are inherited by default (e.g., account > property). For example, when you give a user a role at the account level, that user then has the same role for all the properties in that account.
A user's effective permissions equate to the most-permissive role for that resource.
For example, if a user has the Editor role for the account, then that user has the Editor role for all of the properties in that account, regardless of whether the user is also assigned a less-permissive role for one of the properties.
In addition, if a user is assigned a more-permissive role for a property than the user has at the account level, then that more-permissive role applies for that property.
You can add data restrictions as direct permissions but you cannot remove them if they're in effect as inherited permissions. For example, if a user is assigned No Cost Metrics at the account level, then that user cannot see cost metrics for any property in the account. You could, however, add the No Revenue Metrics restriction for one or more of the properties in the account.
As an administrator, you have a couple of options to see which users have which roles. From the User Management page at the account or property level:
- Search for a specific user name to see that user's roles.
- Click the Account Roles column head to sort the list by roles.
How data restrictions affect other Analytics features
Data restrictions are enforced in both the Analytics interface and analogous Analytics API calls.
Data restrictions are created and applied via Analytics access management. Users may not be subject to these restrictions if they have permissions for Analytics based on permissions in other Google products that are linked to Analytics.
Feature | Effect | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reports |
Restricted metric values and values derived from restricted metrics do not appear in reports. Users see 0 instead. Restricted metrics are available in metric pickers associated with reports (e.g., when customizing a report). Users subject to data restrictions can add those metrics, but cannot view the results (e.g., can add the metrics to custom reports, but cannot see the metric values in those reports). |
||||||||||||||||||
Explorations |
Restricted metrics do not appear in explorations. Restricted metrics are available in metric pickers associated with explorations (e.g., when creating an exploration). Users subject to data restrictions can add those metrics, but cannot view the results (e.g,, can add the metrics to explorations, but cannot see the metric values in those explorations). |
||||||||||||||||||
Audiences |
Restricted metrics are available in metric pickers associated with audiences. Users subject to data restrictions can create audiences based on restricted metrics and edit audience names after creation, but those users are subject to the limitations listed below. Cannot use an audience (e.g., as a dimension filter) that includes restricted metrics. Cannot see audience count for audiences that include restricted metrics. Cannot add audience triggers to audiences based on restricted metrics. |
||||||||||||||||||
Automated insights | Cannot see automated insights based on restricted metrics in the user interface. | ||||||||||||||||||
Custom insights |
Users with permission can create and edit custom insights based on restricted metrics. Cannot see custom insights in the user interface and cannot receive them via email. |
||||||||||||||||||
Custom metrics | Users with permission can create custom metrics and indicate that those metrics include cost or revenue data. Users with corresponding data restrictions are not able to remove indications that custom metrics include cost or revenue data. Access to those custom metrics is subject to all the limitations listed in this article. | ||||||||||||||||||
Analytics-Firebase linking |
Firebase project users are automatically granted Analytics roles when you link a Firebase project to an Analytics property:
In Analytics access management, each Firebase virtual user represents a group of users in the linked Firebase project. As an Analytics Administrator, you can change the Analytics role and data restrictions that are assigned to a property's Firebase virtual users. If you change the Analytics role and data restrictions assigned to a Firebase virtual user, you affect everyone in the Firebase project that is assigned to that virtual user The role assignments and data restrictions persist until the link between the Firebase project and the Analytics property is deleted. Analytics Administrators can edit access for the Firebase roles in Admin > linked property > Property Access Management. If you linked your Firebase project to a Google Analytics 4 property before January 4, 2023, the Firebase linked users may have different roles and data access in Analytics than described in the table above. |
||||||||||||||||||
Analytics-Ads linking |
Google Ads users are automatically granted Analytics roles when you link a Google Ads account to an Analytics property. You can manage access to allow Google Ads users to use Analytics features from within Google Ads, such as creating Analytics audiences from Google Ads.
In Analytics access management, each Google Ads linked user represents a group of users in the linked Google Ads account. As an Analytics Administrator, you can change the Analytics role and data restrictions that are assigned to a property’s Google Ads linked users. If you change the Analytics role and data restrictions assigned to a Google Ads linked user, you affect everyone in the Google Ads account that is assigned to that linked user. The role assignments and data restrictions persist until the link between the Google Ads account and the Analytics property is deleted. As an Analytics Administrator, you can view and edit access for Google Ads linked users in Admin > linked property > Google Ads Links. You can also configure their access just as you would for any user. |
To see which users have which roles, you have a couple of options. From the Account Access Management page at the account or property level:
- Search for a specific user name to see that user's permissions.
- Click the Account Permissions column head to sort the list by permissions.