Delegate administrator roles in Chrome

If your organization needs multiple Chrome administrators, you can create administrator roles in your Google Admin console. Administrator roles let you grant administrators access to settings they need while blocking access to settings they don't need.

With delegated administration for Chrome devices, you can grant users permissions specific to their roles, such as giving a teacher the ability to create new users and set passwords for students in his classroom, without giving him management access to all the devices in your school district. Likewise, with this feature, you can give a manager administrative access to configure the email settings of his direct reports, without giving him Super Admin permissions over your entire domain.

About Administrator Roles and Privileges

These settings give you more control over what other administrators in your organization can do. They can limit administrator access to specific Chrome Management tabs in the Admin console, such as the following. Settings that can be delegated by organizational unit (OU) are marked as such in the third column.

| Setting | What permissions it gives to delegated administrators | Can be delegated by OU |
| --- | --- | --- |
| Manage Device Shipments | READ access to Shipments. | No |
| Manage Devices | READ and WRITE access to Devices. | No |
| Manage User Settings | READ and WRITE access to User Settings for the organizational units for which the administrator has privileges. | Yes |
| Manage Application Settings | READ and WRITE access to the Apps and Extensions section of User Settings for the organizational units for which the delegated admin has privileges. This is a subcategory of User Settings, so all admins who can manage User Settings can also manage Application Settings.* | Yes |
| Manage Device Settings | READ and WRITE access to Device Settings for the organizational units for which the delegated admin has privileges. | Yes |
| Manage User and Device Networks | READ and WRITE access to Networks for the organizational units for which the delegated admin has privileges. | Yes |

*Use Manage Application Settings if you want to give a teacher the ability to preinstall and manage applications for his students without giving him access to all of the permissions under User Settings.

For more about delegated administration roles, see Administrator privilege details.

Setup

  1. If you haven’t already, create organizational units in Google Apps. These can be groupings such as schools and classrooms, or business subsidiaries and offices.
  2. Follow these instructions to grant administrator privileges to users in your organization.

Once you’ve assigned privileges, do the following to see which roles your user has been assigned.

  1. In your Admin console, click Users and click on the name of a user.
  2. Scroll down and click Show more at the bottom.
  3. Click Admin roles and privileges to see the privileges that user has.

If you choose a setting that isn't manageable by suborganization (such as Shipments), you won't be able to choose a suborganization when you assign roles. For example, if an admin role only manages User Settings, you can assign it to a teacher for an organizational unit called "Classroom A". But if that role also manages Shipments, you won't be able to assign it to only your "Classroom A" organizational unit because the Shipments page currently doesn't support privileges by organizational unit.
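
The scoping rule above can be checked before roles are handed out. The following Python audit is an added example, not Google's code: it applies this page's delegation table to a list of role assignments and flags those that cannot be limited to an organizational unit or that are broader than they need to be. The role names, record fields and accounts are constructed for illustration.

```python
# Added example. Setting names and the OU column come from the table on this page;
# the record layout, role names and accounts are constructed for illustration.
OU_DELEGABLE = {
    "Manage Device Shipments": False,
    "Manage Devices": False,
    "Manage User Settings": True,
    "Manage Application Settings": True,
    "Manage Device Settings": True,
    "Manage User and Device Networks": True,
}
# Application Settings is a subcategory of User Settings.
IMPLIES = {"Manage User Settings": {"Manage Application Settings"}}

def effective(settings):
    """Expand a role's settings with the ones they implicitly include."""
    out = set(settings)
    for s in settings:
        out |= IMPLIES.get(s, set())
    return out

def audit(roles, assignments):
    """Return (admin, finding) pairs for assignments that need review."""
    findings = []
    for a in assignments:
        settings = effective(roles[a["role"]])
        blockers = sorted(s for s in settings if not OU_DELEGABLE[s])
        scopable = sorted(settings - set(blockers))
        if a["ou"] is not None and blockers:
            findings.append((a["admin"], "invalid OU scope: " + ", ".join(blockers)))
        elif a["ou"] is None and blockers and scopable:
            findings.append((a["admin"], "split role, OU-scope: " + ", ".join(scopable)))
        elif a["ou"] is None and not blockers:
            findings.append((a["admin"], "organization-wide but OU-delegable"))
    return findings

ROLES = {  # constructed sample roles
    "Classroom users": ["Manage User Settings"],
    "Classroom apps": ["Manage Application Settings"],
    "Teacher plus shipments": ["Manage User Settings", "Manage Device Shipments"],
}
ASSIGNMENTS = [  # constructed sample assignments; ou=None means the whole organization
    {"admin": "teacher-a@example.com", "role": "Classroom users", "ou": "Classroom A"},
    {"admin": "teacher-b@example.com", "role": "Teacher plus shipments", "ou": "Classroom A"},
    {"admin": "teacher-c@example.com", "role": "Teacher plus shipments", "ou": None},
    {"admin": "teacher-d@example.com", "role": "Classroom apps", "ou": None},
]

if __name__ == "__main__":
    for admin, finding in audit(ROLES, ASSIGNMENTS):
        print(admin, "->", finding)
```
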