Pre-built administrator roles

The easiest way to give administrator privileges to another user is to assign pre-built administrator roles. Each role grants one or more privileges that together, allow performing a common business function. For example, one role allows managing user accounts, another role manages groups, another role manages calendars and resources, and so on. Assign multiple roles to grant all privileges in those roles.

You can also create a custom admin role to assign specific privileges to individual users.

Assign roles now Create a custom role

Here's what each role can do:

Super Admin

Has access to all features in the Admin console and Admin API, and can manage every aspect of your organization's account.

Super administrators also have full access to all users' calendars and event details. After you assign the Super Admin role to a user, it can take up to 24 hours for the calendar privileges to be available.

Only super administrators can...

  • Create or assign administrator roles.
  • Reset administrator passwords.
  • Transfer ownership of files during the user deletion process.
  • Transfer unmanaged user accounts to Google Workspace managed user accounts.
  • Restore deleted users.
  • Manage an administrator's settings.
  • Set up billing and control license management.
  • Allow users to turn on 2-Step Verification.
  • Install Google Workspace Marketplace apps.
  • Manage Google Calendar resource access-level controls.
  • Manage global Directory settings.
  • Use the data migration service.
  • Grant domain-wide delegation/manage API client access.
  • Set up Google as a SAML identity provider and add/modify SAML apps. 
At least one user in your account needs to be a super administrator, but we recommend having at least two. That way, if one of you forgets your password the other can reset it for you. You can also allow super admins to reset their own passwords. For details, see Reset your administrator password.

Groups Admin

Has full control over Google Groups tasks in your Admin console. This administrator can perform the following tasks both from the Admin console and through the Admin API:

  • View user profiles and your organizational structure.
  • Create new groups in the Admin console.
  • Manage members of groups created in the Admin console.
  • Manage group access settings.
  • Delete groups from the Admin console.
  • View organizational units.

(Beta) The Groups Admin also has the Privilege required to add/remove security label on groups resource. This task can only be performed in the Admin API.

There are 2 more group admin roles to delegate administration with more restricted privileges. Both of these roles can work in the Admin console and the Admin API:  

  • Groups Reader can read Groups information, but not change or update any of it.
  • Groups Editor has the permissions of a Groups admin, except for the Privilege required to add/remove security label on groups resource. 

User Management Admin

Can perform all actions on users who aren't administrators. This administrator can perform the following tasks both from the Admin console and via the Admin API:

  • View user profiles and your organizational structure.
  • View organizational units.
  • Create and delete user accounts. *
  • Rename users and change passwords. *
  • Manage a user's individual security settings. *
  • Perform these other user management tasks.*

When you assign a user to the User Management Admin role, you can limit their privileges to specific organizational units.

* Applies only for users who aren't administrators. This administrator can't assign administrator privileges, reset an administrator's password, or make other changes to an administrator account. Only a super administrator can perform those tasks.

Help Desk Admin

Can reset passwords for users who aren't administrators, both in the Admin console and via the Admin API. This administrator can also view user profiles and your organizational structure. This administrator can view organizational units.

When you assign a user to the Help Desk Admin role, you can limit their privileges to specific organizational units.

Services Admin

Can manage certain service settings and devices in the Admin console, including Calendar and Google Drive and Docs. This administrator can:

  • Turn services on or off.*
  • Change service settings and permissions. *
  • Create, edit, and delete Calendar resources.
    Note: Users with the Services Admin role can’t modify the sharing settings of Calendar resources.
  • Manage Chrome and mobile devices listed in the Admin console.
  • View organizational units.
  • Use the alert center (full access).

* Applies only for certain products added to your account (Google Workspace services, Google Voice, and so on), Google Workspace Marketplace apps, and free Google services, such as Blogger. Some products and services, such as Google Vault and Google Cloud Print, can’t be managed by the Services Admin role.

Mobile Admin

Can manage mobile devices and endpoints using Google endpoint management. This administrator can:

  • Provision and approve devices.
  • Manage apps.
  • Block or wipe devices and accounts.
  • Set device policies.
  • See groups and users in the domain.

If you don’t see this role in your Admin console, it is only available to customers who signed up for Google Workspace after February 2018. If you joined before this date, you can create a custom role with the same access. For details, see Create, edit, and delete custom admin roles.

Google Voice Admin

Can manage all Google Voice settings and provisioning except assign Voice licenses. This administrator can:

  • Add locations.
  • Assign numbers to users.
  • Port numbers.
  • Change service addresses.
  • Set up desk phones.
  • Set up an auto attendant.

Reseller Admin (applies only to Google Workspace Authorized Resellers)

Can administer, provision, and manage their customers. This administrator has access to:
  • The Channel Service console
  • Admin consoles for their customers' domains (optional)
  • Reseller-related APIs

Users who have only the Reseller Admin role bypass their own organization's Admin console when they sign in.

Was this helpful?
How can we improve it?