Admin privileges for the security center

The security center is available with G Suite Enterprise, G Suite Enterprise for Education, Drive Enterprise, and Cloud Identity Premium editions.

Super Admins have automatic access to all security center features, including the security dashboard, the security health page, and the investigation tool. You can give delegated admins access to a specific security center feature (for example, just the security dashboard) by granting them the administrator privileges needed to access that feature. 

For general instructions about granting privileges to delegated admins, see Create custom administrator roles.

Grant security center privileges to an admin

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Admin roles.

    To see Admin roles, you might have to click More controls at the bottom. 

  3. Under User Created Roles, click a custom administrator role.

    Tip: Click Create a new role if you need to create a custom administrator role.

  4. Click the Privileges tab.
  5. Check the privileges for the security center area you want to grant access to:
    Security area Privilege required
    Security page

    Security and then Security Settings

    To open the Security page, click the Security icon on the Admin console home page, or click Security in the main menu at the top-left corner.

    Security dashboard

    Services and then Security Center and then Full admin rights for Security Center and then Dashboards

    Note: Some admins with Reports privilege may have access to the security dashboard. For the security center, the new Dashboards privilege has replaced the Reports privilege. (The Reports privilege for non-security-center reports in the Google Admin console will not be changed.)

    Security health
    • Services and then Security Center and then Full admin rights for Security Center and then Security Health
    • Organizational Units and then Read
    • Users and then Read
    • Setting-specific privileges. These depend on the setting or group of settings you want to give access to. See the Settings reference for the security health page below. If no setting-specific privileges are assigned, the security health page will be accessible, but won't show any settings. 
    Investigation tool

    Services and then Security Center and then Full admin rights for Security Center and then Investigation Tool

    For more information see Admin privileges for the investigation tool.

Settings reference for the security health page

Super Admins automatically have access to all security health settings. For other admins, they need super admins to grant them the additional privileges listed below for each setting (or group of settings). If an admin doesn't have the required privileges for specific settings, those settings won't appear on the security health page.

Note: The security health settings for two-step verification for users, security key enforcement for users, and groups creation and management, are only visible to super admins and can't be delegated.

Security health setting   Privileges required
  • Automatic email forwarding
  • Comprehensive mail storage
  • Bypassing spam filters for internal senders
  • POP and IMAP access for users
  • DKIM
  • SPF record
  • DMARC
  • Approved senders without authentication
  • Approved domain senders
  • Email whitelist IPs
  • Add spam headers setting to all default routing rules
  • MX record configuration
  • Attachment safety
  • Links and external images safety
  • Spoofing and authentication safety
  • MTA-STS configuration

Available with G Suite Enterprise

Gmail and then Settings
  • Groups creation and membership

Available with G Suite Enterprise and Drive Enterprise

Only available for Super Admin accounts.

  • Sites sharing policy
  • G Suite Marketplace applications usage

Available with G Suite Enterprise and Drive Enterprise

 

  • Hangouts out of domain warning

Available with G Suite Enterprise

Services and then Service Settings

Note: Assigning the Service Settings privilege automatically checks the Settings box for Gmail, Drive, and Calendar as well. All the Gmail, Drive and Calendar security health settings are visible to an admin who is assigned the Service Settings privilege.

  • Calendar sharing policy

Available with G Suite Enterprise

Services and then Calendar and then All Settings

  • File publishing on the web
  • Access Checker
  • Warning for out of domain sharing
  • Drive sharing settings
  • Google sign-in requirement for external collaborators
  • Access to offline docs
  • Drive add-ons
  • Desktop access to Drive

Available with G Suite Enterprise and Drive Enterprise

Services and then Drive and Docs and then Settings

  • Mobile management
  • Blocking of compromised mobile devices
  • Mobile inactivity reports
  • Mobile password requirements
  • Device encryption
  • Application verification
  • Installation of mobile apps from unknown sources
  • External media storage
  • Auto account wipe

Available with G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

Services and then Mobile Device Management and then Manage Devices and Settings

  • Two-step verification for admins
  • Security key enforcement for admins

Available for G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

Security and then User Security Management 

  • Two-step verification for users
  • Security key enforcement for users

Available with G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

Only available for Super Admin accounts.

Was this helpful?
How can we improve it?