If you don't want to give a user full access to the Google Admin console, you can let them perform only a subset of administrative tasks. Do this by assigning an admin role. You can assign more than one admin role to a user.
You can also assign an admin role to a service account, rather than a user. For example, you can use a service account admin to create and update groups and group memberships with applications outside of the Admin console using the Cloud Identity Groups API.
How administrator roles work
In the Admin console, admins can only view information and perform tasks that their role's privileges allow. For example, if you assign the pre-built User Management Admin role to someone, they can only view and modify specific user settings for people who aren’t admins.
How role assignment limits work
You can set any role to apply across all of your organizational units. For these roles, you can make up to 500 total assignments, regardless of the number of roles. For example, you could assign one role to 300 users or service accounts and another role to 200 users or service accounts.
You can apply some roles to organizational units instead. For these roles, you can make up to 500 total assignments for each organizational unit, regardless of the number of roles. To see if a role can be applied to organizational units, go to the user's role assignment page and next to All organizational units, look for Edit. Examples include the User Management Admin prebuilt role or a custom role that has at least one User privilege.
If you assigned more than 500 roles at any level before the limits went into effect, we recommend adjusting your assignments to bring them under the limit.
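The counting rule above can be checked against an export of your role assignments. The following is an added example, not Google's code: the record fields (roleId, assignedTo, scopeType, orgUnitId) are assumed to follow the Admin SDK Directory API roleAssignments resource, and the sample data and IDs are constructed.

```python
from collections import Counter

LIMIT = 500  # cap per scope stated on this page, shared across all roles

def scope_of(a):
    """Org-wide assignments share one pool; each organizational unit has its own."""
    if a.get("scopeType") == "ORG_UNIT":
        return ("ORG_UNIT", a["orgUnitId"])
    return ("CUSTOMER", None)

def tally_by_scope(assignments):
    """Count assignments per scope, regardless of which role they grant."""
    return Counter(scope_of(a) for a in assignments)

def scopes_over_limit(assignments, limit=LIMIT):
    """Scopes whose total assignment count exceeds the cap."""
    return {s: n for s, n in tally_by_scope(assignments).items() if n > limit}

def remaining(assignments, scope, limit=LIMIT):
    """Assignments still available in a scope (never negative)."""
    return max(0, limit - tally_by_scope(assignments)[scope])

def fits(assignments, scope, batch_size, limit=LIMIT):
    """Would assigning batch_size more principals in this scope stay within the cap?"""
    return tally_by_scope(assignments)[scope] + batch_size <= limit

def sample_assignments():
    """Constructed data: the page's 300 + 200 org-wide example, plus one oversubscribed OU."""
    rows = [{"roleId": "role-A", "assignedTo": f"id-{i}", "scopeType": "CUSTOMER"}
            for i in range(300)]
    rows += [{"roleId": "role-B", "assignedTo": f"id-{i}", "scopeType": "CUSTOMER"}
             for i in range(300, 500)]
    rows += [{"roleId": "role-C", "assignedTo": f"id-{i}", "scopeType": "ORG_UNIT",
              "orgUnitId": "ou-sales"} for i in range(501)]
    return rows

if __name__ == "__main__":
    rows = sample_assignments()
    for scope, n in sorted(tally_by_scope(rows).items(), key=str):
        status = "OVER LIMIT" if n > LIMIT else "ok"
        print(scope, n, status, "remaining:", remaining(rows, scope))
```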
Before you begin
Step 1: Review any pre-built or custom roles already used
- Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Admin roles.
- Point to the role and then click View privileges or View admins to see the admins assigned to the role.
Step 2: Decide on the type of role
- Assign a pre-built system role for performing common tasks. Review the Pre-built administrator roles.
- Create and assign a custom role that has different access levels. If you choose this option, you need to create the role first. Go to Create a custom role.
Assign roles
You must be signed in as a super administrator for this task.
Assign roles to one user
- Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Directory > Users.
- Find the user in the list.
For tips, go to Find a user account.
- Click the user’s name to open their account page.
- Scroll down and click Admin roles and privileges.
- Next to the pre-built or custom role, click Turn on.
If you don’t see Turn on, click anywhere under Roles to reveal the switches.
- (Optional) To restrict the admin's role to a specific organizational unit, next to All organizational units, click Edit, select the organizational units, and click Done.
If you don’t see Edit, the role cannot be applied to organizational units.
- Click Save.
Tips:
- In the Privileges section, you can see all the user's privileges from all admin roles they’re assigned to.
- To return to the user’s account page, at the top right, click the Up arrow.
Assign a role to multiple users
- Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Admin roles.
- Point to the role that you want to assign and on the right, click Assign admin.
Tip: You can switch between admins you’re assigning to the role and the privileges. At the top, click Admins or Privileges.
- Click Assign users.
- Enter the first few letters of the user's email address (not username) and select the user’s address from the options.
You can assign up to 20 users at a time.
- Click Assign Role.
- (Optional) To restrict the admin's role to a specific organizational unit, next to All organizational units, click Edit, select the organizational units, and click Done.
If you don’t see Edit, the role cannot be applied to organizational units.
Assign a role to a service account
You can assign any prebuilt or custom role except Super Admin to a service account. Assigning a role to a service account counts toward your role assignment limit.
Before you begin: Set up a service account in Google Cloud. Go to Creating and managing service accounts.
- Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Admin roles.
- Point to the role that you want to assign and click Assign admin.
- Click Assign service accounts.
- Enter the email address of the service account.
To find the email address, open the Google Cloud console and click Menu > IAM & Admin > Service Accounts.
- Click Add > Assign role.
What happens next?
In the Admin audit log, you can see when an admin role was applied to a service account and a record of actions performed by service account admins. For details, go to Admin audit log.
If you applied the Groups Admin pre-built role to a service account, you can also see actions in the Enterprise groups audit log. The service account admin might be listed under Event Description or User. For details, go to Enterprise groups audit log.
It can take up to 24 hours for new roles to take effect. After you assign a role, when the user next signs in, they arrive at the Admin console Home page.
Unassign roles
You can’t unassign a role from yourself.
To unassign a role from a user, follow all of the steps above in Assign roles to one user. In step 6, instead of turning on the role, click Turn off.
Unassign a role from multiple users or a service account on the Admin roles page.
- Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Admin roles.
- Point to the role that you want to unassign and on the right, click Assign admin.
- Choose an option:
  - Next to each user or service account you want, check the box.
  - To unassign the role from all users and service accounts, next to the Admin column heading, check the box.
- Click Unassign role > Unassign Role to confirm.
Next steps
Administrators can add recovery options to their account.