If you don't want to give a user full access to the Google Admin console, you can let them perform only a subset of administrative tasks. Do this by assigning an admin role. You can assign more than one admin role to a user.
You can also assign an admin role to a service account, rather than a user. For example, you can use a service account admin to create and update groups and group memberships with applications outside of the Admin console using the Cloud Identity Groups API.
How administrator roles work
In the Admin console, admins can only view information and perform tasks that their role's privileges allow. For example, if you assign the pre-built User Management Admin role to someone, they can only view and modify specific user settings for people who aren’t admins.
Before you begin
Step 1: Review any pre-built or custom roles already used
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- From the Admin console Home page, go to Admin roles.
- Point to the role and then View privileges or View admins to see the admins assigned to the role.
Step 2: Decide on the type of role
- Assign a pre-built system role for performing common tasks. Review the Pre-built administrator roles.
- Create and assign a custom role that has different access levels. If so, you need to create the role first. Go to Create a custom role.
Assign roles
You must be signed in as a super administrator for this task.
Assign roles to one user-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- From the Admin console Home page, go to Users.
- Find the user in the list.
For tips, go to Find a user account.
- Click the user’s name to open their account page.
- Scroll down and click Admin roles and privileges.
- Next to the pre-built or custom role, click Turn on
.
If you don’t see Turn on
- (Optional) For custom roles that include at least one user management privilege, you can restrict an admin's role to a specific organizational unit:
- Next to All organizational units, click Edit
.
- Select the organizational units that you want the administrator to manage.
- Click Done.
- Next to All organizational units, click Edit
- Click Save.
Tips:
- In the Privileges section, you can see all the user's privileges from all admin roles they’re assigned to.
- To return to the user’s account page, at the top right, click the Up arrow
.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- From the Admin console Home page, go to Admin roles.
- Point to the role that you want to assign and on the right, click Assign admin.
Tip: You can switch between admins you’re assigning to the role and the privileges. At the top, click Admins or Privileges.
- Click Assign users.
- Enter the first few letters of the user's email address (not username) and select the user’s address from the options.
You can assign up to 20 users at time.
- Click Assign Role.
- (Optional) For custom roles that include at least one user management privilege, you can restrict an admin's role to a specific organizational unit:
- Next to All organizational units, click Edit
- Select the organizational units that you want the administrator to manage.
- Click Done.
- Next to All organizational units, click Edit
Before you begin: Set up a service account in Google Cloud Platform (GCP). Go to Creating and managing service accounts.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- From the Admin console Home page, go to Admin roles.
- Click the role that you want to assign.
Note: Service accounts can’t be assigned to the Super Admin pre-built role.
- Click Assign role
Assign service accounts.
- Enter the email address of the service account.
You can find the email address of the service account in GCP. Click IAM & Admin
- Click Add
What happens next?
In the Admin audit log, you can see when an admin role was applied to a service account and a record of actions performed by service account admins. For details, go to Admin audit log.
If you applied the Groups Admin pre-built role to a service account, you can also see actions in the Enterprise groups audit log. The service account admin might be listed under Event Description or User. For details, go to Enterprise groups audit log.
Related topic
It can take up to 24 hours for new roles to take effect. After you assign a role, when the user next signs in, they arrive at the Admin console Home page.
Next steps
Administrators can add recovery options to their account.