Assign specific admin roles

If you don't want to give a user full access to the Google Admin console, you can let them perform only a subset of administrative tasks. Do this by assigning an admin role. You can assign more than one admin role to a user.

You can also assign an admin role to a service account, rather than a user. For example, you can use a service account admin to create and update groups and group memberships with applications outside of the Admin console using the Cloud Identity Groups API. 

How administrator roles work

In the Admin console, admins can only view information and perform tasks that their role's privileges allow. For example, if you assign the pre-built User Management Admin role to someone, they can only view and modify specific user settings for people who aren’t admins.

Before you begin

Step 1: Review any pre-built or custom roles already used

You must be signed in as a super administrator for this task.
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Admin roles.
  3. Point to the role and then View privileges or View admins to see the admins assigned to the role.

Step 2: Decide on the type of role

Decide whether you want to:

Assign roles

You must be signed in as a super administrator for this task.

Assign roles to one user
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Users.
  3. Find the user in the list.

    For tips, go to Find a user account.

  4. Click the user’s name to open their account page.
  5. Scroll down and click Admin roles and privileges.
  6. Next to the pre-built or custom role, click Turn on "".

    If you don’t see Turn on "", click anywhere under Roles to reveal the switches.

  7. (Optional) For custom roles that include at least one user management privilege, you can restrict an admin's role to a specific organizational unit:
    1. Next to All organizational units, click Edit "".
    2. Select the organizational units that you want the administrator to manage.
    3. Click Done.
  8. Click Save.

Tips:

  • In the Privileges section, you can see all the user's privileges from all admin roles they’re assigned to.
  • To return to the user’s account page, at the top right, click the Up arrow "" .
Assign a role to several users at once
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Admin roles.
  3. Point to the role that you want to assign and on the right, click Assign admin.

    Tip: You can switch between admins you’re assigning to the role and the privileges. At the top, click Admins or Privileges.

    View privileges

  4. Click Assign users.
  5. Enter the first few letters of the user's email address (not username) and select the user’s address from the options.

    You can assign up to 20 users at time.

  6. Click Assign Role.
  7. (Optional) For custom roles that include at least one user management privilege, you can restrict an admin's role to a specific organizational unit:
    1. Next to All organizational units, click Edit "".
    2. Select the organizational units that you want the administrator to manage.
    3. Click Done.
Assign a role to a service account

Before you begin: Set up a service account in Google Cloud Platform (GCP). Go to Creating and managing service accounts.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Admin roles.
  3. Click the role that you want to assign.

    Note: Service accounts can’t be assigned to the Super Admin pre-built role.

  4. Click Assign roleand thenAssign service accounts. 
  5. Enter the email address of the service account.

    You can find the email address of the service account in GCP. Click IAM & Adminand thenService Accounts.

  6. Click Addand thenAssign role. 

What happens next? 

In the Admin audit log, you can see when an admin role was applied to a service account and a record of actions performed by service account admins. For details, go to Admin audit log

If you applied the Groups Admin pre-built role to a service account, you can also see actions in the Enterprise groups audit log. The service account admin might be listed under Event Description or User. For details, go to Enterprise groups audit log.

Related topic

It can take up to 24 hours for new roles to take effect. After you assign a role, when the user next signs in, they arrive at the Admin console Home page.

Next steps 

Administrators can add recovery options to their account.

Was this helpful?
How can we improve it?