User roles and permissions

The roles and associated permissions you grant for organization users are relevant only to Google Marketing Platform. When you link product accounts to an organization, some organization users are automatically granted user-management permissions in those products as outlined in the sections below.

When you add users to your organization, they can have one or more of the following roles:

Org admin

An Org admin has all administrative permissions for the organization (including all permissions listed below for User admin, Billing admin, and User):

  • Manage users: add, edit, remove, assign roles (including designating other Org admins)
  • Link and unlink product accounts (linking requires that you are also an administrative user on the product account; for example, in Analytics you have the Manage Users and Edit permissions)
  • Change the service level from standard to 360 for objects in product accounts

Org admins can see which users have access to a product account, along with details about those users. User details include:

  • The Analytics accounts, properties, and views, the Google Tag Manager containers, and the Optimize containers to which the user has access
  • The last date on which the user interacted with Google Analytics report data.
  • Interactions include:
    • Viewing a report or dashboard
    • Accessing data via an API call, for example, in a Chrome extension or in the Analytics mobile app

Org admins can also view the Change History for an organization. Change History lets you keep track of:

  • When a change was made
  • Who made the change
  • What was changed

For example, you can easily see when someone linked a new account to your organization, added or removed users, changed the service level for an object, or changed the end date on an order.

Having a record of these changes eliminates confusion over something like an increase in billing--instead of wondering, you can search your change history to see that one of your administrators changed the service level for a property from standard to 360, or made changes to the billing parameters.

You can see changes for the last two years.

Permissions inherited for linked analytics products

Google Analytics

When you link an Analytics account to an organization, Org admins inherit Manage Users permission for that account, and for all properties and views in the account.

Google Tag Manager

When you link a Tag Manager account to an organization, Org admins don't inherit specific permissions, but they can:

  • View users in the account and its containers
  • Remove users from the account and its containers
Google Optimize

When you link an Optimize account to an organization, Org admins don't inherit specific permissions, but they can:

  • View users in the account and its containers
  • Remove users from the account and its containers

Choosing Org admins

For convenience, you should have at least two Org admins, but not many more.

Your primary consideration in choosing Org admins is how much you trust those people. As an Org admin, they will be able to grant permissions to themselves and others for the organization and for all of the product accounts linked to the organization.

When you link a product account to an organization, all Org admins are given the permissions described above for the product account. For example, when you link Google Analytics 360, then Org admins automatically have the Manage Users permission in Analytics. Those permissions for the Org admin role remain intact as long as the product account is linked to the organization.

A primary benefit of the Org admin role is to be able to recover lost access to a product account. For example, if you lose access to an Analytics 360 account because the only administrator left the company, then an Org admin can designate other users as Analytics 360 administrators.

To ensure that someone always has access to the organization, when you create an organization, designate at least two users, preferably three, as Org admins.

User admin

User admins can add and remove organization users and product-account users for linked product accounts, and set permissions for those users in the organization and in the linked product accounts. They cannot assign the Org admin role to users.

User admins are automatically assigned the Manage Users permission in Analytics when you link an account, and can thereby assign themselves other permissions in Analytics.

Permissions inherited for linked analytics products

Google Analytics

When you link an Analytics account to an organization, User admins inherit Manage Users permission for that account, and for all properties and views in the account.

Google Tag Manager

When you link a Tag Manager account to an organization, User admins don't inherit specific permissions, but they can:

  • View users in the account and its containers
  • Remove users from the account and its containers
Google Optimize

When you link an Optimize account to an organization, User admins don't inherit specific permissions, but they can:

  • View users in the account and its containers
  • Remove users from the account and its containers
Billing admin

Billing admins handle all billing-related functions, including issuing requests to link product accounts, setting the service level for product accounts, and viewing bills. Billing admins can also set the service level (from standard to 360) for objects in product accounts.

They cannot assign themselves permissions for the linked product accounts.

User

Users have access to Organization settings (Administration > organization > Organization settings) if they are administrative users for product accounts.

Users can link product accounts to the organization if they also have administrative permissions for the product accounts.

When you link a product account to an organization, any users who have access to that product account are automatically added to the organization with the default role of User.

Any organization user is able to create a new Analytics, Tag Manager, or Optimize account and link that new account to the organization during the creation process. Those new product accounts are subject to the original terms of service that you agreed to for the original account.

Google representative

Internal Google users are assigned this role when they are added to client organizations. You cannot assign this role, but may see it listed for users under Admin Roles in the user-details pane.

Sales Partner

Sales Partners who are Org admins or Billing admins for an organization are automatically assigned the Sales Partner role for any client organizations added as children. You cannot assign this role, but may see it listed for users under Admin Roles in the user-details pane.

Based on the roles you assign, users can perform different tasks related to the organization.

Tasks per user role
  Org admin Billing admin User admin User Google representative Sales Partner
Product access / Task  
Organization settings Y Y Y N Y Y
Link Google+ page to organization Y Y N N Y Y
Change organization name Contact your Google representative.
Link existing product accounts to organization (requires administrative access to product account) Y Y Y Y Y Y
Link new product accounts to organization during account creation (within Analytics, Tag Manager, or Optimize interface) Y Y Y Y Y Y
Upgrade service level to 360 Y Y N N Y Y
Downgrade service level to standard Contact your Google Marketing Platform Account Manager.
Add/remove organization and product-account users, set permissions Y N Y N Y Y*
Assign the Org admin role to other users Y N N N N N
Assign organization admin roles Y N Y N Y Y*
Modify billing Y Y N N N N
View change history Y Y N N N N

* Sales Partners are able to carry out these tasks only until an Org admin is assigned to the organization.

Inherited vs. direct Analytics permissions

Inherited permissions are Analytics permissions that are inherited by organization users, for example, when an Analytics account is linked to an organization.

Direct permissions are Analytics permissions that are explicitly granted via the controls in Administration.

When you link an Analytics account to an organization, Org admins and User admins in that organization inherit the Manage Users permission for that Analytics account. Note that even though the switch for the permission is turned off, there is still a checkmark present to indicate that the user has the permission.

To see this information for a user, click Administration > Organizations > organization > Users > user name > Analytics > Analytics account permissions (last column).

If you have only inherited permissions for an Analytics account, you do not have access to that account from Google Marketing Platform or from the universal picker in Analytics.

Google Marketing Platform uses this approach in order to initially limit the number of Analytics accounts that are visible to Org admins and User admins so that the only accounts visible are the ones in which they have a compelling interest. For example, in a large organization with hundreds of Analytics accounts, an Org admin might have a compelling interest in only a few of those accounts.

To grant access to those Analytics accounts via Google Marketing Platform and the universal picker in Analytics, you need to grant direct permissions via the controls in Administration:

  1. Click Administration > Organizations > organization > Products > Analytics > Analytics account > Account users > user name.
  2. Set the necessary Analytics permissions for the user at the account, property, and/or view level.
Was this helpful?
How can we improve it?