Inherited permissions

Direct vs Inherited Permissions

In Google Marketing Platform there are two types of permissions:

  • Direct permissions are assigned to users directly by product administrators.

    For example, an Analytics user who has the Manage Users permission can assign the Edit permission directly to other users.
  • Inherited permissions can be assigned via:
    • Another direct permission in the same product. For example, the Edit permission in Analytics includes the Collaborate and Read & Analyze permissions.
    • Membership in a user group. Any permissions assigned to the group are inherited by all group members. User groups also inherit permissions from the groups to which they belong.
    • Being an Org admin. When you link a product account to an organization, Org admins are automatically given some user-management permissions/capabilities for that product.

Effective permissions are the sum of direct permissions and inherited permissions a user has for all Google Marketing Platform products.

Ways to inherit permissions

From other product permissions

Google Analytics

In Analytics, you can assign permissions at the account, property, and view levels. Permissions assigned at the account level are inherited by the properties and views in that account. Permissions assigned at the property level are inherited by the views for that property.

For example, a user has the following direct permissions:

  • Account level: Manage Users
  • Property level: Read & Analyze

As a result, that user also has the following inherited permissions:

  • Property level: Manage Users (inherited from account level)
  • View level: Manage Users (inherited from account level), Read & Analyze (inherited from property level)

If you have only inherited permissions for an Analytics account, you do not have access to that account from Google Marketing Platform or from the account switcher in Analytics.

Google Marketing Platform uses this approach in order to initially limit the number of Analytics accounts that are visible to Org admins and User admins so that the only accounts visible are the ones in which they have a compelling interest. For example, in a large organization with hundreds of Analytics accounts, an Org admin might have a compelling interest in only a few of those accounts.

To grant access to those Analytics accounts via Google Marketing Platform and the account switcher in Analytics, you need to grant direct permissions via the controls in Administration:

  1. Click Administration > Organizations > organization > Products > Analytics > Analytics account > Account users > user name.
  2. Set the necessary Analytics permissions for the user at the account, property, and/or view level.

Learn more about permissions in Analytics

Google Tag Manager

In Tag Manager, you can assign permissions at the account and container levels.

Users who have Admin permission at the account level inherit Read permission for all containers in that account. (They can assign themselves additional permissions.)

Users who have User permission at the account level do not inherit any container permissions. Permissions must be assigned for each container.

Learn more about permissions in Tag Manager

Google Optimize

In Optimize, you can assign permissions at the account and container levels.

Users who have Admin permission at the account level inherit Create and View permissions for all containers in that account.

Users who have User permission at the account level do not inherit any container permissions. Permissions must be assigned for each container.

If you assign a user direct permission to a container, then that user inherits User permission at the account level.

If you create a container, you have all permissions for that container.

Learn more about permissions in Optimize

From user-group permissions

If your product account is linked to a Google Marketing Platform organization, then you can create user groups and assign them permissions. Direct and inherited permissions for groups work similarly to the way they work for users: a group has any permissions you assign to it directly, it inherits permissions from any group to which it belongs, and it inherits product permissions (e.g., if you assign it Edit permission for an Analytics account then it also has Edit permission for the properties and views in the account).

When you add a user to a group, that user inherits all of the group's permissions.

Learn more about user groups

By having organization roles

You can add users directly to Google Marketing Platform organization, and assign them user roles and add them to user groups.

In an organization:

  • The Org admin role has full permissions for the organization, including the User admin role.
  • The User admin role inherits user-management permissions/capabilities for the product accounts you link to the organization. User admins can assign themselves additional permissions in product accounts.

When you link your product to a Google Marketing Platform organization, product users inherit the organization role of User.

Google Analytics

When you link an Analytics account to an organization, Org admins and User admins inherit Manage Users permission for that account, and for all properties and views in the account.

Google Tag Manager

When you link a Tag Manager account to an organization, Org admins and User admins don't inherit specific permissions, but they can:

  • View users in the account and its containers
  • Remove users from the account and its containers

Google Optimize

When you link an Optimize account to an organization, Org admins and User admins don't inherit specific permissions, but they can:

  • View users in the account and its containers
  • Remove users from the account and its containers

How to remove a user with inherited permissions

In order to remove a user's access to a product account, you must remove both the user's direct and inherited permissions.

To remove direct permissions, go to the user's permissions page in the organization or product account and remove those direct permissions.

To remove permissions inherited from an account (like inherited permissions for an Analytics property or Optimize container), go to the user's permissions page and remove those direct permissions.

To remove permissions inherited from a group, you can either remove the user from the group, or remove the specific permissions from the group. You have to do this for each group that grants the user permissions.

To remove permissions inherited as an Org admin or User admin, go to the Organization administrators page in Google Marketing Platform Home and change the organization roles.

To determine which inherited permissions a user has, go to the user's permissions page to see how the permissions were inherited.

Was this helpful?
How can we improve it?