As your organization’s administrator, you can assign a user to a custom administrator role so they can perform management tasks for an organizational unit. For example, you might want to grant the Chrome Management privilege to a user so they can assign devices to users only in the Sales organizational unit.
Before you begin
You can assign only certain privileges to a custom role for an organizational unit. If you grant any other privileges to the custom role, you can’t limit the role for use with an organizational unit.
You can assign the following privileges:
- Organizational Units
- Users
- Mobile Device Management (beta)
- Chrome Management
- User Security Management
- Shared device settings
Note: The Shared device settings privilege is available only if you select the Manage all common device configurations role. It isn't available if you select the Parent privilege for Managing all common device configurations role.
For details on each of the privileges, go to Administrator privilege definitions.
If you use the Google Vault archiving and eDiscovery service, your custom role can also grant any of these privileges:
- Manage Matters
- Manage Holds
- Manage Searches
- Manage Exports
For details on each of the privileges, go to Understand and grant Vault privileges.
Important: If you want to include any other privileges later, you first need to remove all users from the role. After you add any other privileges, the custom role can be used for anyone in your organization, not just for an organizational unit.
Create and assign the role
- Go to Create a custom role and follow the steps. Ensure that the role only includes privileges that apply to organizational units (see Before you begin).
- Click Assign role.
- Add a user that you want to assign to the role.
- Next to the user, click the organizational unit.
- Select the organizational unit and click Done.
- Click Assign Role.
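The check in the first step and the rule under Before you begin can be run over exported role data before anyone is assigned. The following is an added example, not Google's code: it audits constructed records whose field names are modeled on the Admin SDK Directory API Role and RoleAssignment resources, and it uses this page's privilege display names rather than API privilege identifiers (an assumption).

```python
"""Added example: audit constructed role records against the OU-scoping rule."""
# Privilege names are the page's display labels (assumption), not API identifiers.
# All sample records below are constructed for illustration.

OU_SCOPABLE = {
    "Organizational Units", "Users", "Mobile Device Management",
    "Chrome Management", "User Security Management", "Shared device settings",
}
VAULT_SCOPABLE = {"Manage Matters", "Manage Holds", "Manage Searches", "Manage Exports"}

ROLES = [
    {"roleId": "1001", "roleName": "Sales Chrome admin",
     "rolePrivileges": [{"privilegeName": "Chrome Management"}, {"privilegeName": "Users"}]},
    {"roleId": "1002", "roleName": "Sales helpdesk",
     "rolePrivileges": [{"privilegeName": "Users"}, {"privilegeName": "Groups"}]},
]
ASSIGNMENTS = [
    {"roleId": "1001", "assignedTo": "user-a", "scopeType": "ORG_UNIT", "orgUnitId": "ou-sales"},
    {"roleId": "1002", "assignedTo": "user-b", "scopeType": "CUSTOMER"},
]


def audit_role(role, assignments, uses_vault=False):
    """Report whether a role can be limited to an OU and who currently holds it."""
    allowed = OU_SCOPABLE | (VAULT_SCOPABLE if uses_vault else set())
    privileges = {p["privilegeName"] for p in role["rolePrivileges"]}
    blocking = sorted(privileges - allowed)  # privileges that prevent OU scoping
    mine = [a for a in assignments if a["roleId"] == role["roleId"]]
    return {
        "role": role["roleName"],
        "can_limit_to_ou": not blocking,
        "blocking_privileges": blocking,
        "org_wide_assignees": sorted(a["assignedTo"] for a in mine if a["scopeType"] == "CUSTOMER"),
        "ou_limited_assignees": sorted(a["assignedTo"] for a in mine if a["scopeType"] == "ORG_UNIT"),
        # Page rule: all users must be removed before other privileges are added.
        "must_remove_users_before_widening": bool(mine),
    }


def audit_all(roles, assignments, uses_vault=False):
    return [audit_role(r, assignments, uses_vault) for r in roles]


if __name__ == "__main__":
    for finding in audit_all(ROLES, ASSIGNMENTS):
        print(finding)
```

A role reported with `can_limit_to_ou` false and a non-empty `org_wide_assignees` list is one whose holders act across the whole organization, which is the outcome the Important note describes.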