Assign specific admin roles

If you don't want to give a user full access to the Google Admin console, you can let them perform only a subset of administrative tasks. Do this by assigning an admin role. You can assign more than one admin role to a user.

You can also assign an admin role to a group or service account, rather than a user. For example, you can use a service account admin to create and update groups and group memberships with applications outside of the Admin console using the Cloud Identity Groups API. 

How administrator roles work

In the Admin console, admins can only view information and perform tasks that their role's privileges allow. For example, if you assign the prebuilt User Management Admin role to someone, they can only view and modify specific user settings for people who aren’t admins.

How role assignment limits work

You can set any role to apply across all of your organizational units. For these roles, you can make up to 1000 total assignments, regardless of the number of roles. For example, you could assign one role to 300 users and another role to 700 users.

You can apply some roles to organizational units instead. For these roles, you can make up to 1000 total assignments for each organizational unit, regardless of the number of roles. To see if you can apply a role to organizational units, go to the user's role assignment page and next to All organizational units, look for Edit. Examples include the User Management Admin prebuilt role or a custom role that has at least one User privilege.

If you still need to assign more than 1000 roles, you can add multiple members to a group and assign a role to the group. A role assignment to a group counts as one assignment, regardless of the number of members.

Before you begin

Step 1: Review any prebuilt or custom roles already used

You must be signed in as a super administrator for this task.
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Account and then Admin roles.
  3. Point to the role and then View privileges or View admins to see the admins assigned to the role.

Step 2: Decide on the type of role

Decide whether you want to:

Assign roles


You must be signed in as a super administrator for this task.

You can assign a role to users and groups at the same time by following either procedure for assigning a role to several users or to a group.

Assign roles to one user

To assign one user the Groups Reader or Groups Editor role with privileges limited to security or non-security groups, or to locked or unlocked groups, go to Assign a role to several users at once.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Directory and then Users.
  3. Find the user in the list.

    For tips, go to Find a user account.

  4. Click the user’s name to open their account page.
  5. Scroll down and click Admin roles and privileges.
  6. Next to the prebuilt or custom role, click Turn on.

    If you don’t see Turn on, click anywhere under Roles to reveal the switches.

  7. (Optional) To restrict the admin's role to a specific organizational unit, next to All organizational units, click Edit, select the organizational units, and click Done.

    If you don’t see Edit, you cannot apply the role to organizational units.

  8. Click Save.

Tips:

  • In the Privileges section, you can see all the user's privileges from all admin roles they’re assigned to.
  • To return to the user’s account page, at the top right, click the Up arrow.

Assign a role to several users at once

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Account and then Admin roles.
  3. Point to the role that you want to assign and on the right, click Assign admin.

    Tip: You can switch between admins you’re assigning to the role and the privileges. At the top, click Admins or Privileges.

  4. Click Assign members.
  5. (Optional) For the Groups Reader or Groups Editor role, you can give the admin privileges only to security or non-security groups, or only to locked or unlocked groups. To limit the privileges:
    1. Click Set conditions.
    2. Select an option to give the admin privileges only to:
      • Security groups—Select Label contains “Security.”
      • Non-security groups—Select Label doesn’t contain “Security.”
      • (Beta) Locked groups—Select Label contains “Locked.”
      • (Beta) Unlocked groups—Select Label doesn’t contain “Locked.”
    3. Click Save.
  6. Enter the first few letters of the user's email address (not username) and select the user’s address from the options.

    You can assign a role to up to 20 users and groups at a time.

  7. Click Assign Role.
  8. (Optional) To restrict the admin's role to a specific organizational unit, next to All organizational units, click Edit, select the organizational units, and click Done.

    If you don’t see Edit, you cannot apply the role to organizational units.

Assign a role to a group

Assigning roles to groups lets you give role privileges to a large number of users.

You manage groups with assigned roles in the same way as any other groups. For information, see Groups.

Limitations on group role assignment

  • You can assign any role except Super Admin or Reseller Admin.
  • The group must be a security group in your organization that isn’t also a dynamic group. To learn about security groups, go to Control access to sensitive data with security groups.
    To see if a group is a dynamic group, in the Admin console, click Groups and then the group name. Go to Members and if you see Dynamic members or Edit membership query, the group is a dynamic group.
  • Assigning a role to a group counts as one assignment toward your role assignment limit.
  • You can make up to 250 role assignments to groups in total at the overall organization level and within each organizational unit.
  • To assign a role to many groups and stay under the limit, pick one group needing the role to be the parent group and add the other groups needing the role as members of the parent. Then, assign a role to the parent group. This assignment counts as one role assignment while allowing all of the child groups to receive the role. For details, see Add a group to another group.
  • In some cases, group members might not get all an assigned role’s privileges. For example, if you assign a group a role that includes the Manage Google Meet hardware and calendars privilege, group members might not get all functionality associated with that privilege. The members do get any other privileges included with the role.
  • If you assign a group the Reseller Admin role, group members get the role’s privileges in the reseller’s organization only. They don’t get privileges over any of the reseller’s customers.
  • We recommend restricting group membership to users in your organization. You can add users from outside your organization or consumer users, but they might not get the role privileges. For details, see Restrict group membership.
  • The standard group membership limits apply. For details, see Membership.
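
The limits described under "How role assignment limits work" and in the list above can be checked before a bulk assignment. The following is an added example, not Google's code: the field names (assigneeType, scopeType, orgUnitId) are assumed to follow the Admin SDK Directory API RoleAssignment resource, and every sample row, role ID, and org unit ID is constructed.

```python
from collections import Counter

# Limits stated on this page.
MAX_PER_SCOPE = 1000        # all role assignments in one scope
MAX_GROUPS_PER_SCOPE = 250  # role assignments to groups in one scope
ALL_OUS = "ALL_ORG_UNITS"   # label used here for organization-wide scope


def scope_of(assignment):
    """Return the org unit ID for OU-scoped assignments, else ALL_OUS."""
    if assignment.get("scopeType") == "ORG_UNIT":
        return assignment["orgUnitId"]
    return ALL_OUS


def audit_limits(assignments, warn_ratio=0.9):
    """Count assignments per scope and report headroom against both limits."""
    total, groups = Counter(), Counter()
    for a in assignments:
        scope = scope_of(a)
        total[scope] += 1  # a group counts once, whatever its member count
        if a.get("assigneeType") == "group":
            groups[scope] += 1
    report = {}
    for scope in total:
        findings = []
        if total[scope] >= warn_ratio * MAX_PER_SCOPE:
            findings.append("near total limit")
        if groups[scope] >= warn_ratio * MAX_GROUPS_PER_SCOPE:
            findings.append("near group limit")
        report[scope] = {
            "total": total[scope],
            "groups": groups[scope],
            "remaining": MAX_PER_SCOPE - total[scope],
            "group_remaining": MAX_GROUPS_PER_SCOPE - groups[scope],
            "findings": findings,
        }
    return report


def sample_assignments():
    """Constructed data: 950 users and 10 groups org-wide, 230 groups in one OU."""
    rows = [{"roleId": "r-users", "assignedTo": f"u{i}", "assigneeType": "user",
             "scopeType": "CUSTOMER"} for i in range(950)]
    rows += [{"roleId": "r-groups", "assignedTo": f"g{i}", "assigneeType": "group",
              "scopeType": "CUSTOMER"} for i in range(10)]
    rows += [{"roleId": "r-users", "assignedTo": f"og{i}", "assigneeType": "group",
              "scopeType": "ORG_UNIT", "orgUnitId": "ou-sales"} for i in range(230)]
    return rows


if __name__ == "__main__":
    for scope, row in audit_limits(sample_assignments()).items():
        print(scope, row)
```

A scope that reports "near total limit" is a candidate for consolidating individual user assignments into one security group assignment, as described above.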

Assign a role

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Account and then Admin roles.
  3. Point to the role that you want to assign and on the right, click Assign admin.

    Tip: You can switch between admins you’re assigning to the role and the privileges. At the top, click Admins or Privileges.

  4. Click Assign members.
  5. (Optional) For the Groups Reader or Groups Editor role, you can give the admin privileges only to security or non-security groups, or only to locked or unlocked groups. To limit the privileges:
    1. Click Set conditions.
    2. Select an option to give the admin privileges only to:
      • Security groups—Select Label contains “Security.”
      • Non-security groups—Select Label doesn’t contain “Security.”
      • (Beta) Locked groups—Select Label contains “Locked.”
      • (Beta) Unlocked groups—Select Label doesn’t contain “Locked.”
    3. Click Save.
  6. Enter the first few letters of the group’s email address or name and select the address from the options.

    You can assign a role to up to 20 groups and users at a time.

  7. Click Assign Role.
  8. (Optional) To restrict the admin's role to a specific organizational unit, next to All organizational units, click Edit, select the organizational units, and click Done.

    If you don’t see Edit, you cannot apply the role to organizational units.

Assign a role to a service account

You can assign any prebuilt or custom role except Super Admin to a service account. Assigning a role to a service account counts toward your role assignment limit.

Before you begin: Set up a service account in Google Cloud. Go to Creating and managing service accounts.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Account and then Admin roles.
  3. Point to the role that you want to assign and then click Assign admin.
  4. Click Assign service accounts.
  5. (Optional) For the Groups Reader or Groups Editor role, you can give the admin privileges only to security or non-security groups, or only to locked or unlocked groups. To limit the privileges:
    1. Click Set conditions.
    2. Select an option to give the admin privileges only to:
      • Security groups—Select Label contains “Security.”
      • Non-security groups—Select Label doesn’t contain “Security.”
      • (Beta) Locked groups—Select Label contains “Locked.”
      • (Beta) Unlocked groups—Select Label doesn’t contain “Locked.”
    3. Click Save.
  6. Enter the email address of the service account.

    To find the email address, open the Google Cloud console and click Menu and then IAM & Admin and then Service Accounts.

  7. Click Add and then Assign role.

What happens next? 

In the Admin audit log, you can see when an admin role was applied to a service account and a record of actions performed by service account admins. For details, go to Admin log events.

If you applied the Groups Admin prebuilt role to a service account, you can also see actions in the Enterprise groups audit log. The service account admin might be listed under Event Description or User. For details, go to Group Enterprise log events.

Related topic

After you assign a role, when the user next signs in, they arrive at the Admin console Home page. Changes can take up to 24 hours but typically happen more quickly. Learn more

Unassign roles


You can’t unassign a role from yourself.

Unassign a user’s role

To unassign a role from a user, follow all of the steps above in Assign roles to one user. In step 6, instead of turning on the role, click Turn off.

Unassign multiple roles or service account roles

Unassign a role from multiple users or a service account on the Admin roles page.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Account and then Admin roles.
  3. Point to the role that you want to unassign and on the right, click Assign admin.
  4. Choose an option:
    • Next to each user or service account you want, check the box.
    • To unassign the role from all users and service accounts, next to the Admin column heading, check the box.
  5. Click Unassign role and then Unassign Role to confirm.

Next steps 

Administrators can add recovery options to their account.
