Google Workspace | Intermediate

Managing User Permissions in Google Admin Console

Fine-tune user permissions to ensure appropriate access to resources

10 min read | Updated January 2025

Managing user permissions in the Google Admin Console is essential for maintaining security and ensuring users have appropriate access to Google Workspace resources. By assigning admin roles, you can delegate specific administrative tasks without granting full Super Admin privileges, following the principle of least privilege.

This guide explains how to assign prebuilt and custom admin roles, manage user access to services, and implement best practices for permission management in Google Workspace.

Prerequisites

Before you begin, ensure you have:

  • Super Admin access to your Google Workspace domain
  • A Google Workspace Business or Enterprise plan (custom roles require specific plans)
  • Understanding of your organization's structure and administrative needs
  • List of users who need administrative privileges

Understanding Google Workspace Admin Roles

Role Types

1. Super Admin

  • Highest level of access with full control over all features
  • Can manage billing, add/remove other Super Admins, and access all data
  • Automatically assigned to the person who registers the Google Workspace account
  • Best Practice: Limit to 2-3 trusted individuals

2. Prebuilt Admin Roles

Google Workspace includes several predefined roles for common tasks:

  • User Management Admin: Create, update, and delete users
  • Groups Admin: Manage Google Groups
  • Help Desk Admin: Reset passwords and manage user sessions
  • Services Admin: Configure Google Workspace services
  • Storage Admin: Manage Google Drive storage and settings

3. Custom Admin Roles

  • Create roles with specific privileges tailored to your organization
  • Combine individual permissions to create specialized roles
  • Limit: 750 custom roles per organization
  • Limit: 1,000 role assignments per organizational unit

Step 1: Assign a Prebuilt Admin Role

Using the Google Admin Console

  1. Log in to the Admin Console

  2. Navigate to Admin Roles

    • In the left sidebar, click Directory > Users
    • Find and click the user you want to make an admin
  3. Assign the Role

    • Click Admin roles and privileges
    • Toggle User is an admin to ON
    • Select a prebuilt role from the dropdown:
      • User Management Admin
      • Groups Admin
      • Help Desk Admin
      • Services Admin
      • Storage Admin
    • Click Save
  4. Verify the Assignment

    • The user will receive an email notification about their new admin privileges
    • They can access the Admin Console at admin.google.com with their assigned permissions

Common Prebuilt Roles and Use Cases

Role | Best For | Key Privileges
User Management Admin | HR teams managing employee accounts | Create users, reset passwords, manage groups
Groups Admin | Team leads managing distribution lists | Create/delete groups, add/remove members
Help Desk Admin | IT support staff | Reset passwords, unlock accounts, view user details
Services Admin | IT managers | Configure Gmail, Drive, Calendar settings
Storage Admin | Storage managers | Monitor Drive usage, manage quotas

Step 2: Create a Custom Admin Role

Custom roles allow you to create specialized admin permissions for unique organizational needs.

Creating a Custom Role

  1. Access Admin Roles

    • In the Admin Console, click Account > Admin roles
  2. Create New Role

    • Click Create new role
    • Name: Enter a descriptive name (e.g., "Department Manager" or "Marketing Admin")
    • Description: Add details about the role's purpose
  3. Select Privileges

    • Browse the list of available privileges organized by category:
      • Users: Manage user accounts, passwords, profiles
      • Groups: Create and manage groups
      • Organizational Units: Manage OU structure
      • Services: Configure Gmail, Drive, Calendar, etc.
      • Reports: Access audit logs and usage reports
    • Check the boxes for privileges needed for this role
  4. Review and Create

    • Click Continue to review your selections
    • Click Create to save the custom role

Example Custom Roles

Marketing Department Admin

  • Privileges:
    • Create and manage [email protected] group
    • Access marketing organizational unit settings
    • View usage reports for marketing users
    • Manage Calendar resources (conference rooms)

Regional IT Support

  • Privileges:
    • Reset user passwords
    • Unlock user accounts
    • View user profile information
    • Access email log search (for troubleshooting)
  • Scope: Specific organizational unit (e.g., "North America Office")

Step 3: Assign Custom Roles to Users

  1. Navigate to Admin Roles

    • Go to Account > Admin roles
    • Find your custom role in the list
  2. Assign Admins

    • Click on the role name
    • Click Assign admins
    • Search for and select users to assign this role
    • Click Assign
  3. Scope the Role (Optional)

    • By default, roles apply to the entire organization
    • To limit scope, select Apply this role to specific organizational units
    • Choose the organizational units where this admin has permissions
    • Click Save

Step 4: Manage Service-Level Access for Users

Admin roles control who can manage Google Workspace, but you also need to control which services users can access.

Enable or Disable Services for Users

  1. Navigate to Apps

    • In the Admin Console, click Apps > Google Workspace
  2. Select a Service

    • Click on a service (e.g., Gmail, Drive, Calendar)
  3. Configure Service Status

    • Click Service status
    • Choose the organizational unit
    • Select:
      • ON for everyone - All users can access
      • OFF for everyone - No one can access
      • ON for some organizations - Specific OUs only
  4. Save Changes

    • Click Save
    • Changes can take up to 24 hours to propagate

Example: Restrict YouTube Access

  1. Go to Apps > Google Workspace > YouTube
  2. Select the "Students" organizational unit
  3. Set service status to OFF for everyone
  4. Click Save

Step 5: Use Organizational Units for Granular Control

Organizational Units (OUs) let you group users and apply different settings, including admin permissions and service access.

Creating an Organizational Unit

  1. Navigate to Organizational Units

    • Click Directory > Organizational units
  2. Create New OU

    • Click the + button at the top
    • Name: Enter OU name (e.g., "Sales Team", "Contractors")
    • Description: Optional description
    • Click Create
  3. Move Users into the OU

    • Go to Directory > Users
    • Select users to move
    • Click More > Change organizational unit
    • Select the destination OU
    • Click Continue > Change

Assign Different Settings to OUs

Once users are in OUs, you can:

  • Apply different service access (e.g., disable Google Meet for "Interns" OU)
  • Assign OU-specific admin roles
  • Configure different security settings (e.g., 2FA requirements)

Best Practices for Managing User Permissions

Follow the Principle of Least Privilege

  • Grant users only the permissions they need to perform their job
  • Avoid assigning Super Admin unless absolutely necessary

Limit Super Admins to 2-3 Trusted Users

  • Too many Super Admins increase security risk
  • Use specialized admin roles instead

Use Organizational Units Strategically

  • Structure OUs by department, location, or job function
  • Apply service restrictions and security policies consistently

Regularly Audit Admin Role Assignments

  • Review who has admin access quarterly
  • Remove admin privileges from users who change roles or leave the organization

Enable 2-Step Verification for All Admins

  • Require 2FA for all users with admin privileges
  • Go to Security > 2-Step Verification to enforce

Use Custom Roles for Specific Tasks

  • Create targeted roles like "Password Reset Admin" or "Calendar Admin"
  • Reduce risk by limiting access to only necessary features

Document Your Role Structure

  • Maintain a record of who has what permissions
  • Include justification for each role assignment

Test Role Changes in a Staging OU

  • Create a test organizational unit
  • Verify permission changes don't break workflows before applying broadly
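
The quarterly review of role assignments can be scripted. The following is an added example, not part of the original guide or any Google tooling: it checks a snapshot of roles, users and role assignments against the practices above (Super Admin ceiling, 2-Step Verification for admins, stale assignments, cumulative roles). The records are constructed and assumed to be shaped like the Admin SDK Directory API resources returned by roles.list, users.list and roleAssignments.list; the finding names are hypothetical.

```python
from collections import defaultdict

MAX_SUPER_ADMINS = 3  # upper end of the guide's "2-3 trusted individuals"
# Constructed sample records shaped like the Admin SDK Directory API
# Role, User and RoleAssignment resources (IDs and addresses are made up).
ROLES = [
    {"roleId": "1", "roleName": "Super Admin", "isSuperAdminRole": True},
    {"roleId": "2", "roleName": "Help Desk Admin", "isSuperAdminRole": False},
]
USERS = [
    {"id": "u1", "primaryEmail": "ana@example.com", "isEnrolledIn2Sv": True, "suspended": False},
    {"id": "u2", "primaryEmail": "bo@example.com", "isEnrolledIn2Sv": False, "suspended": False},
    {"id": "u3", "primaryEmail": "cy@example.com", "isEnrolledIn2Sv": True, "suspended": True},
    {"id": "u4", "primaryEmail": "di@example.com", "isEnrolledIn2Sv": True, "suspended": False},
]
ASSIGNMENTS = [
    {"assignedTo": "u1", "roleId": "1", "scopeType": "CUSTOMER"},
    {"assignedTo": "u2", "roleId": "1", "scopeType": "CUSTOMER"},
    {"assignedTo": "u3", "roleId": "1", "scopeType": "CUSTOMER"},
    {"assignedTo": "u4", "roleId": "1", "scopeType": "CUSTOMER"},
    {"assignedTo": "u4", "roleId": "2", "scopeType": "ORG_UNIT", "orgUnitId": "ou-na"},
    {"assignedTo": "g9", "roleId": "2", "scopeType": "CUSTOMER"},  # not in USERS
]

def audit(roles, users, assignments, max_super=MAX_SUPER_ADMINS):
    """Return sorted (check, subject) findings for the guide's audit rules."""
    role = {r["roleId"]: r for r in roles}
    user = {u["id"]: u for u in users}
    held = defaultdict(list)  # assignee id -> roles held (roles are cumulative)
    for a in assignments:
        held[a["assignedTo"]].append(role[a["roleId"]])
    findings = []
    supers = [i for i, rs in held.items() if any(r["isSuperAdminRole"] for r in rs)]
    if len(supers) > max_super:
        findings.append(("too_many_super_admins", str(len(supers))))
    for uid, rs in held.items():
        u = user.get(uid)
        if u is None:  # assignee has no user record: review by hand
            findings.append(("unknown_assignee", uid))
            continue
        for check, bad in (("admin_without_2sv", not u["isEnrolledIn2Sv"]),
                           ("suspended_user_still_admin", u["suspended"]),
                           ("multiple_roles", len(rs) > 1)):
            if bad:
                findings.append((check, u["primaryEmail"]))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(ROLES, USERS, ASSIGNMENTS), sep="\n")
```

Keeping each run's output alongside the role documentation gives the next review a baseline to diff against.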

Troubleshooting

User can't access Admin Console after role assignment

  • Wait for propagation: Role assignments can take up to 24 hours
  • Verify the user signed out and back in: Permissions refresh on login
  • Check the role's privileges: Ensure the role includes "Admin console privileges"
  • Verify organizational unit scope: Role may be limited to specific OUs

Custom role missing expected privileges

  • Review the role definition: Go to Account > Admin roles > Click role name
  • Check for conflicting organizational unit settings
  • Ensure the privilege exists in your Google Workspace edition (some require Enterprise)

User has too many permissions

  • Review all assigned roles: A user can have multiple roles, granting cumulative permissions
  • Check inherited permissions from organizational units
  • Revoke unnecessary roles immediately

Changes not taking effect

  • Google Workspace can take up to 24 hours to propagate changes
  • Clear browser cache and sign out/in
  • Use an incognito window to test without cached credentials

Security Recommendations

🔒 Enable Admin Activity Audit Logs

  • Go to Reports > Audit and investigation > Admin audit log
  • Monitor who makes admin role changes

🔒 Set Up Admin Alerts

  • Go to Security > Alert center
  • Enable alerts for:
    • Super Admin role granted
    • Admin role granted
    • Suspicious login activity for admins
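
The same role-grant conditions can be checked against exported admin audit log records. This is an added example, not part of the original guide: it sorts role assignment events into the two alert types listed above and marks self-grants. The activity records are constructed; the code assumes the Reports API layout for the "admin" application, the event name ASSIGN_ROLE with ROLE_NAME and USER_EMAIL parameters, and that the Super Admin role is logged as _SEED_ADMIN_ROLE.

```python
# Role names treated as Super Admin (assumption: the system role is logged
# as _SEED_ADMIN_ROLE; adjust to what your own audit log shows).
SUPER_ADMIN_ROLES = {"_SEED_ADMIN_ROLE"}

# Constructed activity records shaped like Reports API items for the
# "admin" application; actors, targets and times are made up.
ACTIVITIES = [
    {"id": {"time": "2025-01-14T09:12:03Z"}, "actor": {"email": "ana@example.com"},
     "events": [{"name": "ASSIGN_ROLE", "parameters": [
         {"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
         {"name": "USER_EMAIL", "value": "bo@example.com"}]}]},
    {"id": {"time": "2025-01-14T10:40:51Z"}, "actor": {"email": "di@example.com"},
     "events": [{"name": "ASSIGN_ROLE", "parameters": [
         {"name": "ROLE_NAME", "value": "Regional IT Support"},
         {"name": "USER_EMAIL", "value": "di@example.com"}]}]},
    {"id": {"time": "2025-01-14T11:02:17Z"}, "actor": {"email": "ana@example.com"},
     "events": [{"name": "CHANGE_PASSWORD", "parameters": [
         {"name": "USER_EMAIL", "value": "cy@example.com"}]}]},
    {"id": {"time": "2025-01-14T11:30:00Z"}, "actor": {"email": "ana@example.com"},
     "events": [{"name": "ASSIGN_ROLE", "parameters": [
         {"name": "ROLE_NAME", "value": "Help Desk Admin"}]}]},  # target missing
]

def role_grant_alerts(activities):
    """Return one alert dict per ASSIGN_ROLE event, in log order."""
    alerts = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "unknown")
        for ev in act.get("events", []):
            if ev.get("name") != "ASSIGN_ROLE":
                continue  # only role grants are of interest here
            p = {x["name"]: x.get("value") for x in ev.get("parameters", [])}
            role, target = p.get("ROLE_NAME"), p.get("USER_EMAIL")
            kind = ("super_admin_role_granted" if role in SUPER_ADMIN_ROLES
                    else "admin_role_granted")
            alerts.append({"time": act["id"]["time"], "kind": kind, "role": role,
                           "actor": actor, "target": target,
                           # an admin assigning a role to their own account
                           "self_grant": target is not None and actor == target})
    return alerts

if __name__ == "__main__":
    for alert in role_grant_alerts(ACTIVITIES):
        print(alert)
```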

🔒 Require Admin Account Recovery Options

  • Ensure all admins have configured:
    • Recovery email address
    • Recovery phone number

🔒 Use Security Keys for Super Admins

  • Go to Security > Authentication > 2-Step Verification
  • Enforce hardware security keys (FIDO U2F) for Super Admin accounts


