Ambassador privilege definitions

When you lot assign an admin role to a user in the Google Admin console, you lot grant them ambassador privileges and access to the Admin panel.

The part'south privileges determine the admin'southward controls in the Admin console, information they tin can access, and tasks they tin can perform. Admins can also perform respective actions in the Admin API.

Assign roles at present Create a custom role

Administrator privileges

* Note: Some privileges, such as Jamboard Management, are available but with sure editions of Google Workspace, hardware, or user licenses.

Admin settings privileges Services privileges
  • Admin API
  • Domain Settings
  • Groups
  • Organizational Units
  • Reports
  • Security
  • Back up
  • Users
  • Service Settings
  • Alert Center
  • App Maker
  • Calendar
  • Chrome Direction *
  • Classroom
  • Cloud Search *
  • Contacts
  • Currents
  • Data Loss Prevention (DLP) *
  • Information Security
  • Directory settings
  • Directory Sync
  • Drive and Docs
  • Gmail
  • Google Chat and classic Hangouts
  • Google Cloud Impress
  • Google Data Studio
  • Google Hangouts
  • Google Run across
  • Google Meet hardware *
  • Google Vault *
  • Google Voice
  • Groups for Business concern
  • Jamboard
  • Jamboard Direction *
  • Managed Google Play (also listed as "Google Managed Play")
  • Mobile Device Direction
  • Password Vault *
  • Pinpoint
  • Secure LDAP *
  • Security Center *
  • Shared device settings
  • Sites
  • Work Insights *
  • YouTube

Settings privileges

Expand section  |  Collapse all & go to top

Admin API

Granting privileges to an admin in the Admin console gives them corresponding rights in the API. For case, granting the privilege to create users in the Admin panel also lets admins create users using the API. Also, updating Admin API rights updates respective privileges in the Admin panel.

To grant privileges in the Admin console without allowing admins to perform actions in an API, turn off API access for your account. For details, go to Manage admission to Google services: Restricted or Unrestricted.

The Admin API privilege allows the Google Workspace Admin API to perform actions on:

  • Organizational Units
  • Users
  • Groups
  • User Security Management
  • Information Transfer—Super admins or services admins tin transfer ownership of users' Bulldoze files using the Admin console. Admins likewise demand the Drive Services privilege to access the Transfer ownership setting in the console. None of these actions can be limited to specific organizational units.
    Notation: Merely super admins tin can transfer file buying when deleting a user.
  • Schema Management—Super admins or services admins can create schemas to ascertain custom fields for their domain, such as user projects, locations, or rent dates.
    Annotation: To view schemas in the Admin console Users field, you lot must be assigned either Schema Management or Schema Read privileges.
  • License Management—Super admins tin assign and manage Google Workspace licenses for the arrangement, an organizational unit, a group of users, or an individual user. Annotation: This privilege works only in the Admin console and authorizes only super admins to utilize the License Manager API.
  • Billing Management
  • Domain Management—Admins tin can add or remove domains and set upwardly domain aliases.
  • Domain Allowlist Direction—Admins can create and manage the allowlist of trusted domains that can share files with your arrangement.
  • Domain Allowlist Read—Admins tin view the allowlist of trusted domains that tin can share files with your arrangement.
  • Add security label to a group—Admins can define groups that control access to sensitive information and resource. For details see Updating a Google Group to a security grouping.

If yous create a custom part, y'all can bank check the box next to the privilege to allow using the API to perform all actions on that object. Or, click individual actions (such every bit Create or Read) to let merely selected deportment.

Domain Settings

Admins with the Domains Settings privilege tin:

  • Alter the organization name, language, logo, and time zone.
  • Delete your Google Workspace or Cloud Identity Account.
  • View billing for your Google Workspace or Cloud Identity Account.
  • Add and remove domains and domain aliases.
  • Map a custom URL to a site in Google Sites.
  • Update contact information for password recovery.
  • Manage your characteristic release process.
  • Choose the types of email you get from Google. For details, run across Cull your Google Workspace notifications preferences.

These actions can't be limited to specific organizational units.

Groups

Admins with the Groups privilege accept full control over groups created in your Admin console. Likewise grants the corresponding Admin API privileges (above).

Administrators with this privilege can:

  • View user profiles and your organizational structure.
  • Create, manage, and delete groups in the Admin console.
  • Manage grouping admission settings.
  • Turn on services for admission groups (also requires privileges for Organizational Units and Services). For details, run into Customize service settings with configuration groups.

These actions tin't be limited to specific organizational units.

Tip: To let admins view the groups a user belongs to but not edit them, give them the Groups and then Read API privilege.

Organizational Units

Admins with this privilege can manage your account'due south organizational structure from the Users page in their Admin console. Also grants the corresponding Admin API privileges (above).

Organizational Units privileges:

  • Read
  • Create
  • Update
  • Delete

The Create, Update, or Delete privileges automatically grants the Read privilege.

Yous can permit admins to perform deportment on all users in your business relationship or only on users in specific organizational units. For details, go to Assign specific admin roles.

Reports

Admins take access to usage reports and audit logs. For details, become to Reporting overview.

Admins with the Reports privilege can:

  • View graphs showing service use.
  • Rails user activities such every bit document edits.
  • Rails changes made by other admins in the Admin console.

These deportment tin't exist limited to specific organizational units.

Security

User Security Management

Note: But super admins tin see another admin's security settings.

Admins tin manage security settings for individual users. They tin only manage users who don't have admin privileges. Also grants the corresponding Admin API privileges (above).

On a person's Users folio, admins with the User Security Management privilege tin:

  • Disable 2-Step Verification. Only super administrators can enforce 2-Step Verification for the entire organization.
  • Disable the sign-in challenge for 10 minutes.
  • Review and revoke security keys.
  • Review and revoke app passwords.
  • Reset sign-in cookies (not for reseller admins).
  • Review and revoke any 3-legged OAuth tokens the user granted to third-party apps.

All of these deportment can be limited to specific organizational units, except enforcing or disabling 2-Step Verification.

Security Settings

  • Allow less secure apps to access accounts
  • Monitor user passwords
  • Fix single sign-on (SSO) and authentication

Assuasive less secure apps to admission accounts is the merely action that can exist express to specific organizational units.

Support

Admins with the Back up privilege can use phone, chat, and electronic mail options to contact Google Workspace support. They tin can also file cases in the Google Customer Care Portal.

The ability to contact Google Workspace support can't be limited to specific organizational units.

Users

Admins with the Users privilege tin can perform deportment on users. Only super admins can alter some other admin's settings. Too grants the respective Admin API privileges (above).

  • Create
  • Read
  • Update
    • Move users
      Note: Simply super admins can employ the Transfer tool to transfer unmanaged user accounts to Google Workspace managed user accounts.
    • Append users
    • Rename users
    • Reset countersign
    • Force countersign change
    • Add together/remove aliases
  • Delete

The Create privilege automatically grants Read and Update privileges. Update or Delete privileges automatically grant Read privilege.

You tin let admins perform actions on all users in your account or only users in specific organizational units. For details, go to Brand a user an admin.

Tip: To let admins view a user's groups but not edit them, requite them the API privilege past clicking Groups and then Read API privilege.

Services privileges

Aggrandize department  |  Collapse all & get to top

Service Settings

The Service Settings privilege does not automatically grant privileges to some services and settings, for example, Google Vault or Data Security.

Admins with the Service Settings privilege can turn services on or off and change service settings. Applies to certain products you lot've added to your account (Google Workspace services, such as Agenda, and Drive), Marketplace apps, and Google services, such as YouTube and Blogger.

These deportment can't be express to specific organizational units.

Alarm Center

This privilege is automatically selected with the Service Settings privilege.

For description of privileges and recommendations for creating roles, become to Grant admission to the alert center.

App Maker

Calendar

This privilege is automatically selected with the Service Settings privilege.

Admins with the Agenda privilege can create, edit, and delete resources. They can't modify the sharing settings of Google Agenda resources.

Calendar management rights:

  • All Settings—Admins tin access and manage sharing settings, resources, the Room Insights Dashboard, and general settings.
  • Buildings and Resources—Admins can create, edit, and delete calendar resources and access the Room Insights Dashboard.
  • Room Insights—Admins tin view, set filters, and adapt the date range on the Room Insights Dashboard.
  • Manage—Allows the admin to create, edit, and delete Calendar resources, buildings, and resource features.

Note: Admins tin't limit these actions to specific organizational units.

Chrome Management

This privilege is non automatically selected with the Service Settings privilege.

Admins can manage your system's Chrome devices and policies, including:

  • User settings
  • Device settings
  • Chrome and Managed Google Play apps and extensions on Chrome devices

For more information, go to Delegate administrator roles in Chrome.

Classroom

This privilege is automatically selected with the Service Settings privilege.

Admins with the Classroom privilege can turn this service on or off for users. They tin also:

  • Set up teacher permissions and guardian admission.
  • Choose who can join classes and which ones they tin can join.
  • Command how users access their Classroom information.
  • Consign grades and assignments from Classroom to their school'southward information system.

Cloud Search

This privilege is automatically selected with the Service Settings privilege.

Admins with the Cloud Search privilege can:

  • Grant user access to Google Cloud Search.
  • Plow the service on or off.
  • View reports on how the organization uses Cloud Search, including the number of search queries from different types of devices and the number of agile users.
  • Manage settings for third-party repositories, such every bit settings for data sources, identity sources, and search applications. Admins besides have read or write access for indexing.

Learn nearly creating a Deject Search administrator role for a developer.

Contacts

This privilege is automatically selected with the Service Settings privilege.

Contact delegates are users that have permission to access and manage contacts for some other user. Admins with the Contacts privilege can view, create, or delete delegates for a given user using the Contact Delegation API:

  • Delegates Read - Admins can use the API to list delegates for a specific user. Equivalent to the OAuth telescopic https://www.googleapis.com/auth/admin.contact.delegation.readonly.
  • Delegates Write - Admins tin can apply the API to create or delete delegates for a specific user. Equivalent to the OAuth scope https://world wide web.googleapis.com/auth/admin.contact.delegation.

Currents

Only the Settings privilege is automatically selected with the Service Settings privilege.

Admins privileges for Currents

  • Settings—Manage settings for Currents
  • Batch-add user groups to communities—Admins can add users directly to Currents communities.
  • Access tools to manage streams, tags, and leaders—Moderate content on Currents. Acquire more

Data loss prevention (DLP)

Only theView DLP rule privilege is automatically selected with theService Settingsprivilege.

DLP privileges:

  • View DLP rule—Admins can view but not modify or create DLP rules.
  • Manage DLP rule—Admins can view, alter, and create DLP rules.

You must enable both of these privileges to have complete admission for creating and editing rules. We recommend you create a custom role that has both privileges.

Information Security

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege can manage the organization's context-aware access policies. Admins can control the apps a user can access based on their context, such every bit their location or whether their device complies with your organization's policies.

Data Security management rights:

  • Access level management—Admins can create access levels.
  • Rule management—Admins tin plow on or off context-aware access and to assign admission levels to apps.

Directory settings

This privilege is automatically selected with the Service Settings privilege.

Admins tin manage settings and control Directory profile changes to let users make changes to their profile, including their name, photo, gender, and altogether

Directory Sync

This privilege is not automatically selected with the Service Settings privilege.

Directory Sync privileges:

  • Manage Directory Sync Settings—Add together, update, and manage Directory Sync settings.
  • Read Directory Sync Settings—View, but not alter, Directory Sync settings.

For more than data, go to Directory Sync.

Bulldoze & Docs

This privilege is automatically selected with the Service Settings privilege.

Google Drive and Docs direction rights:

  • Settings—Admins tin can manage all settings for your system'due south Drive and Docs services. You need this privilege and the Information Transfer privilege to transfer ownership of Drive files. For details, go to Transfer Drive files to a new owner.
  • Docs Templates—Admins tin can remove and categorize templates in the Docs, Sheets, Slides, and Forms template galleries and in the Bulldoze and Docs section of the Admin console. When template submission is set to Moderated in the Admin Console, admins can have or turn down template submissions. When submission is set to Restricted, admins can add together templates to the gallery. For details, become to Create custom Drive templates.
  • Move any file or binder into shared drives—Admins tin can move files and folders into shared drives in your organization. However, admins can't motility files and folders from one shared drive to another shared drive. Acquire more than about shared drives access levels
  • Manage Metadata Categories—Admins can create custom metadata categories for Drive files and folders. Drive metadata is currently in Beta, and the Help is non yet bachelor in all languages. For details, go to Manage Drive metadata (beta).
  • View details of new Google Sites—Admins can identify the owner of a site, see the date the site was last published, and request edit admission to the site.
  • Manage Classic Google Sites—Admins can apply the Classic Sites Manager to view, manage, and migrate all of your arrangement'due south Classic Google Sites. Learn more

Gmail

Only the Settings privilege is automatically selected with the Service Settings privilege.

Gmail management rights:

  • Settings—Manage all Gmail settings for your organization.
  • Email Log Search—Search the log, troubleshoot delivery, and investigate security issues associated with emails.
  • Access Admin Quarantine—Admission and manage emails in all quarantines, including the default quarantine.
  • Admission restricted quarantines—Access and manage emails just in quarantines associated with groups the admin belongs to.

Google Chat and classic Hangouts

This privilege is automatically selected with the Service Settings privilege.

Admins can read and modify settings for Google Chat, such as saving conversations and allowing conversations with people outside or your organisation

Google Cloud Impress

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege tin can prepare upwards and manage Google Cloud Print services for their system, including printing from:

  • Chrome devices and Chrome Browser on Windows, Mac, and Linux computers
  • The mobile version of Google Workspace services, such as Gmail
  • Third-party native mobile apps

For details, become to Impress from Chrome.

Google Data Studio

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege tin can manage Google Information Studio settings, including viewing, sharing, and customizing dashboards and reports. Acquire more about Data Studio.

Google Hangouts

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege tin:

  • Manage settings
  • Access the quality dashboard for Hangouts. For details, become to Track meeting quality and statistics.

Google See

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can:

  • Manage settings
  • Access the quality dashboard for Google Meet. For details, run into Track coming together quality and statistics.

Google Run into hardware

This privilege is not available unless your business relationship has at least one Google Meet hardware license or enrolled device.

Admins tin can create user roles and assign privileges to specific Google Meet hardware devices with or without Calendar privileges.

  • Users with the Google Meet hardware with Calendar privilege take full access to users' calendars. They tin can:
    • Read existing calendar events and write new events. (Previously-created events can't be edited.)
    • Manage permissions of all calendars (principal, secondary, and resources) in the arrangement.
    • Delete whatsoever calendars in the organization.

      After you lot assign this privilege to a user, it can accept up to 24 hours for the Calendar privileges to be available.

  • The Enroll Google Encounter hardware privilege works in conjunction with the Require enrollment privilege policy. When the policy is turned on, just users with this privilege can enroll new Run into hardware devices in your organization. For details, see Enroll a device.

Google Vault

This privilege is not automatically selected with the Service Settings privilege.

Admins can view all matters and manage matters, holds, searches, exports, retentivity policies, and audits. For details, go to Understand and grant Vault privileges.

Google Voice

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege tin:

  • Manage settings and provisioning in the Admin console
  • Add locations
  • Assign numbers to users
  • Port numbers
  • Change service addresses
  • Set up desk phones
  • Fix upwards ring groups
  • Fix an machine attendant

Groups for Business concern

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can read and change settings for Groups for Business, including:

  • Who can create groups.
  • Whether people outside your organization tin view, search for, and post to your groups.
  • Default values for who can view conversations in groups.

Jamboard

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can turn the Jamboard service on or off for your arrangement. If y'all have actual licensed Jamboards, y'all'll take admission to additional settings, including:

  • Whether jam owners can be assigned without email confirmation.
  • Screensaver message and timeout value for all Jamboards.

Note: To view and manage individual Jamboards, admins need the Jamboard Management privilege.

Jamboard Management

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can perform tasks such every bit view and edit Jamboard settings and fix devices.

Managed Google Play

This privilege is not automatically selected with the Service Settings privilege.

This privilege is also listed as "Google Managed Play". Admins with this privilege can:

  • Distribute Android apps internally to users.
  • Upload individual apps to the Google Play store.
  • Use Android app packages (APKs) hosted exterior of Google Play.

Mobile Device Direction

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege have full control over devices listed in your Admin panel, and can:

  • Manage device settings and policies.
  • Perform all direction operations, such every bit approve, block, delete, and wipe devices.
  • Publish and manage mobile apps.

Password Vault

Pinpoint

This privilege is automatically selected with the Service Settings privilege.

Admins with the Pinpoint privilege tin can turn this service on or off for users. They tin can likewise set whether users tin ​​copy files from Google Drive to Pinpoint.

Secure LDAP

This privilege is non automatically selected with the Service Settings privilege.

Admins with this privilege can manage the Secure LDAP service and add or delete LDAP clients. Acquire more

Important: The Secure LDAP service is available but for administrators with Super Admin privileges—therefore, Super Admins are unable to assign Secure LDAP privileges to delegated admins. When setting upward admin roles for your users, delight ignore this setting.

Security Centre

The privilegef ull administrative rights for Security Centre is automatically selected with the Service Settings privilege.

Admins with this privilege take admission to avant-garde security information and analytics and added visibility and command into security issues affecting their organization.

Super admins take automated admission to all security center features, including the security dashboard, the security health page, and the investigation tool. Yous can give admins access to a specific security center characteristic (for case, just the security dashboard) by granting them the administrative privileges needed to admission the characteristic.

Related topics

  • Admin privileges for the security center
  • Apply the security dashboard
  • Become started with the security health folio
  • Almost the security investigation tool

Shared device settings

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege tin can manage all common device configurations. They tin can ready Virtual Private Network (VPN), Wi-Fi, and Ethernet networks for mobile, Chrome, and Chromebox for meetings devices.

Sites

This privilege is automatically selected with the Service Settings privilege.

Admins can read and modify settings for Sites, such equally whether users tin can create and edit sites, and whether sites can exist shared outside your system.

Note: Check boosted privileges for Google Sites and Classic Google Sites in the Drive and Docs privilege.

Work Insights

This privilege is not automatically selected with the Service Settings privilege.

Admins tin can access data on the Work Insights dashboard. Data is bachelor merely for teams that accept Work Insights turned on.

You lot can let users view data for all available teams or only specific teams, including organizational units, authorized groups, or teams in a manager's reporting line.

Related topics

  • Control which data is available in Work Insights
  • Grant admission to Work Insights

YouTube

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can:

  • Restrict the YouTube videos that are viewable within your organisation.
  • Prepare different YouTube admission levels (strict, moderate, unrestricted) for dissimilar organizational units.

For details, see Manage your organization'due south YouTube settings.

Was this helpful?

How can nosotros improve it?