Administrator privilege definitions (original) (raw)

Skip to main content

• User management

  • Overview
  • Guides

• Documentation

• Community

• Support

• Add & manage users

• Options for adding users

• Add an account for a new user

• Add or update multiple users from a CSV file

• Use a third-party tool for quick mass provisioning

• Name guidelines for users and groups

• Avoid sharing an account among users

• Request additional Education licenses

• Delete or remove a user from your organization

• Suspend a user temporarily

• Restore a suspended user

• Restore a recently deleted user

• Archive former employee accounts

• Archive a single-user subscription

• Maintain data security after an employee leaves

• Choose a language for new users

• Change the default time zone for new users

• Impact on Google apps when changing a user's email address

• Let users buy add-ons

• Manage individual Google Cloud accounts

• Investigate user problems with log events

• Advanced user management

• User profiles & Directory

• Overview: Set up and manage the Directory

• Turn Directory on or off

• Control who users can find in the Directory

• Customize a directory for a team or group

• Hide a user from the Directory

• Hide Groups or domain shared contacts

• Add information to a user's Directory profile

• Add or change a user's profile photo

• Change a user's profile name

• Allow Directory users to change their profile and photo

• Create custom attributes for user profiles

• Troubleshoot custom user attribute errors

• Add advanced contact information

• Add shared external contacts to the Directory

• Bulk update user profiles with LDAP directory or API

• Let third-party apps access Directory data

• Email addresses & aliases

• Overview: Add additional email addresses for users

• Add or delete an alternate email address (email alias)

• Delegate a user's email address

• Set which email addresses show in the Directory

• Overview: Changing a Directory user's name or email address

• Administrator roles & privileges

• About administrator roles

• Prebuilt administrator roles

• Administrator privilege definitions

• Assign specific admin roles

• Make a user an admin

• Create, edit, and delete custom admin roles

• Create an admin role for an organizational unit

• Remove Google Workspace administrator privileges

• Delete an administrator account

• View role assignments and privileges

• Security best practices for administrator accounts

• Set admin privileges to protect user privacy

• Designate users with analytics data access

• Designate users with temporary class access

• Passwords & account recovery

• Enforce and monitor password requirements for users

• Allow users to skip passwords at sign-in

• Prevent phishing attacks on your users

• Phishing prevention with Password Alert FAQ

• Set up password recovery for users

• Add recovery information for admins and users

• Allow super administrators to recover their password

• Allow users to add password recovery details

• Recovering administrator access to your account

• Account recovery information for Support

• Reset a user's password

• Restore a suspended Gmail account

• Unmanaged users

• Find and add unmanaged users

• Prevent creation of unmanaged user accounts

• Before using the transfer tool

• Use the transfer tool to migrate unmanaged users

• Use CSV to migrate unmanaged users

• Sync users with an external directory

• Sync data with your LDAP server

• Directory Sync

  • Get started with Directory Sync
  • Compare Directory Sync with GCDS
  • System requirements
  • Supported network connections
  • Set up a VPC access connector
  • Enable the Data Connectors API
  • Add, edit, or remove an external directory
  • Set up user sync
  • Set up group sync
  • Run a sync
  • Replace the domain name for synced users
  • Update user or group settings
  • Check log events for Directory Sync
  • Troubleshoot Directory Sync
  • Directory Sync FAQ

• Google Cloud Directory Sync (GCDS)

  • About Google Cloud Directory Sync
  • GCDS best practices
  • What is synced?
  • System requirements
  • 1. Download and install GCDS
  • 2. Prepare your LDAP directory
  • 3. Organize LDAP data
  • 4. Authorize your Google Account
  • 5. Allow access to URLs and ports
  • What is Configuration Manager?
  • Set up your sync with Configuration Manager
  • Learn more about Configuration Manager options
  • Work with configuration files
  • Use LDAP search rules to synchronize data
  • Omit data with exclusion rules and queries
  • Use limits with GCDS
  • Maintain different user attributes during a sync
  • GCDS synchronization options
  • Perform a manual synchronization
  • Synchronize using the command line
  • Schedule automatic synchronizations
  • Manage and assign licenses
  • Archive or unarchive users
  • Sync groups and users to a Cloud Search identity source
  • Manage conflicting accounts with GCDS
  • Troubleshoot certificate-related problems
  • GCDS error messages
  • Troubleshoot common GCDS issues
  • GCDS FAQ
  • What GCDS information do I need before contacting support?
  • Update GCDS
  • GCDS reports and notifications
  • Google Cloud Directory Sync release notes

• Sync user passwords with Microsoft Active Directory

• About Password Sync

• How does Password Sync work?

• 1. Get ready to use Password Sync

• 2. Choose your authentication method

• 3. Create a service account

• 4. Download and install

• 5. Configure Password Sync

• 6. Set up user authentication

• 7. Have users change their AD passwords

• Install and configure Password Sync from the command line

• Change a Password Sync configuration from the command line

• How to exclude some users from Password Sync

• Troubleshoot Password Sync

• Use logs to troubleshoot

• Authentication errors in Password Sync logs

• Password Sync error codes and messages

• Some user passwords aren't syncing

• Upgrade Password Sync

• Password Sync release notes

Administrator privilege definitions

When you assign an admin role to a user in the Google Admin console, you grant them administrator privileges and access to the Admin console.

The role's privileges determine the admin's controls in the Admin console, information they can access, and tasks they can perform. Admins can also perform corresponding actions in the Admin API.

Assign roles now Create a custom role

Administrator privileges

Notes

• * Some privileges are available only with certain editions of Google Workspace, hardware, or user licenses.
• All administrative privileges are now found in the Admin privilegessection. This includes privileges previously listed in the Admin console privileges and Admin API sections. This change doesn't affect how privileges are assigned, and existing privileges continue to work as they did before.
• If you create a custom role, check the box next to the privilege to allow using the API to perform all actions on that object. Or, click individual actions (such as Create or Read) to allow only those selected actions.

Admin settings privileges

Billing Management

Admins with this privilege can perform billing tasks, such as setting up a billing account or changing a payment method. This privilege works only in the Admin console.

Data Transfer

Super admins or Services admins with this privilege can transfer ownership of users' Google Drive files using the Admin console. Admins also need the Drive Services privilege to access the Transfer ownership setting in the Admin console. This privilege's actions can't be limited to specific organizational units.

Domains

Domain Settings

Admins with the Domain Settings privilege can:

• Change the organization name, language, logo, and time zone.
• Delete your Google Workspace or Cloud Identity Account.
• View billing for your Google Workspace or Cloud Identity Account.
• Add and remove domains and domain aliases.
• Map a custom URL to a site in Google Sites.
• Manage your feature release process.
• Choose the types of email you get from Google. For details, see Choose your Google Workspace notifications preferences.

These actions can't be limited to specific organizational units.

Domain Management

Admins with this privilege can add or remove domains and set up domain aliases.

Domain Allowlist Management

Admins with this privilege and the Domain Management privilege can view and manage the allowlist of trusted domains that can share files with your organization.

Domain Allowlist Read

Admins with this privilege and the Domain Management privilege can view and manage the allowlist of trusted domains that can share files with your organization.

Groups

Groups

Admins with the Groups privilege have full control over groups created in your Admin console.

Administrators with this privilege can:

• View user profiles and your organizational structure.
• Create, manage, and delete groups in the Admin console.
• Manage group access settings.
• Turn on services for access groups (also requires privileges for Organizational Units and Services). For details, see Customize service settings with configuration groups.

These actions can't be limited to specific organizational units.

Tip: To let admins view the groups a user belongs to but not edit them, give them the Groups Read API privilege.

Manage locked label on groups resources

Admins with this privilege can lock and unlock groups. Super admins and Groups admins have this privilege by default.

Add a security label to a group

Admins with this privilege can define groups that control access to sensitive information and resources. For details, go to Updating a Google Group to a security group.

This privilege grants permissions to perform these actions with the Directory API and Groups Settings API.

License Management

Super admins and admins with this privilege can assign and manage Google Workspace licenses for the organization, an organizational unit, a group of users, or an individual user.

Organizational Units

Admins with this privilege can manage your account's organizational structure from the Users page in their Admin console.

Organizational Units privileges:

• Read
• Create
• Update
• Delete

The Create, Update, or Delete privileges automatically grants the Read privilege.

You can allow admins to perform actions on all users in your account or only on users in specific organizational units. For details, go to Assign specific admin roles.

This privilege grants permissions to perform these actions with the Directory API.

Reports

Admins have access to usage reports and audit logs. For details, go to Reporting overview.

Admins with the Reports privilege can:

• View graphs showing service use.
• Track user activities such as document edits.
• Track changes made by other admins in the Admin console.

These actions can't be limited to specific organizational units.

Admins can review graphs showing service use, track user activities (such as document edits), and track other admins' changes in the Admin console.

Schema Management

Super admins or services admins with this privilege can create schemas to define custom fields for their domain, such as user projects, locations, or hire dates.

Security

User Security Management

Note: Only super admins can see another admin's security settings.

Admins can manage security settings for individual users. They can only manage users who don't have admin privileges.

On a person's Users page, admins with the User Security Management privilege can:

• Disable 2-Step Verification. Only super administrators can enforce 2-Step Verification for the entire organization.
• Disable the sign-in challenge for 10 minutes. Only super administrators can disable the sign-in challenge.
• Review and revoke security keys.
• Review and revoke app passwords.
• Reset sign-in cookies (not for reseller admins).
• Review and revoke any 3-legged OAuth tokens the user granted to third-party apps.

All of these actions can be limited to specific organizational units, except enforcing or disabling 2-Step Verification.

This privilege grants permissions to perform these actions with the Directory API and Admin Settings API.

Security Settings

• Allow less secure apps to access accounts
• Monitor user passwords
• Set up single sign-on (SSO) and authentication

Admins can allow less secure apps to access accounts, monitor user passwords, and set up single sign-on (SSO) and authentication. Allowing less secure apps to access accounts is the only action that can be limited to specific organizational units.

Reseller admins

Only super admins can generate backup verification codes for other admins. This means that admins, including Reseller admins, can only view and create backup verification codes for their users, not other admins or super admins. If you want to allow admins to generate and view backup verification codes for users, admins, and super admins, you must grant them super admin privileges.

Support

Admins with the Support privilege can use phone, chat, and email options to contact Google Workspace support. They can also file cases in the Google Cloud Support Portal.

The ability to contact Google Workspace support can't be limited to specific organizational units.

Users

Admins with the Users privilege can perform actions on users. Only super admins can change another admin's settings.

• Create
• Read
• Update — Grants the ability to change user accounts, including archiving, unarchiving, and granting the ability to restore data. It also includes the following permissions that can be individually delegated.
  • Move users
    Note: Only super admins can use the Transfer tool to transfer unmanaged user accounts to Google Workspace managed user accounts.
  • Suspend users
  • Rename users
  • Reset password
  • Force password change
  • Add/remove aliases
• Delete

The Create privilege automatically grants Read and Update privileges. Update or Delete privileges automatically grant Read privilege.

This privilege grants API permissions you can use to perform these operations with the Directory API.

You can let admins perform actions on all users in your account or only users in specific organizational units. For details, go to Make a user an admin.

Tip: To let admins view a user's groups but not edit them, give them the API privilege by clicking Groups Read API privilege.

Services privileges

Service Settings

The Service Settings privilege does not automatically grant privileges to some services and settings, for example, data regions, Data Security, Google Vault, and Security Center.

Admins with the Service Settings privilege can turn services on or off and change service settings. Applies to certain products you've added to your account (Google Workspace services, such as Calendar, and Drive), Marketplace apps, and free Google services, such as YouTube and Blogger.

Alert Center

This privilege is automatically selected with the Service Settings privilege.

For description of privileges and recommendations for creating roles, go to Grant access to the alert center.

AppSheet

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can manage Google AppSheet settings, including governance policies and team management. For more information, go to Assign AppSheet admin privileges to Workspace admins.

Calendar

This privilege is automatically selected with the Service Settings privilege.

Admins with the Calendar privilege can create, edit, and delete resources, but they can't limit the actions to specific organizational units. They also can't modify the sharing settings of Google Calendar resources.

Calendar management rights:

• All Settings—Admins can access and manage sharing settings, resources, the Room Insights Dashboard, and general settings.
  • Buildings and Resources—Admins can create, edit, and delete calendar resources and access the Room Insights Dashboard.
  • Manage Resources—Admins can create, edit, and delete Calendar resources, buildings, and resource features.
  • View Resources—Admins can view resources but not edit them.
  • Room Insights—Admins can view and set filters, and adjust the date range on the Room Insights Dashboard.
  • View Settings—Admins can only view the calendar settings, but cannot edit them.
• **Manage Calendars***—Admins can access, edit, and manage all user and resource calendars.

* If you assign this privilege through a group role assignment, group members will not get all functionality associated with the privilege.

Chrome Management

This privilege is not automatically selected with the Service Settings privilege.

Admins can manage your organization's Chrome devices and policies, including:

• User settings
• Device settings
• Chrome and Managed Google Play apps and extensions on Chrome devices

For more information, go to Delegate administrator roles in Chrome.

Classroom

This privilege is automatically selected with the Service Settings privilege.

Admins with the Classroom privilege can turn this service on or off for users. They can also:

• Set teacher permissions and guardian access.
• Choose who can join classes and which ones they can join.
• Control how users access their Classroom data.
• Export grades and assignments from Classroom to their school's information system.

These privileges are not automatically selected with the Service Settings privilege.

Manage Classes—Super admins can designate users with temporary class access. They can limit class access to specific organizational units.

View analytics data for users and their classes—Super admins can designate users with access to organization-level Classroom analytics. They can limit access to specific organizational units.

Cloud Search

This privilege is automatically selected with the Service Settings privilege.

Admins with the Cloud Search privilege can:

• Grant user access to Google Cloud Search.
• Turn the service on or off.
• View reports on how the organization uses Cloud Search, including the number of search queries from different types of devices and the number of active users.
• Manage settings for third-party repositories, such as settings for data sources, identity sources, and search applications. Admins also have read or write access for indexing.

Learn about creating a Cloud Search administrator role for a developer.

Contacts

This privilege is automatically selected with the Service Settings privilege.

Contact delegates are users that have permission to access and manage contacts for another user. Admins with the Contacts privilege can view, create, or delete delegates for a given user using the Contact Delegation API:

• Delegates Read - Admins can use the API to list delegates for a specific user. Equivalent to the OAuth scope https://www.googleapis.com/auth/admin.contact.delegation.readonly.
• Delegates Write - Admins can use the API to create or delete delegates for a specific user. Equivalent to the OAuth scope https://www.googleapis.com/auth/admin.contact.delegation.

Data classification

This privilege is not automatically selected with the Service Settings privilege.

Admins with the Manage Classification Labels privilege can create labels for Drive files and Gmail messages, and view all labels. They can also see if a label is used by Google Vault retention rule, a data classification rule, or a data loss prevention (DLP) rule. However, they can't see the retention or DLP rule unless they also have those privileges. For details, go to Get started as a classification labels admin.

Data loss prevention (DLP)

Only the View DLP rule privilege is automatically selected with the Service Settings privilege.

DLP privileges:

• View DLP rule—Admins can view but not modify or create DLP rules.
• Manage DLP rule—Admins can view, modify, and create DLP rules.

You must enable both of these privileges to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges.

Data regions

This privilege is not automatically selected with the Service Settings privilege.

Data regions privileges:

• Data Regions Settings—Admins can choose to store data covered by a data region policy in a specific geographic location by using a data region policy. For details, go to Data regions: Choose a geographic location for your data.
• Data Regions Reporting—Admins can see the progress as data moves from one region to another. For details, go to View data regions move progress.

Data Security

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege can manage the organization's context-aware access policies. Admins can control the apps a user can access based on their context, such as their location or whether their device complies with your organization's policies.

Data Security management rights:

• Access level management—Admins can create access levels.
• Rule management—Admins can turn on or off context-aware access and to assign access levels to apps.

Directory settings

This privilege is automatically selected with the Service Settings privilege.

Admins can manage settings and control Directory profile changes to let users make changes to their profile, including their name, photo, gender, and birthday

Directory Sync

This privilege is not automatically selected with the Service Settings privilege.

Directory Sync privileges:

• Manage Directory Sync Settings—Add, update, and manage Directory Sync settings.
• Read Directory Sync Settings—View, but not alter, Directory Sync settings.

For more information, go to Directory Sync.

Drive & Docs

This privilege is automatically selected with the Service Settings privilege.

Google Drive and Docs management rights:

• Settings—Admins can manage all settings for your organization's Drive and Docs services. You need this privilege, the Data Transfer privilege, and the User: Read only privilege to transfer ownership of Drive files. For details, go to Transfer Drive files to a new owner.
• Docs Templates—Admins can remove and categorize templates in the Docs, Sheets, Slides, and Forms template galleries and in the Drive and Docs section of the Admin console. When template submission is set to Moderated in the Admin Console, admins can accept or reject template submissions. When submission is set to Restricted, admins can add templates to the gallery. For details, go to Create custom Drive templates.
• Move any file or folder into shared drives—Admins can move files and folders into shared drives in your organization. However, admins can't move files and folders from one shared drive to another shared drive. Learn more about shared drives access levels
• Manage labels—Deprecated and replaced with the Manage Classification Labels privilege.
• View details of Google Sites—Admins can identify the owner of a site, see the date the site was last published, and request edit access to the site.

Gemini

This privilege is automatically selected with the Service Settings privilege.

As an admin, you can control who uses the Gemini app in your organization. Admins with this privilege can also turn the Gemini app on or off.

Gmail

Only the Settings privilege is automatically selected with the Service Settings privilege.

Gmail management rights:

• Settings—Manage all Gmail settings for your organization.
• Email Log Search—Search the log, troubleshoot delivery, and investigate security issues associated with emails.
• Access Admin Quarantine—Access and manage emails in all quarantines, including the default quarantine.
• Access restricted quarantines—Access and manage emails only in quarantines associated with groups the admin belongs to.

Google Chat

Only the Settings privilege is automatically selected with the Service Settings privilege.

Chat management rights:

• Settings—Read and modify settings for Google Chat, such as saving conversations and allowing conversations with people outside of your organization.
• Manage Chat and Spaces conversation—Manage spaces and space members.
• Moderate Chat content report—Review and take actions Chat reports.

Google Cloud Print

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege can set up and manage Google Cloud Print services for their organization, including printing from:

• Chrome devices and Chrome Browser on Windows, Mac, and Linux computers
• The mobile version of Google Workspace services, such as Gmail
• Third-party native mobile apps

For details, go to Print from Chrome.

Google Meet

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can:

• Manage settings
• Access the quality dashboard for Google Meet. For details, see Track meeting quality and statistics.

Google Meet hardware

This privilege is not available unless your account has at least one Google Meet hardware license or enrolled device.

Admins can create user roles and assign privileges to allow viewing and managing Google Meet hardware devices with varying levels of access to data and functionality. Granting access to a parent privilege will also grant access to any nested child privileges underneath it in the tree.

Privilege hierarchy

• Manage Google Meet hardware and calendars
  • Manage Google Meet hardware
    * Manage devices
    * View devices
    * Manage organizational unit settings
    * View organizational unit settings
    * Perform actions
    * Perform device commands
    * Manage device meetings
    * Deprovision Google Meet hardware
  • Manage calendar assignment
• Enroll Google Meet hardware

Detailed descriptions

• Manage Google Meet hardware and calendars—Admins have full access to all available Meet hardware device data and functionality, except for Enroll Google Meet hardware.
  Limitation: When assigning this permission through a group role assignment, in some cases, group members might not get all the assigned role's privileges. For details, go to Assign a role to a group.
• Manage Google Meet hardware—Admins have access to all available Meet hardware device data and functionality, except for Enroll Google Meet hardware and Manage calendar assignment.
• Manage devices—Admins can modify all individual device settings other than calendar assignment; also grants View devices privilege.
• View devices—Admins get read-only access to device data, including issue history and fleet data export functionality; required to be able to access pages hosting functionality in many other privileges (including Manage calendar assignment, Perform actions and its child privileges, and Deprovision Google Meet hardware).
• Manage organizational unit settings—Admins can edit Google Meet hardware settings controlled at the organizational unit-level and move devices between organizational units.
• View organizational unit settings—Admins can view Google Meet hardware settings controlled at the organizational unit-level.
• Perform actions—Admins can take any of the actions in the two child privileges: Manage device meetings and Perform device commands.
• Manage device meetings—Admins can connect to a meeting remotely and mute or hang up an active call.
• Perform device commands—Admins can reboot a device or trigger a diagnostics test.
• Deprovision Google Meet hardware—Admins can unenroll a device, causing its data to be deleted and its license to be reclaimed.
• Manage calendar assignment—Admins can assign a personal or room calendar to a device.
• Enroll Google Meet hardware—Works in conjunction with the Require enrollment privilege policy. When the policy is turned on, only users with this privilege can enroll new Meet hardware devices in your organization. For details, see Enroll your device.

Note: Admins can't limit these privileges to devices in specific organizational units at this time.

Google Vault

This privilege is not automatically selected with the Service Settings privilege.

Admins can view all matters and manage matters, holds, searches, exports, retention policies, and audits. For details, go to Understand and grant Vault privileges.

Google Workspace Marketplace

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can control which third-party or internal apps users can install from the Marketplace, with the following options:

• Allow users to install and run any app from the Marketplace
• Allow users to install and run only selected apps from the Marketplace
• Don't allow users to install and run apps from the Marketplace
  For details on user access to Marketplace apps, see Manage Marketplace apps on your allowlist.

Groups for Business

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can read and modify settings for Groups for Business, including:

• Who can create groups.
• Whether people outside your organization can view, search for, and post to your groups.
• Default values for who can view conversations in groups.

Data Studio

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can manage Data Studio settings, including viewing, sharing, and customizing dashboards and reports. Learn more about Data Studio.

Managed Google Play

This privilege is not automatically selected with the Service Settings privilege.

This privilege is also listed as "Google Managed Play". Admins with this privilege can:

• Distribute Android apps internally to users.
• Upload private apps to the Google Play store.
• Use Android app packages (APKs) hosted outside of Google Play.

Mobile Device Management

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege have full control over devices listed in your Admin console, and can:

• Manage device settings and policies.
• Perform all management operations, such as approve, block, delete, and wipe devices.
• Publish and manage mobile apps.

Pinpoint

This privilege is automatically selected with the Service Settings privilege.

Admins with the Pinpoint privilege can turn this service on or off for users. They can also set whether users can ​​copy files from Google Drive to Pinpoint.

Secure LDAP

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege can manage the Secure LDAP service and add or delete LDAP clients. Learn more

Important: The Secure LDAP service is available only for administrators with Super Admin privileges—therefore, Super Admins are unable to assign Secure LDAP privileges to delegated admins. When setting up admin roles for your users, please ignore this setting.

Security Center

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege have access to advanced security information and analytics and added visibility and control into security issues affecting their organization.

Super admins have automatic access to all security center features, including the security dashboard, the security health page, and the investigation tool. You can give admins access to a specific security center feature (for example, just the security dashboard) by granting them the administrative privileges needed to access the feature.

Related topics

• Admin privileges for the security center
• Use the security dashboard
• Get started with the security health page
• About the security investigation tool

Shared device settings

This privilege is not automatically selected with the Service Settings privilege.

Admins with this privilege can manage all common device configurations. They can set up Virtual Private Network (VPN), Wi-Fi, and Ethernet networks for mobile, Chrome, and Chromebox for meetings devices.

Sites

This privilege is automatically selected with the Service Settings privilege.

Admins can read and modify settings for Sites, such as whether users can create and edit sites, and whether sites can be shared outside your organization.

Storage

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can open the Storage page in the Admin console and set storage limits. However, to view storage data requires additional privileges. For a complete list, see the description of the Storage Admin role.

Trust Rules

Trust rules rights for managing Drive sharing:

• View Trust Rules—Admins can read the list of trust rules in the Rules list. To view rule settings details, admins also need the Organizational Units Read privilege.
• Manage Trust Rules—This privilege alone doesn't provide access to any settings in the Admin console. To manage trust rules, admins need the following privileges:
  • To turn trust rules on or off, admins need the Manage Trust Rules and Drive & Docs Settings privileges.
  • To create, edit, or delete trust rules, admins need the View Trust Rules, Manage Trust Rules, Drive & Docs Settings, Groups Read, and Organizational Units Read privileges.
  • To delete trust rules, admins need the View Trust Rules, Manage Trust Rules, and Drive & Docs Settings privileges.

Work Insights

This privilege is not automatically selected with the Service Settings privilege.

Admins can access data on the Work Insights dashboard. Data is available only for teams that have Work Insights turned on.

You can let users view data for all available teams or just specific teams, including organizational units, authorized groups, or teams in a manager's reporting line.

Related topics

• Control which data is available in Work Insights
• Grant access to Work Insights

YouTube

This privilege is automatically selected with the Service Settings privilege.

Admins with this privilege can:

• Restrict the YouTube videos that are viewable within your organization.
• Set different YouTube access levels (strict, moderate, unrestricted) for different organizational units.

For details, see Manage your organization's YouTube settings.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-06-15 UTC.