Administrative roles allow you to provide trusted users with partial access to the Google Admin Console. Limited admin access minimizes the risk of accidental changes and compromised accounts. For example, you can delegate responsibility for user management, password resets, and app and extension approvals, without giving someone access to more sensitive areas of the console.  

There are several system roles that are available by default: 

• Super User – this is “god power.” Only 2-3 individuals should have this much access. 
• Services admin  – this role can modify policies throughout the console and is the second most powerful admin role.
• User management admin – this user can create, modify, and delete user accounts. This role can not change policy settings. 
• Help desk admin – this is a very limited role that can only reset passwords. 

👉 Take action: When I perform my Google admin audits I frequently find old accounts who have been granted sensitive admin access. Take five minutes right now and review your admin assignments to minimize potential security vulnerabilities. 

Related Post: Custom admin roles for managing Chromebooks

Lock changes to a specific OU

One way to provide limited access to the admin console is to restrict changes to a specific organizational unit. For example you might assign the user management role to a media specialist, but limit their access to the middle school. 

Steps to lock access to a specific organizational unit:

1. Assign a user to an admin role (standard or custom)
2. Look for the “organizational unit” option when confirming the role assignment.
3. Lock access to a specific OU and assign role.

Note: OU restrictions are not available for some roles including super user and services admin.

Create custom admin roles

In addition to the standard roles, you can create custom admin role to assign a limited set of privileges for special situations. Here are a couple of custom roles you should consider: 

• Chromebook administrator – you can assign device and/or browser management to this role and limit it to a specific building or grade level. 
• App Approvals – delegate the ability to approve Chrome extensions, android applications, and third party app approvals. 
• Google Vault – this custom role will allow a school administrator to view assigned vault investigations without giving full access to the vault. 
• Classroom Visitor – this role lets your instructional support staff access Google Classroom for any student or teacher in your organization (requires EDU Plus).

There aren’t enough hours in the day to accomplish everything you need to do! Use limited admin roles to delegate simple admin responsibilities to trusted teachers and administrators in your district!