Whenever you’re using a software service as an organization, different people within your organization will have different roles. Sometimes these roles are unofficial, but more often, the app or platform itself will have built-in roles that impact what the user in question can and can’t access.
G Suite is no different; it has both pre-built roles and the ability for an account owner to create custom roles.
So what are the existing roles, and what are the responsibilities of admins of G Suite? Read on to find out more.
G Suite’s Pre-Build Admin Roles
Admin roles in G Suite come in two forms: pre-built roles and roles that an owner can make.
- Pre-built roles come out of the box with G Suite and can be assigned to one or more users. They come with a predefined set of privileges and can be used as-is to manage G Suite users and settings.
- On the other hand, custom roles allow an admin to customize their own roles, defining what user privileges are granted and who is granted them.
Here’s a rundown of what each of the pre-built roles is and can do.
1. Super-Admin
Super Admins are the owners of a G Suite account. They have access to all features and the API and can manage anything and everything.
They can access all user calendars, all event details, and anything else. Moreover, every G Suite account must have at least one Super Admin.
Note: Google recommends having at least two in case one is compromised or lost since there’s otherwise very little recourse. Moreover, one of the Super Admins needs to be the billing admin and is known as the primary admin.
Unique features of a super admin include:
- Creating and assigning admin roles.
- Managing other super- and delegated admins.
- The ability to change admin passwords.
- Transferring file ownership when a user is deleted.
- Accepting new ToS documents for products.
- Inviting users to become Workspace Managed users.
- Restoring deleted users.
- Enabling or disabling two-factor authentication.
- Installing Workspace Marketplace apps.
- Managing calendar resources and access-level controls.
- Using the data migration service.
- Granting domain-wide API access.
- Setting up SAML identity provider and apps.
A super-admin is an essential role for any G Suite account, and every organization will have at least one.
2. Groups Admin
The group’s admin is the admin in control over Google Groups and can access various Groups-related tasks from either the admin console or the admin API.
A “Groups” admin can:
- View user profiles.
- View your organization structure.
- Create new user groups.
- Manage members of a group.
- Manage group access settings.
- Delete groups.
- View organizational units.
- Add and manage security labels on groups.
Further, both the Groups Reader and Groups Editor roles have the permissions of a Group Admin, except for the security labels feature, which is currently in beta.
3. User Management Admin
The user management admin is the “middle manager” of admin roles. They can perform actions on any account that isn’t an administrator account, but they’re prevented from performing such actions on administrator accounts.
They can:
- View user profiles.
- View your organization structure.
- View organizational units.
- Create user accounts.
- Delete user accounts.
- Rename users.
- Change user passwords.
- Manage user security settings individually.
- Perform a variety of basic admin tasks.
You can also restrict a user management admin to only a specific user group or allow them permission for all groups.
4. Help Desk Admin
The help desk admin is a simple admin role related specifically to support tasks for your organization. As such, they can only really do a few things. They can reset user passwords for non-admins, they can view user profiles and organizational structures, and can perform some other basic admin tasks.
Their role is essentially to be a help desk manager and troubleshooter, able to solve simple tasks before escalating to a higher-level admin role.
5. Services Admin
The services admin role is primarily focused on managing specific services in the admin console, mostly relating to Google Calendar, Google Drive, and Google Docs.
They can:
- Enable or disable specific services.
- Change service settings and permissions.
- Create, Edit, and Delete calendar resources (but not modify sharing settings).
- Manage Chrome and Mobile Devices.
- Manage Google Takeout settings.
- Use the Alert Center.
This, like other admin roles, can be limited to specific products and services by higher-level admins.
6. Mobile Admin
The mobile admin manages mobile devices authenticated as part of your organization, as well as endpoints through Google Endpoint Management.
They can:
- Provision devices.
- Approve devices.
- Manage apps.
- Block devices.
- Wipe devices and accounts.
- Set device policies.
- View users and groups in the domain.
Note that this is only available as a role to organizations that joined Google Workspace after February 2018. If you don’t have access to this role, you can create a custom role with the same responsibilities.
7. Storage Admin
As you might guess, Storage admins are primarily responsible for managing storage systems throughout your G Suite account. They’re essential for managing Google Workspace, and Google Drive shared storage and ensuring that individual users don’t eat up an entire organization’s storage cap.
As a storage admin, you can monitor and delete user data stored on G Suite services, including Gmail, Google Drive, and Google Photos. You can view usage reports for the account or on a per-user basis. You can also set up storage quotas for individual users or groups to ensure that everyone has enough space for their files without running out. Additionally, storage admins can purchase additional storage for their entire organization if needed.
8. Google Voice Admin
As you might imagine, the Google Voice admin manages your organization’s Google Voice system.
Google Voice admins can create user voice numbers, manage licenses, assign numbers to different users, delete numbers, change port numbers, and more. They can also configure settings such as call forwarding, voicemail, auto attendant systems, and emergency calls.
Admins can manage numbers and permissions for their organization’s entire Google Voice account, as well as any users assigned a Google Voice number. In addition, Google Voice admins can access detailed analytics about calls, texts, and voicemails sent and received through the system.
9. Reseller Admin
Reseller admins are a specific role that only applies to authorized resellers; if you’re part of this system, you likely already know how this works. Otherwise, you probably don’t need to care.
A Reseller Admin is a user who has full access to the G Suite control panel and its associated services; this means that the Reseller Admin can control every aspect of their customers’ G Suite accounts. These responsibilities include setting up and managing user accounts, adding and removing applications, controlling billing, and modifying subscriptions.
The Reseller Admin can also provide support to their customers on various issues. They can help troubleshoot problems and provide guidance when using the G Suite tools. In addition, they can manage licenses and make changes to service levels as needed.
In addition to the essential functions of a Reseller Admin, they can perform many other tasks, such as setting up user roles, creating custom reports, and managing the G Suite Marketplace.
Creating and Editing Custom Admin Roles
If there’s no specific Admin role that covers everything you want an admin to be able to do without giving them more power than you want them to have, you can create a custom role.
Here’s how.
- Sign into your Google Admin console using a Super Administrator account.
- Click on the Menu, then Account, then Admin Roles.
- Click Create New Role.
- Name the role, describe it, so you remember what it is, and click continue.
- Choose specific privileges you want the account to have from the available list.
- Click Continue and Create Role.
- Assign the role to a given user.
You can also edit and delete custom roles in the same menu using roughly the same process.
Note: In order to delete a role, you need to remove any users currently occupying that role. You also can’t delete the Super Admin role, and you can’t remove yourself from that role; only another Super Admin can remove a Super Admin.
What Are a G Suite Admin’s Core Responsibilities?
As a G Suite admin, you’re basically responsible for managing anything and everything as part of your organization’s Google usage. This involves managing storage, managing users, ensuring minimum viable access for users, and even auditing security periodically.
Specific duties and responsibilities can vary depending on your organization’s needs, but here are some common sets of responsibilities you may have.
1. Backing up data.
Maintaining data security and backups is a critical element of any organization. While using G Suite alone may not be the best option (there are many enterprise backup solutions available, and you want to make sure you use proper backup practices, like maintaining off-site backups, having a disaster recovery plan, and testing backups routinely to ensure they’re viable and working) you can do quite a bit of valuable management through G Suite admin privileges.
Google won’t back up your data by default. If a user accidentally (or maliciously) deletes data, you will need your own backups to be able to recover it. You can only get data backups from Google if you pay for some data storage features like Google Vault, but even that is limited.
There is a lesser-known option on Google’s Help Center for users who lost access to their files and had no backups called the Emergency File Recovery Tool. However, this tool only works with recently deleted files and on files you own, not those shared by someone else. You can read more about how this tool works and its limitations in my Google Drive file recovery article.
Note: Remember, Google Drive isn’t a backup unless you use it as such; it’s more of a collaborative tool. If a user deletes a file from Google Drive, there’s no Google Drive backup of it without you making one.
2. Manage user authentication.
User management and the principle of least privilege are essential to any organization.
The principle of least privilege, or PoLP, is an information security concept wherein any given user is given the access and permissions necessary to do their job and no more. You don’t want your normal users to have domain admin privileges, and you don’t want a middle manager to have super admin access.
The more access a user has, the more damage they can do if their account is compromised or they decide to act maliciously. Restricting every single user to the least amount of access necessary to do their jobs is critical. Part of this means you should have someone managing user access.
You should also make sure that everyone has and uses 2-step verification so that there’s an added layer of security over every account. There are a few 2-step verification methods; Google Authenticator, a security key, a Google prompt on mobile devices, or phone-based verification.
3. App auditing.
G Suite gives account owners access to a wide range of third-party apps. Some of these are available through the marketplace, while others are external and need to be given permission or their own (limited) accounts to access your system.
Part of your role should be to audit these apps periodically. Any app that isn’t in active use should be disabled or removed. Apps should also be audited to see what data they can access, how they can access it, and if they’ve ever accessed it.
Similarly, check if they need that data or if they’re scraping company data for unknown purposes.
Moreover, remember that apps can be malicious from the get-go or can be updated to include malicious code down the line, so auditing is never a one-and-done deal.
In general, it’s good practice to minimize the number of apps you use, give them as little access as you can, and be suspicious of any app that asks for information or access that it doesn’t seem like it should need. Never be afraid to look for a different vendor or service provider app if one starts to look sketchy.
4. Monitor usage and access.
Another core part of the admin’s job is to monitor usage and look for abnormalities. Users who have been compromised, users who are using company access for inappropriate or personal means, or users whose access logs contradict what they claim they do all day can be a sign of something wrong.
This can be anything from users exploiting systems to do less work than they should, users slacking off on company time or misusing company resources, or even malicious attacks or access by outside individuals.
You may also need to look for inappropriate use of storage space. A user storing personal data (or even NSFW data) on company drives should be audited. Even a user who doesn’t follow proper company data retention policies and stores files after they should be deleted needs to be addressed.
Unfortunately, there’s no easy way to flag user access or patterns as “abnormal” because “normal” varies from organization to organization. You will need to know what normal usage looks like for your users and for your organization and look for variance and differences.
5. Develop and use proper onboarding and offboarding policies.
Any time your company hires someone new, they need access to your systems. How do you give them access, when do they get it, and what level of access do they need? You should be able to have all of this information on hand during the hiring process.
Similarly, when a user leaves the company, you need to know how to handle their account. Typically, you will need to transfer ownership of files and processes, ensure that they have a successor if they were an admin of some sort, and take any actions necessary for tertiary parts of their account, like de-provisioning, wiping, or removing their mobile devices from the access list.
Obviously, all of this is highly variable and can depend a lot on what your organization needs, how large it is, and what your rules are regarding different devices, access policies, and more. It can take serious management thought to determine the extent of these responsibilities, who manages them, and how they work. Yet, getting them right on an ongoing basis is a critical part of managing G Suite for an organization.
Leave a Reply