Admin Console Access (Possibly Read Only) for Technology Staff

Bill_Gibson
Contributor III

Currently we limit GAC access to a small set of our senior technology staff.
Other technology roles have access to platforms that ingest data from GWfE and have differing levels of Active Directory Access (from which we still sync our user records and most groups).
As time goes on we are defining more groups only in the Google context, and continuing our transition towards the GWfE platform.

Are there read-only or limited scope permissions that you have found beneficial to provide additional visibility/delegate access within your technology staff?


Kim_Nilsson
Admin Moderator

Read-only admin access

tl;dr: No.

--
https://wheretofind.me/@NoSubstitute

Longer version - of read-only admin access...

  1. You can push data to Google Sheets or BigQuery, and visualise that with Looker Studio, which is read-only.
  2. You can give users read-only access via APIs, and then create web apps that can let them read a lot of stuff in any format you feel like coding.
  3. Do the same as #2 and then set up GAMADV-XTD3 with limited access, and let them play with that.
--
https://wheretofind.me/@NoSubstitute

Kim_Nilsson
Admin Moderator

Limited/Delegated admin access

tl;dr: DEFINITELY!

--
https://wheretofind.me/@NoSubstitute

Longer version of limited/Delegated admin access

I can recommend doing this A LOT!

Keeping the number of superadmins to an absolute minimum (must be at least two!) is a very good idea.

But handing out lesser admin access, restricted to local or regional groups of users or devices, is a great idea and alleviates a lot of boring work that those delegated admins can do instead of you.

You can create any combination of admin rights in the Admin Roles section, but the recommendation is to make sure to never mix global admin rights with restrict-able admin rights.

Global admin rights will always let the user affect all users, devices or other objects, like Group Admin.

Restrictable admin rights can be limited to OUs, like Reset Password, or Manage Devices.

Whenever a user needs to be able to do both, then create two separate custom admin roles, and assign them both, with the restrict-able set to the least access necessary.

--
https://wheretofind.me/@NoSubstitute
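
An audit of the rules in the post above, as an added example that is not part of the original thread: it flags custom roles that mix global and OU-restrictable privileges, restrictable roles assigned without an OU scope, and fewer than two super admins. The data is constructed, shaped like Admin SDK Directory API responses (`isOuScopable`, `rolePrivileges`, `scopeType`); the privilege names, role names and IDs are made up.

```python
# Constructed sample data shaped like Admin SDK Directory API responses
# (privileges.list, roles.list, roleAssignments.list). Names and IDs are made up.
PRIVILEGES = [
    {"privilegeName": "EX_RESET_PASSWORD", "isOuScopable": True},
    {"privilegeName": "EX_MANAGE_DEVICES", "isOuScopable": True},
    {"privilegeName": "EX_GROUPS_ADMIN", "isOuScopable": False,
     "childPrivileges": [{"privilegeName": "EX_GROUPS_READ", "isOuScopable": False}]},
]
ROLES = [
    {"roleId": "1", "roleName": "Super Admin", "isSuperAdminRole": True, "rolePrivileges": []},
    {"roleId": "2", "roleName": "School helpdesk", "rolePrivileges": [
        {"privilegeName": "EX_RESET_PASSWORD"}]},
    {"roleId": "3", "roleName": "Mixed role", "rolePrivileges": [
        {"privilegeName": "EX_RESET_PASSWORD"}, {"privilegeName": "EX_GROUPS_ADMIN"}]},
]
ASSIGNMENTS = [
    {"roleId": "1", "assignedTo": "u1", "scopeType": "CUSTOMER"},
    {"roleId": "2", "assignedTo": "u2", "scopeType": "ORG_UNIT", "orgUnitId": "ou-a"},
    {"roleId": "2", "assignedTo": "u3", "scopeType": "CUSTOMER"},
    {"roleId": "3", "assignedTo": "u4", "scopeType": "ORG_UNIT", "orgUnitId": "ou-b"},
]

def scopable_map(privs, out=None):
    """Flatten the privilege tree into {privilegeName: isOuScopable}."""
    out = {} if out is None else out
    for p in privs:
        out[p["privilegeName"]] = bool(p.get("isOuScopable"))
        scopable_map(p.get("childPrivileges", []), out)
    return out

def audit(privs, roles, assignments, min_super=2):
    """Return (finding, subject) tuples for the three rules in the lead-in."""
    scopable, findings, kinds = scopable_map(privs), [], {}
    for r in roles:
        if r.get("isSuperAdminRole"):
            kinds[r["roleId"]] = "super"
            continue
        # Unknown privileges count as global, the conservative reading.
        flags = {scopable.get(rp["privilegeName"], False) for rp in r["rolePrivileges"]}
        kinds[r["roleId"]] = "mixed" if flags == {True, False} else ("ou" if flags == {True} else "global")
        if kinds[r["roleId"]] == "mixed":
            findings.append(("MIXED_ROLE", r["roleName"]))
    supers = {a["assignedTo"] for a in assignments if kinds.get(a["roleId"]) == "super"}
    if len(supers) < min_super:
        findings.append(("TOO_FEW_SUPERADMINS", len(supers)))
    for a in assignments:
        # A restrictable-only role assigned customer-wide is not least access.
        if kinds.get(a["roleId"]) == "ou" and a.get("scopeType") != "ORG_UNIT":
            findings.append(("UNSCOPED_ASSIGNMENT", a["assignedTo"]))
    return findings
```
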

jasoncrcsd
Contributor II

We utilize this a lot. We have delegated accounts for admins at our schools to be able to reset student passwords, etc.

Kim_Nilsson
Admin Moderator

Yeah, I created SPOGOU for this particular purpose.

--
https://wheretofind.me/@NoSubstitute