burger icon to open nav
X

about Workspace admins

A new Workspace for business account begins it's life with a single primary super admin, the person creating the account. As well as creating users, as I covered in the previous guide, super admins can create other admins or super admins to help them.

Workspace provides us with a range of preset admin roles, however: we can also create custom admin roles to suit our purpose. Here we'll take a look at how to create them and assign them specific roles and abilities.

Who can be a Workspace admin

Standard users cannot make themselves admins. Initially only the super admin can do this. But any user can be made an administrator.

With a company Workspace account, having a dedicated IT department, or specific hardware, is rarely needed. A single admin could easily deal with the entire IT infrastructure.

In medium to large sized companies: heads of each department, or at least someone in the department, could be given admin status.

With only a slight learning curve, there's no need for highly skilled technicians to handle a company's IT infrastructure.

What can Workspace admins do?

What powers these admins then have, such as creating and deleting user accounts, and even creating new admins, is determined by the super admin.

Here's a quick rundown of some of the duties an admin may be allowed to perform.

  • Create and delete users
  • Restore deleted user accounts (within 20 days of deletion)
  • Suspend and reinstate users
  • Create organisational units
  • Create and delete groups
  • Allow or prevent user access to certain applications

Types of Workspace administrators

There are a few different preconfigured admin roles which can be assigned without much effort. There's even a slight difference between super admins, which I'm going to cover next.

The difference between super and primary Workspace admins

As far as the ability to create new admins and other senior privileges, there's no difference between primary and super admin. The primary admin is in fact another type of super admin.

The difference lies in who receives billing information, important account notifications, and whose contact details appear in the company profile.

Only super admins can create other admins.

Who is the primary admin?

By default, the person who registered the account is the primary admin. Account related emails are sent to their personal email address, not their company one. However: this role can be allocated to someone else.

I'll cover this in more detail in the section below concerning the creation of super and other administrators.

User management administrator

A user admin has control over ordinary user accounts. Including creating and deleting them. This is one of the preconfigured admin roles available in the admin panel.

They can also reset user passwords but cannot create admins, nor make changes to other admins' accounts.

Group administrators

Groups are a fundamental part of teamwork and collaboration. Group admins have access to the admin console where they can create and delete groups, add users to and remove them from groups, and control access settings.

They cannot create or delete user accounts.

Workspace help desk administrators

Either company wide, or to certain organisational units, help desk admins are helpful for resetting passwords.

Workspace service administrators

To be fair, this role is about as useless as can be. They can turn access to some services on or off.

Workspace mobile administrator

Determine and allow users to access their data from mobile devices, along with setting up passwords and access to apps.

Should mobile devices be permitted, this privilege allows admins to sign them out of all devices. With android devices they can also delete data. A useful feature in the event of lost or stolen devices.

Workspace Google voice administrator

Google Voice is an optional VOIP paid service. Unless you've subscribed, you won't see any options for this feature.

Workspace reseller administrator

This admin role is only for resellers of Workspace accounts to businesses and is way beyond the scope of what this website is all about.

The qualifications required to become a reseller are vast and not required to administer a Workspace for business account.

Workspace custom administrator roles

This is where super admins can pick and mix the various privileges to create bespoke admin roles.

How to create admins and super admins

Whichever type of admin we're creating, we always start from the homepage and by clicking the Admin roles box.

Workspace admin homepage with all sections collapsed

This will take us to the admin roles listing showing the range of preset roles we can grant to any user.

The preset roles available when assigning admins

Hovering over a specific role will give us the options to:

  • Assign admin
  • View privileges
  • View admins
the options showed when hovering over a preset admin role

Clicking onView privileges will open a sidebar showing the privileges assigned to that role. Likewise with View admins.however: our focus in on Assign admin, beginning with super admins.

Making a Workspace super admin

Clicking on Assign admin will open a tab showing all admins, at the of which you'll see the option to Assign users. After clicking this you'll see an input field to find and select a user.

Once you've selected one user, you'll see the option to search for more at the top and blue button at the bottom to ASSIGN ROLE at the bottom.

Anyone with super admin status also inherits the privileges of all the other admin roles. While it is highly recommended that a company has at least two super admins, they should be created sparingly.

Assigning other admin roles

Return back to the admin roles listing and hover over a role of your choice before clicking Assign role.

If you haven't assigned your chosen role previously, you see an empty listings page. Once again, click Assign users. Then select the user(s) you wish to assign the role to.

Unassigning an admin role

Follow the same path used to create an admin until you reach the listing of the different types of roles.

Hovering over an admin role will give you the option to view admins with that particular role. Clicking that option will open up the sidebar showing all the admins with that role.

Once you have the correct role, close the sidebar and again hover over the role listing. Then click Assign role. This will then display a list of users with that role.

Hover over the person's listing you want to unassign and click Unassign role. You'll then get a prompt informing you that the user will instantly lose their privileges and the options to cancel or unassign.

Can a user have multiple admin roles?

The super admin role encompasses all roles. We can give users more than one admin roll, right up to the point where they have them all, apart from super admin.

Doing so requires us to add them to each role individually, which is more than a little tedious. I find it easier to create custom admin roles which include all the desired privileges. Keep reading and you'll see what I mean.

Workspace: how to create custom roles

The preconfigured roles, although useful, obviously cannot meet everyone's needs. Sometimes: giving an admin multiple roles provides a better solution. However: keeping track of which admin has what roles can itself create problems.

Now we know what privileges are available, we can begin to create our own bespoke roles.

If circumstances allow, create a single dedicated IT admin, essentially a second level super admin. For small businesses with not too many employees, a part time employee will suffice.

Another option is to create a role for departments and let someone in each department manage their own.

Finding and creating roles

In case you've skipped the previous topic, I'll start on the Workspace admin homepage and click on the Admin roles box. This will open a tab with all the ready made admin roles.

However: it's not these we're interested in. Above those you'll see the Create new role. Clicking on this will open the role info box, where you name and describe your new admin role. I try to make the names as intuitive as possible.

First part of creating a custom role, asking for role name and description

After clicking the blue CONTINUE button, things may appear a little daunting, but don't worry, the difficulty I faced was understanding all the different privileges, and adopted the principle: if in doubt, leave it out.

I'm going to go through the list of privileges, give you a brief explanation and discuss the options of the more important ones.

Admin console privileges: Organisational units

Options for setting organisational units when creating a custom role

The first on the list is organisational units (OU)s, of which there are four options;

  • Read: Permission to see members of OUs and what access to services they have
  • Create: Permission to create OUs
  • Update: Move users between OUs
  • Delete: Delete OUs

Clicking the checkbox to the left of the privilege name activates all it's features. While you can select them individually, try to remember not all of them are mutually exclusive,

If I select any of: create, update, or delete, common sense dictates that I must be able to read them, so selecting any of these three will automatically activate the read option.

As there is no option to allow the admin to only delete the OUs they create, I usually only allow super admins to delete organisational units.

That being said: as creating OUs is not an everyday task, this entire privilege is better assigned to a more centralised admin or super admin.

Admin console privileges: Users

The user privilege checkboxes are the same as the OU ones, with one exception: the update option has a dropdown with more refined options, including move, suspend and rename.

Checking the update box automatically includes all of those listed in the dropdown.

Again, allow all the features apart from delete, but with the occasional exception. Deleted user accounts can be restored within 20 days, making this a judgement call depending on the people in question.

Admin console privileges: Groups

Not much to worry about here. Anyone with permission to create groups can also add and remove users and delete the group.

Considering that groups are often an integral part of many departments, I always allow this.

Admin console privileges: Services

The list of services is quite substantial. Checking the Services box automatically gives privileges to many, but not all, features. However: if left unchecked, access to individual services can be granted.

Normally I would only allow this feature to a very select few. Instead I create another role I regard as second level admin, just below super admin. Giving it to many could result in a “too many cooks” scenario.

Admin console privileges: Security settings

Admins with this privilege will only have access to, or be able to edit, the security settings of standard users, not other admins. Features of this privilege are:

  • If two step verification has been turned on for the entire organisation ( not organisational unit) admins can turn it off for individual users
  • disable any security challenge for 10 minutes
  • Signing a user out of all devices and browsers by clearing sign-in cookies

Admin console privileges: Support

This feature determines whether an admin can contact Google support by: Chat, phone, or email

Different departments will undoubtedly encounter the same problems. Having each one going through the same support process is not good practice.

If not using a centralised admin it may be a good idea to form a group forum of departmental admins to share common problems and solutions.

Admin console privileges: Domain settings

Admins with this privilege can delete the entire Workspace account. I doubt I need to say anymore.

Admin console privileges: Reports

A privilege that allows admins to view:

  • Graphs that show service usage
  • User actions such as editing files
  • Changes that other admins carry out in the admin dashboard

This privilege is company wide and cannot be restricted to one or two OUs. However: if having an admin in each department, and as viewing usage in other departments shouldn't pose any problems, it's fairly safe to grant this privilege to all admins.

Complete creating your new admin role

We're almost there: click the blue CONTINUE. Review the privileges and click CREATE ROLE.

We've come full circle. You'll be directed to the new role page where you can add users to your custom role.

Now when you access the Admin roles from the admin homepage, you'll see the new role at the bottom of the admin roles listing.

How to delete a custom admin role

Deleting a custom role merely requires hovering over the role, clicking More and selecting Delete role