Skip to content
  • There are no suggestions because the search field is empty.

Understanding Role Permissions in gPanel

Understand and manage role permissions in gPanel to assign the right Google Workspace access levels and maintain admin control.

Contents

After you create a role, you will need to select the permissions for your new role. Look through the different permission sets, and decide what permissions your users need.
 

The permissions that have checkmarks next to them are permissions that the role currently has. Check or uncheck the box next to a permission to add or remove that permission from the role.

Once you have made your changes be sure to click Save or your work will be lost.

Administration Roles

Administration > General

  • Can view Roles: Allows the user to see the list of existing administrative roles and the permissions assigned to them.
  • Can view gPanel API: Allows the user to view the status and configuration of the gPanel API connection to Google Workspace.
  • Can view Domain Defaults: Allows the user to see the global default settings applied across the domain.
  • Can View Domain Service Errors: Allows the user to see technical error logs or service interruptions related to domain-wide syncs.
  • Can View My Account Page: Allows the user to view their own administrative account details and personal profile within gPanel.
  • Can view Labs: Allows the user to see the "Labs" section containing experimental features and beta tools.
  • Add gPanel Licenses: Allows the user to increase the seat count or purchase additional licenses for the gPanel platform.
  • Create Role: Allows the user to build entirely new custom administrative roles from scratch.
  • Delete Role: Allows the user to permanently remove existing administrative roles that are no longer needed.
  • Edit Role: Allows the user to modify the permissions and access levels of an existing role.
  • Rename Role: Allows the user to change the display name of a specific role for better organization.
  • Add Member to Role: Allows the user to assign specific employees to an administrative role, granting them the associated permissions.
  • Remove Member from Role: Allows the user to take away a user's administrative access by removing them from a role.
  • Can view Domain Default for Resource Calendar: Allows the user to see the default settings for how shared resources (like rooms) are managed.
  • Add Google Workspace Licenses: Allows the user to purchase or provision additional seats for the Google Workspace suite (Gmail, Drive, etc.).
  • Can view gPanel Admin: Allows the user to see the list of high-level administrators within the gPanel system.
  • Can update gPanel Admin: Allows the user to modify the status or details of other gPanel administrators.
  • Can view Authentication: Allows the user to see how users are logging into the system and the security protocols in place.
  • Can view Indexing: Allows the user to see the status of data synchronization tasks between Google and gPanel.
  • Can view IP Intrusion: Allows the user to view the security logs regarding unauthorized IP access attempts.
  • Create IP Intrusion User/IP Address: Allows the user to manually whitelist or blacklist specific users or IP addresses for security purposes.
  • Delete IP Intrusion User/IP Address: Allows the user to remove existing IP restrictions or whitelist entries.
  • Can enable/disable IP Intrusion: Allows the user to turn the entire IP-based security monitoring system on or off.
  • Can enable/disable API IP Intrusion: Allows the user to toggle security restrictions specifically for API-level calls based on IP location.
  • Can view Secondary Domains: Allows the user to see any additional domains or aliases linked to the primary Google Workspace account.
  • Can edit Secondary Domains: Allows the user to modify the configuration or settings of linked secondary domains.
  • Can view Timezone: Allows the user to see the current global time zone setting for the domain.
  • Can update Timezone: Allows the user to change the primary time zone for the entire organization's dashboard.
  • Can view Custom Labeling: Allows the user to see the custom branding or internal labels applied to the gPanel interface.
  • Can update Custom Labeling: Allows the user to change the branding, logos, or naming conventions within the gPanel UI.
  • Can view Google API Status: Allows the user to see if Google’s back-end services are running correctly or experiencing downtime.
  • Can Enable and Disable Lab Features: Allows the user to actively turn on or off the experimental "Beta" features in the Labs section.
  • Can get Google API Status Notifications: Allows the user to sign up for or manage alerts regarding Google service outages.
  • Can Access gPanel Data Security: Allows the user to enter the high-level security module to manage data protection settings.
  • Enable email notification outside domain: Allows the user to permit the system to send administrative alerts to email addresses not ending in the company domain.
  • View Session Timeout: Allows the user to see how long an administrator can stay inactive before being automatically logged out.
  • Can update Session Timeout: Allows the user to change the duration of time before the system forces a logout for security.
  • View Welcome Email Templates: Allows the user to see the design and text of the emails sent to new hires during onboarding.
  • View gPanel API Keys: Allows the user to see the secure keys used for external software integrations.
  • Delete API Keys: Allows the user to revoke and remove existing API keys to terminate external access.
  • Edit API Keys: Allows the user to modify the descriptions or settings associated with active API keys.
  • Create API Keys: Allows the user to generate new secure keys for third-party integrations or scripts.
  • Delete Welcome Template: Allows the user to remove specific onboarding email templates from the library.
  • Edit Welcome Template: Allows the user to change the wording, branding, or layout of an existing welcome email.
  • Create Welcome Template: Allows the user to build a new welcome email from scratch for different departments or roles.
  • Run User Indexing: Allows the user to manually trigger a data sync to update user profile information.
  • Run OrgUnit Indexing: Allows the user to manually trigger a sync of the Organizational Unit (OU) structure.
  • Run Group Indexing: Allows the user to manually trigger a sync of Google Groups membership and settings.
  • Run Calendar Indexing: Allows the user to manually trigger a sync of all shared and resource calendars.

Administration > Logs

  • Can view App Logs: Allows the user to access and search the internal audit trail of gPanel, showing which administrators performed specific actions within the platform.
  • Export App Logs: Allows the user to download the application audit history into a CSV or spreadsheet format for external compliance reporting or long-term record keeping.
  • View gPanel API Logs: Allows the user to monitor the technical communication records between gPanel and Google's backend, used primarily to verify that data synchronization and commands are being processed successfully.

Administration > Settings

  • Can view Settings: Allows the user to access the general configuration area of the platform to review current system preferences, organizational details, and global operational parameters without the ability to modify them.

Admin Report Roles

  • Can view Admin roles: Allows the user to access and review the full directory of administrative roles configured within the system, providing visibility into the names and definitions of all available permission sets without the ability to assign or modify them.

API Roles

  • Invoke Policy: Allows the user to manually trigger any general automated policy or workflow that has been pre-configured in the system, such as security updates or setting changes.
  • Invoke New User Policy: Allows the user to manually start the "Onboarding" automation for a specific account, which automatically sets up standard features like email signatures, folder structures, and group memberships for a new hire.
  • Invoke Decommission Policy: Allows the user to manually trigger the "Offboarding" workflow for a departing employee, which typically handles tasks like data transfer, revoking access, and archiving the account.

Billing Roles

  • Can use saved payment methods for license purchases: Allows the user to select and charge existing, verified credit cards or bank accounts when buying additional seats for the organization.
  • Can add payment methods: Allows the user to securely input new credit card or bank account information into the system for future billing.
  • Can edit payment methods: Allows the user to update details on existing financial accounts, such as updating an expiration date or a billing address.
  • Can remove payment methods: Allows the user to delete outdated or unused credit cards and bank accounts from the organization's profile.
  • Can view payment methods: Allows the user to see the list of active payment sources and their basic details (e.g., the last four digits of a card) without being able to modify them.
  • Can change the auto pay source: Allows the user to designate which specific saved payment method should be used for the automatic recurring monthly subscription.
  • Can view domain and company settings: Allows the user to access and review high-level organizational data, such as the legal company name and address used for invoicing.
  • Can add billing contacts: Allows the user to designate new individuals (such as an accounting department member) to receive financial notifications and invoices.
  • Can edit billing contacts: Allows the user to modify the contact information, such as names or email addresses, for people currently receiving billing alerts.
  • Can remove billing contacts: Allows the user to stop specific individuals from receiving future invoices or financial communications.
  • Can change primary billing contact: Allows the user to select the specific person who serves as the main point of contact for all critical financial and payment-related issues.
  • Can add licenses: Allows the user to increase the organization's subscription count by purchasing more user seats for gPanel or Google Workspace.

Calendar Roles

  • Can view Resource Template: Allows the user to view pre-defined templates used to standardize settings across multiple resource calendars.
  • Create Resource Template: Allows the user to design and save new templates that can be applied when creating future rooms or equipment.
  • Delete Resource Template: Allows the user to permanently remove standardized templates from the system library.
  • Edit Resource Template: Allows the user to modify the configurations, rules, or naming conventions within an existing resource template.
  • Can view Calendar Resources: Allows the user to see the list of all physical resources (rooms, vehicles, projectors) currently tracked in the domain.
  • Create Resource Calendar: Allows the user to add a new physical resource to the organization’s directory and generate its associated calendar.
  • Delete Resource Calendar: Allows the user to remove a physical resource and its calendar entirely from the Google Workspace environment.
  • Edit Calendar Resource: Allows the user to change the basic settings or identity of an existing resource calendar.
  • View Calendar Resource Events: Allows the user to see the specific meetings, times, and organizers currently booked for a resource.
  • Add Resource Calendar Events: Allows the user to manually schedule and book a reservation directly on a resource's calendar.
  • Remove Resource Calendar Events: Allows the user to cancel or delete existing reservations and meetings from a resource’s schedule.
  • Update Resource Calendar Events: Allows the user to reschedule or modify the details of meetings already booked on a resource's calendar.
  • Add Share to Resource Calendar: Allows the user to grant specific individuals or groups the permission to view or manage a resource’s calendar.
  • Remove Share from Resource Calendar: Allows the user to revoke a person’s or group's access to a specific resource's calendar.
  • Edit Share of Resource Calendar: Allows the user to change the level of access (e.g., from "View Only" to "Manage") for a person currently sharing the calendar.
  • View Resource Calendar Shares: Allows the user to see the list of all people and groups who currently have access to view or edit a resource's schedule.
  • View Calendar Resources Beta: Allows the user to access and view resource calendars through the experimental "Beta" interface for testing new features.
  • View Resources By Building: Allows the user to filter and view the directory of resources organized by their specific physical building location.
  • Create Resource Calendar Beta: Allows the user to test the creation of new resource calendars using the experimental "Beta" workflow.
  • Edit Calendar Resource Beta: Allows the user to modify resource settings using the updated experimental "Beta" management tool.
  • Edit Calendar Resource Common Name: Allows the user to change the primary display name (e.g., "Main Boardroom") that users see when booking.
  • Edit Calendar Resource Category: Allows the user to classify the resource (e.g., as a Meeting Room, Other, or Handheld device).
  • Edit Calendar Resource Type: Allows the user to specify the exact nature of the resource for better filtering in the directory.
  • Edit Calendar Resource Building: Allows the user to assign or move a resource to a specific building in the company’s physical location list.
  • Edit Calendar Resource Floor: Allows the user to designate exactly which floor of a building a resource is located on.
  • Edit Calendar Resource Floor Section: Allows the user to specify a precise zone or wing of a floor for the resource (e.g., "North Wing").
  • Edit Calendar Resource Capacity: Allows the user to set or change the maximum number of people allowed in a specific room or resource.
  • Edit Calendar Resource Features: Allows the user to list specific amenities for a resource, such as "Video Conferencing" or "Whiteboard."
  • Edit Calendar Resource User Visible Description: Allows the user to write or change the public-facing description that employees see when booking the resource.
  • Edit Calendar Resource Internal Description: Allows the user to add or modify private administrative notes about a resource that are not visible to general users.
  • Delete Resource Calendar Beta: Allows the user to test the removal and deletion of resources through the experimental "Beta" interface.

Calendars > User Calendars

  • Can view Calendars: Allows the user to look up and view the existence and basic details of individual employee calendars within the domain.
  • Create Calendars: Allows the user to generate new secondary calendars on behalf of a specific user account.
  • Delete Calendars: Allows the user to permanently remove secondary calendars from a user's account.
  • Add Share to Calendar: Allows the user to grant other people or groups access to view or manage a specific user's calendar.
  • Edit Calendars Shares: Allows the user to change the level of access (e.g., changing from "See only free/busy" to "Make changes to events") for existing calendar collaborators.
  • Remove Calendars Shares: Allows the user to revoke a person's or group's access to a shared calendar.
  • Rename Calendars: Allows the user to change the display title of a calendar (e.g., changing "Project X" to "Project X - Archive").
  • Edit Calendar Color: Allows the user to change the background color assigned to a calendar to help with visual organization in the UI.
  • Edit Calendar Location: Allows the user to set or update the primary physical or geographic location associated with a specific calendar.
  • Edit Calendar Description: Allows the user to provide or modify a written explanation of the calendar's purpose.
  • Edit Calendar Timezone: Allows the user to set the specific time zone for a calendar to ensure events are synchronized correctly for global teams.
  • Edit Calendar Visibility: Allows the user to toggle whether a calendar is hidden or visible within the organization’s directory.
  • Can Enable Event Editing: Allows the user to grant permissions that specifically let others modify the details of meetings on that calendar.
  • View Calendar Events: Allows the user to see the specific details of individual appointments, including meeting names, times, and attendees.
  • Add Calendar Events: Allows the user to schedule and create new meetings or appointments directly on a user’s calendar.
  • Remove Calendar Events: Allows the user to delete specific, individual meetings from a calendar.
  • Remove All Calendar Events: Allows the user to wipe a calendar clean by deleting every single meeting and appointment currently scheduled on it.
  • Update Calendar Events: Allows the user to modify the details of existing meetings, such as changing the title or description.
  • Move Calendar Events: Allows the user to reschedule events by changing the date or time, or moving them to a different calendar.
  • View Features: Allows the user to see the list of physical amenities (like "High-speed Wi-Fi" or "Catering") available to be assigned to resources.
  • Create Features: Allows the user to define new types of equipment or amenities that can be tagged to company resources.
  • Edit Features: Allows the user to modify the name or settings of existing equipment/amenity tags.
  • Delete Features: Allows the user to remove specific amenity tags from the global list.
  • View Buildings: Allows the user to see the list of physical office buildings and sites registered in the company directory.
  • Create Buildings: Allows the user to register a new physical office location or building in the system.
  • Edit Buildings: Allows the user to change the name, address, or details of an existing building.
  • Delete Buildings: Allows the user to remove a building from the directory.
  • Can Transfer Calendars: Allows the user to move the complete ownership and all contents of a calendar from one user to another (critical for employee offboarding).
  • Can view Calendar Transfer Logs: Allows the user to access a history of who moved which calendars and when, providing an audit trail for data migration.

Chrome Management API Roles

  • Can view Telemetry Information: Allows the user to access real-time and historical health data for Chrome devices, including CPU usage, memory status, network connection quality, and device temperature for monitoring system performance.
  • Can view Apps Information: Allows the user to view the inventory of installed applications and extensions across managed Chrome browsers and devices, including version numbers, permissions, and installation sources.

Directory Roles

Directory > Contact Sync

  • Can view Contact Sync: Allows the user to access the Contact Sync module and see the list of active synchronization rules that share contact information across the organization.
  • Can view Contact Sync Users: Allows the user to see which specific employees or groups are included in or affected by a particular contact synchronization task.
  • Add Contact Sync: Allows the user to create new synchronization tasks that automatically push shared contacts or global address lists to specific users' personal contact managers.
  • Edit Contact Sync: Allows the user to modify existing sync rules, such as changing the source of the contacts or adjusting the target audience.
  • Remove Contact Sync: Allows the user to delete synchronization tasks, which stops the automatic updating of shared contacts for the targeted users.
  • Remove Label For Contact Sync: Allows the user to specifically delete or detach the organizational labels used to categorize and group contacts during the synchronization process.

Directory > General

  • Edit General Information Section: Allows the user to modify basic user profile fields, such as display names, primary email addresses, and core account status.
  • Edit Directory Section: Allows the user to manage how users appear in the global directory, including settings for visibility and contact sharing.
  • Edit Content Control Section: Allows the user to manage the specific types of content and data fields that are accessible or visible within user profiles across the domain.
  • Edit Settings Section: Allows the user to change the administrative configurations for the directory module, governing how user data is structured.
  • Edit Permissions Section: Allows the user to define and modify who has the authority to view or edit specific pieces of directory information.
  • Edit Advanced Section: Allows the user to access and modify complex directory configurations, such as custom mapping and high-level system integrations.
  • View Group History Tab: Allows the user to see a chronological audit log of changes made to groups, including membership additions, removals, and setting updates.
  • Edit Relationships: Allows the user to define and update professional connections within the directory, such as designating managers, assistants, or direct reports.
  • Edit Instant Messaging: Allows the user to add or update chat handles and messaging service IDs (like Google Chat or external IM protocols) on a user's profile.
  • Edit External Ids: Allows the user to manage non-Google identifiers, such as employee ID numbers or system-specific keys from external HR platforms.
  • Edit Custom Attributes: Allows the user to create and modify specialized data fields that are unique to the organization’s needs (e.g., "T-shirt Size" or "Security Clearance Level").
  • Can Edit Employee Information: Allows the user to modify HR-specific details within the profile, such as job title, department, office location, and employee type.
  • Add all current and future users within domain: Allows the user to create "catch-all" rules that automatically include every existing and newly created user into a specific directory group or policy.

Directory > Groups

  • Can view Groups: Allows the user to search for and see the list of all Google Groups (mailing lists) existing within the organization’s domain.
  • Can view Group Templates: Allows the user to access and review standardized group settings that have been saved to be used as blueprints for new groups.
  • Edit Group Security Settings: Allows the user to modify who can post to the group, who can join, and who can view the member list, ensuring the group remains private or public as needed.
  • Edit Group Labels: Allows the user to add or change organizational tags on groups to make them easier to categorize and search for within gPanel.
  • Edit Group Member Expiration: Allows the user to set or change "sunset" dates for group members, automatically removing them from the group after a specific period of time.
  • Clone Group: Allows the user to create an exact copy of an existing group's settings, members, and permissions to quickly set up a similar mailing list.
  • Create Group: Allows the user to set up an entirely new Google Group or mailing list from scratch.
  • Delete Group: Allows the user to permanently remove a Google Group and its history from the domain.
  • Add Group Aliases: Allows the user to create additional email addresses that forward to the main group (e.g., info@company.com and help@company.com both going to the same group).
  • Remove Group Aliases: Allows the user to delete secondary email addresses associated with a group.
  • Add Member to Group: Allows the user to add internal employees or existing directory users to a group’s membership list.
  • Add External Member to Group: Allows the user to add email addresses from outside the company domain (e.g., contractors or vendors) to a group.
  • Remove Member from Group: Allows the user to take away a person's membership from a group, stopping them from receiving further group emails.
  • Edit Role of Group Member: Allows the user to change a member's status within a group, such as promoting a "Member" to an "Owner" or "Manager."
  • Create Group Template: Allows the user to save a specific configuration of group settings as a template for future use.
  • Edit Group Template: Allows the user to modify the rules and configurations of an existing group template.
  • Delete Group Template: Allows the user to permanently remove a group template from the administration library.

Directory > GTalk

  • Edit gTalk Assistant: Allows the user to configure and modify the settings for the automated chat assistant, including its response behaviors, status updates, and interaction rules within the organization's messaging environment.

Directory > Org Units

  • Can view Organizational Units: Allows the user to see the hierarchical structure (the "tree") of the organization, including all parent and child departments or branches.
  • Add Organizational Units: Allows the user to create new departments or subgroups within the organizational structure to better organize users and apply specific policies.
  • Edit Organizational Units: Allows the user to modify the details of an existing department, such as renaming it or moving its position within the company hierarchy.
  • Remove Organizational Units: Allows the user to delete a department or subgroup from the domain (typically requires the unit to be empty of users first).
  • Change Organizational Units' Membership: Allows the user to move employees from one department to another, which often automatically updates the apps and security settings that apply to those users.

Directory > Shared Contacts

  • Can view Shared Contacts: Allows the user to access and browse the organization’s Global Address List (GAL), which contains external contacts (like vendors or clients) that are shared across the entire company.
  • Add Shared Contacts: Allows the user to create new external contact entries in the global directory, making them searchable and available to all employees within the domain.
  • Edit Shared Contacts: Allows the user to modify the details of existing global contacts, such as updating phone numbers, email addresses, or job titles.
  • Remove Shared Contacts: Allows the user to permanently delete external contact entries from the organization’s shared directory.
  • Clone Shared Contacts: Allows the user to create a duplicate of an existing shared contact, making it easier to add multiple individuals from the same external company or department.

Directory > Users > Profile

  • Can view User Profiles: Allows the user to look up and open individual employee profile pages to see their contact details, job history, and account status.
  • Edit Email Addresses: Allows the user to add, change, or remove secondary email addresses and aliases for an employee's account.
  • Edit Phone Numbers: Allows the user to update work, mobile, or home phone numbers listed on a user’s internal company profile.
  • Edit Organizations: Allows the user to modify an employee's professional details, such as their job title, department name, cost center, and office location.
  • Edit Addresses: Allows the user to update the physical work or home addresses associated with a user’s contact record.
  • Edit Websites: Allows the user to add or update URLs on a profile, such as a personal portfolio, a LinkedIn profile, or a company biography page.
  • Edit Notes: Allows the user to add or modify administrative notes or descriptions within a user’s profile for internal tracking.
  • Edit Gender: Allows the user to update or correct the gender information listed in an employee's directory settings.
  • Edit Profile Picture: Allows the user to upload, change, or remove the official avatar or photo that represents the employee across Gmail and the company directory.

Drive Roles

Drive > General

  • Can view Drive Explorer: Allows the user to access the central file management interface to browse the folder structures of users and Shared Drives throughout the domain.
  • Can view Documents: Allows the user to see the metadata and titles of files within the Drive Explorer to identify specific content.
  • Can view Drive Search: Allows the user to access the advanced search engine used to locate specific files across the entire organization's Google Drive storage.
  • Take Action: Grants the user the authority to execute administrative commands (like moving or deleting) on files identified during a search or exploration.
  • Create Folders: Allows the user to generate new directories within a user's Drive or a Shared Drive to help organize data.
  • Move Doc: Allows the user to change the file path of a document, relocating it from one folder or Drive to another.
  • Trash Docs: Allows the user to move files into the "Trash" or "Bin," removing them from active view while still allowing for potential recovery.
  • Restore Docs: Allows the user to pull files out of the Trash and return them to their original location in Google Drive.
  • Permanently Delete Docs: Allows the user to bypass the Trash and completely erase files from Google’s servers, making them unrecoverable.
  • Rename Docs: Allows the user to modify the file names of documents and folders within the domain.
  • View Doc Shares: Allows the user to see a list of every person or group who currently has access to a specific file or folder.
  • Change Organizational Unit: Allows the user to move a file's ownership or management context to a different department or branch within the company hierarchy.
  • Edit Visibility on Docs: Allows the user to change the broad privacy settings of a file, such as making it "Public," "Anyone with the link," or "Restricted."
  • Edit Shares on Docs: Allows the user to manually add new collaborators or remove existing ones from a file's permission list.
  • Edit Starred Docs: Allows the user to toggle the "Starred" status on files to mark them as important or high-priority for the owner.
  • Copy Docs: Allows the user to create an exact duplicate of an existing file within the Drive environment.
  • Add Shortcuts: Allows the user to create "pointer" links to a file in multiple locations without duplicating the actual data.
  • Export Drive Search: Allows the user to download a list of search results into a CSV or spreadsheet for auditing and data analysis.
  • View Drive Sweeps: Allows the user to see the list of automated cleanup tasks (Sweeps) designed to manage files based on specific rules.
  • Create Drive Sweeps: Allows the user to set up new automated rules that scan and take action on files (like auto-trashing old files) on a schedule.
  • Start Drive Sweeps: Allows the user to manually trigger an automated Drive Sweep task to run immediately.
  • Edit Drive Sweeps: Allows the user to modify the criteria, filters, or actions of an existing automated Drive Sweep.
  • Enable/Disable Drive Sweep: Allows the user to toggle an automated cleanup task on or off without deleting the rule itself.
  • Delete Drive Sweeps: Allows the user to permanently remove an automated cleanup rule from the system.
  • Can use Drive Encryption: Allows the user to manage and apply encryption settings to files to ensure sensitive data is protected at rest.
  • Copy Shared Drive ID: Allows the user to copy the unique alphanumeric string that identifies a specific Shared Drive for use in scripts or API calls.

Drive > Shared Drives

  • Create Shared Drives: Allows the user to establish new Shared Drive containers where teams can store, search, and access files collectively rather than owning them individually.
  • View Shared Drives: Allows the user to browse and see a comprehensive list of all Shared Drives existing within the organization’s domain.
  • Update Shared Drive Permissions: Allows the user to manage membership by adding or removing users and groups, and changing their access levels (e.g., Contributor, Content Manager, or Manager).
  • Update Shared Drive Settings: Allows the user to modify administrative restrictions, such as preventing members from sharing files with people outside the organization or blocking non-members from accessing files.
  • Rename a Shared Drive: Allows the user to change the display name of an existing Shared Drive to reflect new projects or department names.
  • Delete a Shared Drive: Allows the user to permanently remove a Shared Drive and all of its contents from the domain (typically requires the Drive to be empty of files first).

Drive > Transfer

  • Can view Ownership Transfer Logs: Allows the user to access a detailed audit history of all file migrations within the domain, showing which files were moved, who the previous owner was, and who the new owner is.
  • Transfer Docs: Allows the user to reassign ownership of files and folders from one user to another (essential for offboarding employees to ensure the company retains access to their data).

gPanel Contact Roles

gPanel > Contacts

  • Can View gPanel Contacts: Allows the user to browse and search the internal database of contacts managed specifically within the gPanel platform.
  • Create gPanel Labels: Allows the user to create new organizational tags (labels) to categorize and group specific sets of contacts.
  • Edit gPanel Labels: Allows the user to rename or modify the settings of existing contact labels for better organization.
  • Add/Remove Labels from gPanel Contacts: Allows the user to assign or detach organizational tags to specific contacts, controlling how they are grouped.
  • Trash gPanel Labels: Allows the user to move unused or unwanted contact labels to the trash, removing them from the active list.
  • Add Users to gPanel Contact Labels: Allows the user to grant specific employees or internal users access to view or manage the contacts within a specific label.
  • Trash gPanel Contact: Allows the user to move specific contact entries into the trash to prepare them for deletion.
  • View gPanel Contact Label Logs: Allows the user to view the audit history of who created, edited, or moved contact labels and when.
  • Empty Trashed gPanel Contacts: Allows the user to permanently delete all contact entries currently sitting in the trash, freeing up space and ensuring data removal.
  • Recover Trashed gPanel Contacts: Allows the user to pull contact entries out of the trash and restore them to the active contact list.
  • Create gPanel Contact: Allows the user to manually add a brand-new contact entry into the gPanel contact manager.
  • Import gPanel Contacts: Allows the user to bulk-upload contact information from external files (like CSVs) into the gPanel system.
  • Recover Trashed gPanel Contact Labels: Allows the user to restore labels that were previously moved to the trash, along with their categorization data.
  • Empty Trashed gPanel Contact Labels: Allows the user to permanently erase all labels currently in the trash so they can no longer be recovered.
  • Export gPanel Contact Label Logs: Allows the user to download the audit history of contact label changes into a file for external reporting or review.
  • Create gPanel Contacts Sync: Allows the user to set up a new automated synchronization task that keeps gPanel contacts updated with other external or internal sources.
  • Edit gPanel Contacts Sync: Allows the user to modify the rules, filters, or frequency of an existing contact synchronization task.
  • Delete gPanel Contacts Sync: Allows the user to permanently stop and remove an automated contact synchronization rule.
  • Edit gPanel Contact Details: Allows the user to modify specific information within a contact's profile, such as phone numbers, email addresses, and job titles.

Reporting Roles

Reporting

  • Can view Reports: Allows the user to access the reporting dashboard and browse through previously generated reports, providing insight into domain usage, security, and activity without the ability to create new ones.
  • Can run reports: Allows the user to select specific datasets, apply filters, and trigger the system to generate a fresh, real-time report based on current domain data.
  • Can run exports: Allows the user to download generated reports into external formats (such as CSV or spreadsheet files) for offline analysis, archiving, or sharing with stakeholders.

Rules Engine Roles

  • Can view Rules Engine: Allows the user to access the central Rules Engine interface to see the list of all automated workflows and administrative triggers active within the domain.
  • Can view a Rules details: Allows the user to click into a specific rule to inspect its logic, including the exact "if/then" conditions, filters, and the specific actions it is programmed to execute.
  • Can add Rules Engine rules: Allows the user to build and implement new automated rules from scratch, such as setting up a trigger to automatically move users to a specific Organizational Unit based on their job title.
  • Can change status on Rules Engine rules: Allows the user to toggle existing rules between "Active" and "Inactive," enabling them to pause automation without needing to delete the configuration.
  • Can delete Rules Engine rules: Allows the user to permanently remove an automated rule from the system library when it is no longer needed.

Tools  Roles

Tools > Bulk Operations

  • Can view Bulk Operations: Allows the user to access the Bulk Operations dashboard to monitor the status, progress, and history of large-scale administrative tasks.
  • Run Group Bulk Operations: Allows the user to perform mass updates to multiple Google Groups simultaneously, such as changing settings or descriptions across the board.
  • Run Users Bulk Operations: Allows the user to execute large-scale changes to user accounts, such as bulk-updating job titles, departments, or custom profile attributes.
  • Run Shared Contacts Bulk Operations: Allows the user to manage hundreds or thousands of external shared contacts at once, including mass additions or updates to the Global Address List.
  • Run Bulk Group Deletion Operations: Allows the user to permanently remove multiple Google Groups at once, significantly speeding up domain cleanup tasks.
  • Run Bulk Group Removal Operations: Allows the user to mass-remove specific members or subsets of users from multiple different groups in a single action.
  • Run Bulk Group Member Settings Update Operations: Allows the user to change the roles or notification preferences for large numbers of group members simultaneously (e.g., changing hundreds of "Members" to "Managers").
  • Run Bulk Assign Archive User Licenses: Allows the user to apply "Archived User" licenses to a large group of departing employees at once, preserving their data at a lower cost.
  • Run Bulk Profile Picture Upload: Allows the user to upload and assign profile photos for many users simultaneously using a structured file or folder.
  • Run Bulk Upload Users: Allows the user to create or update a large volume of user accounts at once by importing a CSV or data file.
  • Run Bulk Calendar Events Import: Allows the user to populate calendars with a high volume of meetings or appointments by importing them from an external data source.
  • gPanel Role Import: Allows the user to bring in pre-defined role configurations from an external file to quickly set up administrative permissions without manual entry.

Tools > Decommissioning

  • Can view Decommissioning Processes: Allows the user to access the decommissioning dashboard to review existing automated offboarding workflows and monitor the status of users currently being decommissioned.
  • Create Decommissioning Processes: Allows the user to build new automated offboarding sequences, defining specific steps like resetting passwords, hiding from the directory, and transferring Drive files.
  • Edit Decommissioning Processes: Allows the user to modify the steps, timing, or logic of an existing offboarding workflow to keep it aligned with company policy.
  • Delete Decommissioning Processes: Allows the user to permanently remove a decommissioning template or workflow from the system.
  • Run Decommissioning Process: Allows the user to manually trigger a specific offboarding sequence for a departing employee.
  • Copy Decommissioning Process: Allows the user to duplicate an existing offboarding workflow, making it easier to create variations for different departments or regions.
  • Disable Decommissioning Process: Allows the user to deactivate an offboarding workflow so it cannot be triggered, without needing to delete the configuration.
  • Enable Decommissioning Process: Allows the user to reactivate a previously disabled offboarding workflow.
  • Pause User Decom Processing: Allows the user to temporarily halt an active offboarding sequence for a specific individual, preventing further steps (like data deletion) from occurring.
  • Unpause User Decom Processing: Allows the user to resume a previously paused offboarding sequence, picking up exactly where the process left off.
  • Purge Decom User: Allows the user to bypass the standard waiting period and immediately remove all data associated with a decommissioned user for final cleanup.
  • Terminate Decom User: Allows the user to instantly end the decommissioning sequence and move the user account to its final "terminated" or "deleted" state.

Tools > Drive Tools

  • Run Bulk Drive Transfer: Allows the user to perform large-scale ownership migrations of Google Drive files and folders from multiple source users to multiple destination users simultaneously, facilitating smooth data transitions during large department restructures or mass employee offboarding.

Tools > General

  • Can view gTalk Assistant: Allows the user to access the configuration and logs for the automated chat assistant to monitor its activity.
  • Run Docs Modified in Last 14 Days Report: Allows the user to generate a list of all files in the domain that have been edited within the last two weeks for auditing recent activity.
  • Run Docs Modified in Last X Days Report: Allows the user to run a custom-range report to identify files modified within a specific number of days defined by the admin.
  • Run Docs Over 100MB Report: Allows the user to identify exceptionally large files that may be consuming significant storage quotas across the organization.
  • Run Docs Over 10MB Report: Allows the user to find moderately large files to help manage storage and identify data-heavy documents.
  • Run Docs Shared Externally Report: Allows the user to audit security by listing all files that have been shared with users outside of the company domain.
  • Run Docs Shared Publicly Report: Allows the user to identify files that are visible to anyone on the internet, a critical step for preventing data leaks.
  • Run Docs Shared With Groups Report: Allows the user to see which documents are accessible to entire Google Groups rather than specific individuals.
  • Run Docs Shared With Domain Report: Allows the user to identify files that have been shared with everyone inside the organization.
  • Run Docs Shared With Link Report: Allows the user to find files that can be accessed by anyone who possesses the specific document URL.
  • Run Docs With MP3 Extension Report: Allows the user to scan for audio files, often used to monitor for non-work-related media or storage policy violations.
  • Run Group Report: Allows the user to generate a comprehensive overview of all Google Groups, including their settings and basic metadata.
  • Run Group Membership Report: Allows the user to pull a detailed list of every user and their corresponding group memberships across the domain.
  • Run Groups With No Owners Report: Allows the user to identify "orphaned" groups that lack an assigned owner, which is essential for maintaining administrative accountability.
  • Run Users who are not member Of any Group: Allows the user to identify "isolated" users who may have been missed during onboarding or department assignments.
  • Run License Types Report: Allows the user to see a breakdown of which Google Workspace or gPanel licenses are assigned to specific users.
  • Run Orgs Member Count Report: Allows the user to see the total number of employees assigned to each Organizational Unit (OU).
  • Run Orgs With No Members Report: Allows the user to identify empty departments or branches in the directory that may need to be cleaned up.
  • Run Send As Addresses: Allows the user to generate a report of all "Send Mail As" aliases configured by users, helping to monitor email spoofing or alternate identities.
  • Run Shared Contact Report: Allows the user to view a list of all external contacts currently stored in the Global Address List.
  • Run Site Ownership: Allows the user to identify the owners and creators of all Google Sites built within the domain.
  • Run Two Factor Enrolled Report: Allows the user to audit security compliance by seeing which users have (and have not) enabled 2-Step Verification.
  • Run Clear Users From Group Operations: Allows the user to execute a mass-removal of all members from a specific group in one action.
  • Run Clear Users Meeting Operation: Allows the user to bulk-cancel or remove specific users from calendar invitations and scheduled meetings.
  • Run Multiple User Vacation Responder Operation: Allows the user to set or disable out-of-office auto-replies for multiple employees simultaneously.
  • Run Bulk Force Password Reset Operations: Allows the user to require a large group of users to change their passwords at their next login for security purposes.
  • Run Bulk Force Sign Out Operations: Allows the user to remotely terminate the active sessions of multiple users, forcing them to log back in (critical during security breaches).
  • Run Bulk Remove Shares Operations: Allows the user to mass-revoke access to files and folders for a large group of users at once.
  • Run Bulk Delete Shared Contacts Operations: Allows the user to perform a mass-deletion of external contacts from the organization's shared directory.
  • Run Bulk Delete Personal Contacts Operations: Allows the user to remove contact entries from the individual "My Contacts" section of multiple user accounts.
  • Run Bulk Calendar Permission Settings: Allows the user to update the sharing and visibility settings of multiple calendars across the organization in a single task.
  • Run Resource Event Remover: Allows the user to bulk-clear old or recurring meetings from resource calendars (like conference rooms) to free up availability.
  • Delete User from Decom: Allows the user to manually remove a user from an active decommissioning queue, stopping the offboarding process for that individual.
  • Run Abandoned Calendar Events: Allows the user to identify and remove recurring meetings that no longer have any active internal attendees, reclaiming room and time availability.

Tools > Gmail Search/Export

  • Can view Gmail Export: Allows the user to see a list of previously generated email exports and their current processing status.
  • Create Gmail Export: Allows the user to package and prepare specific sets of email data into downloadable files for legal review or archiving.
  • Delete Gmail Export: Allows the user to permanently remove generated export files from the system after they are no longer needed.
  • Download Gmail Exports: Allows the user to save the generated email data files to their local machine or secure storage.
  • Set the Encryption Key: Allows the user to establish the security credentials required to protect and access exported email data.
  • Create Gmail Search: Allows the user to define and save specific search criteria (such as keywords, date ranges, or senders) to locate emails across the domain.
  • Delete Gmail Search: Allows the user to remove saved search configurations from the Gmail management library.
  • View Gmail Search: Allows the user to browse the list of existing saved search queries created by themselves or other admins.
  • Run Gmail Search: Allows the user to execute a query across the organization’s mailboxes to identify specific messages.
  • Preview Gmail Search: Allows the user to see a sampling of the results from a search query to verify accuracy before committing to a full export or action.

Tools > Logs

  • Can view Account Audit: Allows the user to access and review the security audit logs for individual accounts, tracking login history, password changes, and other account-level security events.
  • Can view cPanel Logs: Allows the user to view the administrative activity logs within the gPanel platform (formerly known as cPanel), providing a record of which admins performed specific actions or changes.
  • Run Time and IP Address Report of Logged In Users: Allows the user to generate a report showing exactly when users logged in and the specific IP addresses they used, which is essential for identifying unauthorized access or geofencing violations.

Tools > Mobile Management

  • Can view Mobile Management: Allows the user to access the mobile device inventory to see a list of all smartphones and tablets that are registered with the organization's management system.
  • Can view Chrome Devices: Allows the user to browse the list of managed ChromeOS devices (Chromebooks, Chromeboxes), including their serial numbers, status, and assigned users.
  • Approve Mobile Devices: Allows the user to authorize a new mobile device to access corporate data when the organization requires administrator approval for enrollment.
  • Block Mobile Devices: Allows the user to temporarily prevent a specific mobile device from syncing corporate email or accessing company apps without deleting the device record.
  • Delete Mobile Devices: Allows the user to permanently remove a device record from the management console, typically used when a device is no longer in service.
  • Remote Wipe Mobile Devices: Allows the user to perform a "Factory Reset" on a lost or stolen device, erasing all data (both personal and corporate) to ensure security.
  • Remote Wipe Account Only Mobile Devices: Allows the user to perform a "Selective Wipe," which removes only the organization's data (work email, files, and apps) while leaving the user's personal photos and data intact.
  • Deprovision Devices: Allows the user to remove the management license from a Chrome device, effectively retiring it from the organization's fleet.
  • Disable Devices: Allows the user to lock a Chrome device remotely, showing a custom message on the screen and preventing any further use until it is re-enabled.
  • Enable Devices: Allows the user to unlock a previously disabled Chrome device, restoring it to full operational status.
  • Move Devices: Allows the user to relocate devices between different Organizational Units (OUs) to change which policies and settings are applied to them.
  • Run Mobile Device Report: Allows the user to generate a detailed summary of the mobile fleet, including OS versions, encryption status, and last sync times for auditing purposes.

Tools > Policies

  • Can view Policies: Allows the user to access the policy management dashboard and review the list of all active and inactive automated administrative policies.
  • Create Policy: Allows the user to build new automated sets of rules that apply specific actions to users or data when certain conditions are met.
  • Delete Policy: Allows the user to permanently remove an existing policy from the organization's library.
  • Edit Policy: Allows the user to modify the logic, scope, or specific actions of an existing policy to update how it manages the domain.
  • Copy Policy: Allows the user to duplicate an existing policy configuration, making it easy to create a similar rule set without starting from scratch.
  • Run Policy: Allows the user to manually trigger a policy to execute its actions immediately across the targeted users or documents.

Tools > Reports
Reporting Permissions

  • Can view Reports: Allows the user to access the reporting interface and see the list of available report types and previously generated results.
  • Create Report: Allows the user to build custom reports by selecting specific data points and filters.
  • Delete Report: Allows the user to remove saved report configurations or historical report results from the system.
  • Edit Report: Allows the user to modify the parameters of an existing report to change the data it captures.
  • Run All Reports: A master permission granting the user the authority to execute any report available within the gPanel platform.

Specific Security & Compliance Reports

  • Run docs that contain a CC number or SSN Report: A critical security audit that identifies documents containing sensitive Credit Card or Social Security numbers.
  • Run Docs Shared Externally Report: Identifies all documents that have been shared with users outside of the company domain.
  • Run Super Admin Report: Generates a list of all users with Super Admin privileges to ensure administrative access is tightly controlled.
  • Run Login Activity Report: Provides a history of user login events to monitor for unauthorized access.
  • Run Suspended User Report: Lists all user accounts that are currently disabled or suspended.
  • Run Two Factor Enrolled Report: Audits which users have successfully set up 2-Step Verification for their accounts.
  • Run Email Monitoring Report: Displays a list of mailboxes currently being monitored by other users or administrators.
  • Run Third Party Application Reports: Identifies external apps that have been granted access to the organization's Google data.
  • Run Export Admin Logs Reports: Extracts the audit trail of actions taken by administrators within the platform.

Drive & Storage Reports

  • Run Storage Report: Provides a breakdown of storage usage across the entire organization.
  • Run User Quota Report: Shows how much of their assigned storage limit each individual user has consumed.
  • Run File Hierarchy Reports: Visualizes the folder structure and organization of files within the domain.
  • Run Externally Owned Docs Report: Lists files stored in your users' Drives that are actually owned by accounts outside your domain.
  • Run Shared Drives Report: Generates an inventory of all Shared Drives and their current status.
  • Run Shared Drives Docs Shared Externally Report: Specifically targets files within Shared Drives that are shared with external parties.
  • Run Unmodified Documents Report: Identifies "stale" data by listing files that haven't been edited within a specific timeframe.

Communication & User Activity Reports

  • Run Email Activity Report: Provides statistics on sent and received email volume across the organization.
  • Run Gmail Breakdown Report: Offers a detailed analysis of email usage patterns, including internal vs. external communication.
  • Run Email Delegate Report: Lists all users who have granted someone else permission to read and send email on their behalf.
  • Run Email Forwarding Report: Audits all active email forwarding rules to ensure data isn't being sent to unauthorized addresses.
  • Run Approved Email Forwarding Report: Filters the forwarding report to show only those rules that meet company-approved criteria.
  • Run List User Gmail Filters Report: Allows an admin to see all the inbox filters (auto-labeling, auto-deleting) created by users.
  • Run Hangouts Report: Provides usage data for Google Hangouts/Chat communication.
  • Run User Usage Report: A broad report covering how active users are across various Google Workspace services.

Group & Calendar Reports

  • Run Group Member Count Report: Provides a quick view of the size of every Google Group in the domain.
  • Run Nested Group Reports: Identifies groups that are members of other groups, helping to map complex permission structures.
  • Run Empty Group Report: Lists Google Groups that have zero members and may need to be deleted.
  • Run Calendar Access Report: Audits the sharing settings of user calendars to see who has permission to view them.
  • Run Calendar Resource Report: Provides a status and usage summary of company resources like meeting rooms and equipment.
  • Run Calendar Events Report: Generates a list of scheduled meetings and events across the domain.
  • Run Abandoned Calendar Events Report: Identifies recurring meetings that are still taking up room space even though the organizer is no longer with the company.

Tools > Signature Templates

  • Can view Signature Templates: Allows the user to access the signature management dashboard and browse all created templates and their current deployment status.
  • Run Signatures Report: Allows the user to generate a detailed audit showing which users currently have a signature applied and whether it matches the official company template.
  • Create Signature Template: Allows the user to design new, standardized email signatures using HTML or a visual editor, incorporating dynamic fields like name, title, and phone number.
  • Delete Signature Template: Allows the user to permanently remove a signature design from the organization's library.
  • Edit Signature Template: Allows the user to modify the visual design, layout, or branding (such as logos and social media icons) of an existing signature.
  • Edit Signature Template Configuration: Allows the user to adjust the underlying rules of a template, such as which user attributes are pulled from the directory or how the signature is appended to emails.
  • Run Signature Template: Allows the user to manually trigger the deployment of a signature to a specific user, group, or organizational unit.
  • Run Bulk Signature Template Blocklist Status: Allows the user to generate a report on which users are currently prevented from receiving signature updates due to being on a blocklist.
  • Run Signature Template Report: Provides a comprehensive summary of how many users are successfully utilizing specific templates across the domain.
  • Update Signature Blocklist: Allows the user to add or remove specific employees from the "Blocklist," ensuring their personal signatures are not overwritten by the corporate template.
  • View Signature Blocklist: Allows the user to see the full list of individuals who have been exempted from the automated corporate signature updates.

User Portal Directory Search Roles

  • Can search for users: Allows the user to utilize the search bar to find specific employee profiles within the organization's directory using names, email addresses, or keywords.
  • Can search for groups: Allows the user to look up existing Google Groups (mailing lists) by name or email address within the platform.
  • Can view all users: Grants the user the ability to browse the entire directory list of active and suspended accounts across the entire organization.
  • Can view all groups: Grants the user the ability to see a comprehensive list of every Google Group configured within the domain.
  • Can view user's groups: Allows the user to look at a specific employee's profile and see a detailed list of every Google Group they are currently a member of.

User Roles

Users > Calendar

  • View Calendars Tab: Allows the user to access the dedicated Calendars section within a user's profile or the main dashboard to oversee schedules, resource availability, and calendar sharing settings.

Users > Devices

  • Bulk Update Devices: Allows the user to modify settings or metadata for a large number of devices (Mobile or ChromeOS) at once by importing a CSV or using a multi-select tool, rather than updating each device individually.
  • View Devices Tab: Allows the user to see the specific "Devices" section within a user's profile, providing a quick view of all hardware currently registered to that specific employee.

Users > Drive

  • View Drive Tab: Allows the user to access the "Drive" section within an individual's user profile, providing a high-level view of that specific user's file storage, usage statistics, and top-level folder structure.
  • View User Drive Search Tab: Allows the user to access a specific search interface dedicated to finding files owned by a particular user, making it easier to locate specific documents during audits or internal investigations.

Users > General
User Management & Profile Actions

  • Can view User Management: Grants access to the primary dashboard used to manage the lifecycle of employee accounts.
  • Create Users: Allows the user to provision new employee accounts within the domain.
  • Edit User Profiles During User Creation: Allows the user to populate specific details (like job title, department, or location) while the account is being set up.
  • Remove Users: Allows the user to permanently delete an account from the domain.
  • Suspend/Restore Users: Allows the user to temporarily deactivate an account (preventing access) or reactivate a suspended account.
  • Archive User: Allows the user to move a departing employee to an "Archived" status to preserve data at a lower license cost.
  • Activate User: Allows the user to move an archived account back to a fully active state.
  • Edit User's Name: Allows the user to modify the first or last name of an existing employee.
  • Edit User's OrgUnit: Allows the user to move a user from one Organizational Unit (OU) to another.
  • Edit Notes: Allows the user to add or modify administrative descriptions on a user's account profile.
  • Edit Recovery Email / Phone: Allows the user to update the security contact information used for account password resets.

Security & Access Control

  • Edit cPanel Admins / Edit cPanel Role: Allows the user to grant or revoke administrative privileges within the gPanel platform.
  • Edit gPanel Role: Allows the user to assign specific permission sets (roles) to other users.
  • Generate Backup Codes: Allows an admin to generate emergency login codes for a user who is locked out of their account.
  • Disable 2-Factor Authentication: Allows the user to turn off 2-Step Verification for a specific user, usually to troubleshoot login issues.
  • Sign-out User: Allows the user to remotely end an employee's active Google session.
  • Bulk Sign Out Users: Allows the user to force-logout multiple users across the organization simultaneously.
  • Logged In: Allows the user to view the real-time login status of an individual employee.

Bulk Operations (Users & Groups)

  • Bulk Add Users To Group / Bulk Add User To Groups: Allows the user to add many people to a single group, or one person to many groups, in a single action.
  • Bulk Remove Users From Group / Bulk Remove Groups From User: Allows the user to mass-clear memberships for many people at once.
  • Bulk Clear Users From Group: Allows the user to completely empty a group of all its members.
  • Bulk Change Member Role: Allows the user to mass-update the status of group members (e.g., changing "Members" to "Managers").
  • Bulk Suspend / Restore / Delete Users: Allows the user to perform account lifecycle actions on hundreds of users at once via CSV or list selection.
  • Bulk Change Users' OrgUnit: Allows the user to move large groups of people between different company departments or branches.
  • Bulk Change gPanel Role: Allows the user to update gPanel administrative permissions for a large group of users.

Bulk Data & Feature Management

  • Bulk Remove Shares: Allows the user to mass-revoke file sharing permissions across multiple user accounts.
  • Bulk Gmail IMAP / POP: Allows the user to enable or disable IMAP and POP access settings for multiple mailboxes at once.
  • Bulk Contact Sharing: Allows the user to mass-toggle the visibility of external contacts across the organization.
  • Bulk Delete Shared Contacts / Personal Contacts: Allows the user to perform large-scale cleanup of either the Global Address List or individual user contact lists.
  • Bulk Delete Groups: Allows the user to remove multiple Google Groups from the domain in one action.
  • Bulk Add / Delete Aliases: Allows the user to manage email aliases (alternate email addresses) for many users or groups at once.

Profile Tabs & Specific Data Access

  • View Aliases Tab / Add Aliases / Remove Aliases: Allows the user to manage alternate email addresses associated with a primary account.
  • Transfer Aliases: Allows the user to move an email alias from one user account to another.
  • View Profile Tab: Grants visibility into the primary data screen of a user's profile.
  • View Custom Attributes: Allows the user to see specialized data fields unique to the company (like "Employee ID" or "Shirt Size").
  • View Group Membership Tab / Add & Remove Members: Allows the user to manage which mailing lists a specific person belongs to from within their profile.
  • View Personal Contacts Tab / Add / Update / Export / Move / Remove: Grants full administrative control over an individual employee's private contact list.
  • Add / Edit / Remove Personal Contact Groups: Allows the user to manage the labels and organization of a user's private contacts.
  • Delegate Personal Contacts: Allows the user to grant one employee access to manage another employee's private contact list.

Advanced Audit & Monitoring

  • View Auditing Tab: Allows the user to see the audit trail of changes made specifically to a user's account.
  • Add / Edit / Remove Email Monitors: Allows the user to set up and manage "Email Monitors," which BCC a supervisor or admin on all incoming/outgoing mail for a specific account.
  • View Sites Tab: Allows the user to see a list of Google Sites owned by the specific user.
  • View Third Party Applications Tab / Revoke Auth Tokens: Allows the user to see which external apps have access to a user's data and disconnect them if necessary.
  • View User History Tab: Shows a timeline of administrative actions performed on a specific account.
  • Schedule User Status Update: Allows the user to set a future date and time for an account status change (such as scheduling a suspension for an employee's final day).

Users > Gmail

Gmail Bulk Operations

  • Bulk Add Gmail Label: Allows an admin to simultaneously create and apply a specific organizational tag to the mailboxes of multiple users at once.
  • Bulk Add Gmail Filter: Allows an admin to deploy standardized inbox rules (e.g., auto-labeling or auto-archiving) to a large group of users in a single action.

Gmail User Settings

  • View Gmail Settings Tab: Unlocks the primary management interface within a user's profile for overseeing their specific mailbox configuration and security options.
  • Add Gmail Account Delegation: Allows an admin to grant one employee the authority to read and send email from another user's account without needing their password.
    +1
  • Remove Gmail Account Delegation: Allows an admin to revoke a previously granted permission for someone to access another user's mailbox.
  • View Gmail Filters: Grants visibility into all automated rules a user has created to manage their incoming and outgoing mail.
  • Add Gmail Filters: Allows an admin to create new automated actions for a user's mailbox, such as marking specific senders as important.
  • Delete Gmail Filters: Allows an admin to remove existing inbox rules that may be conflicting with company policy or user workflows.
  • Add Gmail Send As: Allows an admin to configure alternate "from" addresses (aliases) that a user can use when composing new emails.
  • Remove Gmail Send As: Allows an admin to delete a user's ability to send emails from a specific secondary or alias address.
  • Add Gmail Label: Allows an admin to create a new organizational category within a specific user's mailbox.
  • Edit Gmail Label: Allows an admin to rename or modify the properties of an existing category in a user's Gmail account.
  • Delete Gmail Label: Allows an admin to permanently remove a specific tag and its categorization from a user's mailbox.
  • Add Gmail Pop Settings / Add Gmail Imap Settings: Allows an admin to configure how external mail clients (like Outlook or mobile apps) connect to and sync with the user's Google mailbox.
  • Set Gmail Vacation Message: Allows an admin to draft and implement an out-of-office auto-reply on behalf of a user who is away.
    +1
  • Enable/Disable Gmail Vacation Message: Allows an admin to toggle a user's out-of-office responder on or off.
  • Edit Gmail Forwarding: Allows an admin to manage where a user's incoming mail is redirected, including internal and external destinations.
  • Add Gmail Forward Address: Allows an admin to register a new verified destination for a user's incoming mail to be sent to.
  • Delete Gmail Forward Address: Allows an admin to remove a specific destination from a user's approved forwarding list.
  • Set Gmail Signature: Allows an admin to define or overwrite the text and branding that appears at the bottom of a user's outgoing emails

Users > Security

  • Bulk Force Password Reset: Allows the user to select multiple accounts and require those users to change their passwords upon their next login—an essential tool for security audits or after a suspected breach.
  • Create Random Password: Allows the user to generate a complex, system-assigned password for a user account, ensuring high entropy and security during account setup or recovery.
  • Set Custom Password: Allows the user to manually type in a specific password for an employee, often used when assisting a user with an immediate login need.
  • Force Password Reset: Allows the user to flag a specific account so that the employee is prompted to create a new password the moment they log in.
  • View App Password Tab: Allows the user to see which third-party applications or legacy devices (that don't support 2-Step Verification) have been granted unique app-specific passwords for the account.
  • Revoke App Specific Passwords: Allows the user to cancel and delete specific application passwords, instantly cutting off that app’s access to the user's Google data.

User View Roles

  • Edit Email Addresses: Allows the user to add, modify, or remove secondary email addresses and aliases associated with a user’s account.
  • Edit Phone Numbers: Allows the user to update work, mobile, and home phone numbers listed in a user's contact profile.
  • Edit Organizations: Allows the user to manage professional details such as job titles, departments, cost centers, and physical office locations.
  • Edit Relationships: Allows the user to define connections between users, such as designating a manager, an assistant, or other professional associations.
  • Edit Instant Messaging: Allows the user to update the chat handles or IM usernames (such as Google Chat or Skype) listed on a profile.
  • Edit Addresses: Allows the user to update physical mailing addresses for work or home locations.
  • Edit External IDs: Allows the user to manage unique identifiers from other systems, such as an external Payroll ID or an HRIS employee number.
  • Edit Websites: Allows the user to add or update URLs on a profile, such as a LinkedIn profile or a personal portfolio link.
  • Edit Notes: Allows the user to add or modify administrative descriptions or internal notes within a user’s record.
  • Edit Gender: Allows the user to update or correct the gender information listed in an employee's directory settings.
  • View Custom Attributes: Allows the user to see specialized data fields unique to your organization (e.g., "Security Clearance Level" or "T-Shirt Size").
  • Edit Custom Attributes: Allows the user to input or change data within those specialized, company-specific fields.
  • View All Groups: Grants the user the ability to see a comprehensive list of every Google Group (mailing list) created within the domain.
  • Create Group: Allows the user to establish new Google Groups for communication, collaboration, or permission management.
  • View Shared Contacts: Allows the user to browse the organization’s Global Address List (GAL) containing shared external contacts.
  • Add Shared Contacts: Allows the user to create new external contact entries that will be visible to everyone in the organization.
  • Edit Shared Contacts: Allows the user to update existing external contact information in the shared directory.
  • Delete Shared Contacts: Allows the user to permanently remove external contacts from the Global Address List.
  • View Directory Search: Allows the user to access and use the advanced search tools to find people and resources within the company directory.
  • Logged In: User Portal: Allows the user to sign in to the platform’s end-user interface to manage their own personal settings or assigned tasks.
  • Add all current and future users within domain: A powerful scoping permission that automatically applies the current role's rules to every existing account and any new account created in the future, ensuring total domain coverage.