A customizable approach to administrative privileges

Monday, May 16, 2011



Managing Google Apps for an entire organization is not always a one-size-fits-all job. Google Apps Administrators often need to securely share management responsibilities with others. These users may need to have access to certain administrative privileges like user creation, password resets or managing groups, but not to all of them. To address these needs, we’re launching Delegated Admin to our Business and Edu customers. With this new feature, your primary administrators or “Super Admins” can now offer other users specific administration controls.

Lukas Karlsson of the Broad Institute summed it up, “I like the fact that I can create additional administrator accounts and grant them access to certain administrative functions without having to make them full-fledged administrators. Our organization is growing quite large and, as that happens, we want to grant more folks access to specific tabs in the control panel, so this is very useful.”

Joseph Dellano of Tempus Nova, Inc. believes, “this will be well-used by enterprises that have specific people in charge of responsibilities like mailing list administration.” Specifically, a Super Admin can create a help desk for your organization by granting other administrators the minimal access necessary to do their jobs. Consider an example:

Collin is an IT Associate at your company who is responsible for helping employees who have lost their password or username. You can now give Collin the ability to access the “Organization & Users” tab in the Control Panel, so that he can manage user access to Google Apps. You can also further control which actions he has the right to perform. For example, you may give Collin the right to reset passwords, but not to create new user accounts.


With these customizable privileges, Delegated Administration is another way you can tailor Google Apps to your business needs. To get started today:
  1. Log in to the Google Apps administrator control panel
  2. Under “Organization and Users,” find and click on the user account to which you wish to grant privileges
  3. Click the “Privileges” tab
  4. To make the user a Super Admin, select the check box labeled “This user has full administrative rights within this Control Panel.” To restrict the user's access to selected functions of the Control Panel, select the check boxes next to the tabs you want the user to access
  5. Select the specific actions the user is allowed to perform under each tab
  6. Click “Save changes” to confirm that you want to grant administrator access to the user
When the user signs into the control panel, only the Dashboard and the selected tabs will appear in the menu bar. The user will have administrator access to the settings you granted them, but nothing more.

We look forward to continuing to make it easier to help Google Apps administrators share tasks across teams and Help Desks.

12 comments:

Rajakumaran said...

Here I do not view the super admin control panel.

Matthew said...

Great new feature! I'm assuming there are still the issues that these newly granted administrators must have an email login at the primary domain? It would be nice if this functionality supported granting access to Administrators who were not in the primary domain, i.e. users who are in a subsidiary account or secondary domain (in a multiple domain configuration).

Allison said...

Great addition!!

Daniel Baker said...

We now need the ability to restrict access to certain OUs.

-Dan

Chuck said...

This is a much needed feature for administering an enterprise organization. Thanks for providing it! Now ... can you search for all the users to whom you have granted privileges? I don't find a way to do that, and even with careful record-keeping, one would want to reconcile that with reality.

HI USA Engagement Manager said...

Is the ability to restrict admin tasks to specific groups of users by organization or sub-organization going to roll out soon?

This would be really useful.

Thanks

Danny

Frank said...

From a reseller's perspective, we need the ability to assign accounts to specific admins. It's not unusual to have account managers for specific organizations for the admin to manage directly.

Brian said...

Great feature, but it needs the ability to delegate to non-primary accounts and restrict to certain OUs.

Dave said...

When will this be available to Government Edition?

Netizen1 said...

How do I allow my Helpdesk to reset sign-in cookies?

(Reset cookies and prompt the user to sign in)

They can reset passwords, but where has this feature gone?

Jaideep said...

Thanks for all the useful feedback.

Delegated Admin is currently aimed at users who have logins in the primary domain.

Overall, we'll look at ways to restrict an Admin's scope to specific sets of users.

Searching for Users Who've been Granted Privileges: Today, an indirect way to do this is via the Admin Audit API. It lets you determine who granted certain Delegated Admin privileges:
http://code.google.com/googleapps/domain/audit_admin/v1/using_api.html
We'll look at more direct ways to get this information.

Delegated Administration should now be available on Government Edition.

The ability to reset cookies is still limited to Super Administrators only, i.e. it cannot be delegated today.

We look forward to iterating and continuing to address valuable user input.

Jaideep Mirchandani

zipppps said...

Hi, I'd like to add my support for a feature to allow administrators with sub-organization access only. We have our company split into sub-organizations by country, all under a .com domain, and it would be great to allow each country to have their own admin who can only edit the local accounts / users.
