As a super administrator or reseller, you can define the context within which other admins can access the Google Admin console by assigning Context-Aware access levels to the Admin console.
Note: Do not assign access levels to the Admin console unless you specifically need to limit access to the Admin console by other admins. For details on assigning access levels to apps, go to Assign Context-Aware Access levels to apps.
This article outlines how to:
- Assign and update these access levels.
- Avoid unintentionally locking oneself or other admins out of the Admin console.
- Respond, should a lockout occur.
Before you begin
Understand possible lockout scenarios:
- Admins can mistakenly configure an access level to an IP subnet belonging to someone else, then apply this access level to the Admin console.
- Or, they might apply an outdated access level to the Admin console. This situation can occur if the access level requires a company-owned device and the admin switches from using one of these devices to a personal device.
Avoid a lockout
- Review access levels that you intend to apply to the Admin console. Be sure that at least one admin meets criteria for access.
- Create a new access level, if needed. You can ensure access conditions are met by curating an access level that you know meets conditions.
- Notice the messages that you receive while you’re adding or editing access levels in the Admin console. These messages help you determine your next step to avoid a lockout.
-
Apply policies to configuration groups, which can act as a container for access levels.
- You create a configuration group and assign access levels for apps.
- Then, you add user groups as members of the configuration group that don’t have applied to them whichever policy is causing the lockout.
For details, see Customize Context-Aware access with groups.
Ensure access to support in the event of a lockout
First, verify that you, the designated super admin, or whichever admin is the support contact can access the Google Customer Care Portal.
If needed, follow the steps to Give users access to the Customer Care Portal.
For added security, use 2-Step Verification for admins who can access the Customer Care Portal. For details, go to Protect your business with 2-Step Verification.
Working with Admin console access levels
Open all | Close all
The system works to prevent admin lockout when you perform or attempt these tasks:
-
Sign in with an
administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- From the Admin console homepage, go to Security > Access and data control > Context-Aware Access.
- Find Admin console at the top of the application list and click Assign.
- Select one or more access levels for the Admin console.
Access is granted to the Admin console if an admin meets the conditions specified in:
- One of the access levels you select—It’s a logical OR of the access levels in the list.
- More than one access level—Create an access level that contains multiple access levels using a logical AND.
- Click Save.
The system displays a progress bar while it verifies that the access level conditions do not lock any admins out. If you:
- Meet the conditions in at least one of the selected access levels—You applied the access successfully. The Assign Access Levels page shows that the access level applies.
- Do not meet the conditions of at least one of the selected access levels—The access level does not apply. After you click Save and the system attempts verification, you see this message: You can’t assign these access levels because you currently don’t meet any of these conditions, and would lose access to the Admin console.
There are restrictions on editing access levels that are assigned to the Admin console.
-
Sign in with an
administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
- Click Access Levels.
- Click an existing access level.
When you try to edit an access level that is assigned to the Admin console, you can edit its name and description, but not conditions. Attempting to do so prompts this error message: You can’t edit the conditions of this access level because it’s currently assigned to the Admin console and changes may impact another admin’s ability to access it. To edit the conditions, first unassign from the Admin console.
You can only delete access levels if doing so does not block access.
-
Sign in with an
administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
- Click Access Levels.
- Click an existing access level.
- Click Delete Access Level.
This message appears during validation: Delete access level? It’ll no longer be available in the Admin console (and in Google Cloud and the Cloud SDK, if applicable). It’ll also be removed from all apps it’s currently assigned to. Deleting this access level may impact another admin's ability to access the Admin console.
- You can delete the access level—To do so, click Confirm.
- You can’t delete the access level—Doing so would cause loss of access to the Admin console. This message appears after validation: Can't delete access level.
If you are an admin who isn’t a super admin, your attempts to delete access levels result in the message that Only super admins can delete access levels that are assigned to the Admin console. In this case, talk to the super admin or reseller about deleting access levels.
The system helps prevent you from reordering group prioritization, affecting Admin console access in the process. Any attempts to reorder groups in such a way result in the message that You can’t change the group order because doing so would result in your losing access to the Admin console.
If you are an admin who isn’t a super administrator, trying to reorder groups results in this message: You need additional administrator privileges to change the group order. In this case, talk to the super admin or reseller about reordering groups.
Contact support if you’re locked out
In the case of a total lockout, contact Google support through the Customer Care Portal.
To restore access, support removes Context-Aware access policies in the Admin console. This action doesn’t affect Context-Aware access policies for other applications (for example, Gmail or Google Calendar).
Important: Reapply the policies immediately after support removes them.
Related information
