Who Has Admin Access? How to Audit Google Workspace Roles
Most organizations can't answer who has admin access and why. Here's how to audit every role assignment in Google Workspace and fix privilege creep.
If you manage a Google Workspace with more than a handful of admins, you've probably asked yourself: who actually has admin access, and what can they do? The native Admin Console makes it surprisingly hard to answer that question. You can view individual roles, and you can view individual users, but there's no way to see the full picture — all roles across all users, in one place.
Most organizations discover their admin role situation is messier than they thought. People get promoted, change teams, or take on temporary responsibilities, and their admin privileges follow them. Six months later, nobody remembers who was granted User Management Admin for that onboarding project, or why three people have Super Admin when the policy says two.
This is privilege creep, and it's one of the most common security gaps in Google Workspace.
Why the Admin Console Falls Short
Google Workspace supports dozens of admin roles — Super Admin, Groups Admin, User Management Admin, Help Desk Admin, plus any custom roles your organization has created. Each role grants a specific set of privileges, and each can be scoped to the entire organization or restricted to specific organizational units.
The Admin Console lets you click into each role individually to see its members, or click into each user to see their roles. For an organization with 15 roles and 200 users, that means dozens of clicks just to build a basic picture. There's no export, no comparison view, and no way to see which users have overlapping privileges.
This makes periodic access reviews — something most security frameworks require — tedious enough that they rarely happen. And when they don't happen, privilege creep goes unchecked.
Two Ways to Audit
MonitorWorkspace now gives you two complementary views of admin roles in a single dashboard:
By User — Select any admin user and see every role assigned to them in one glance. Super admins, delegated admins, custom roles — all listed with their privilege counts and scope (organization-wide or restricted to specific OUs).
This view answers: What can this person do?
By Role — Select any role and see every user assigned to it, along with the total privilege count and member count. This makes it easy to spot roles with unexpectedly many members, or critical roles where membership should be tightly controlled.
This view answers: Who can perform this action?
Together, they give you a complete matrix of admin access without the manual clicking.
What a First Audit Typically Reveals
We've found that a typical first audit surfaces surprises that have been hiding in plain sight:
- Former team leads who still have User Management Admin from when they ran onboarding six months ago. They changed roles but nobody revoked the privilege.
- Custom roles created for a one-time project that were never cleaned up. They're still granting access to sensitive settings even though the project ended.
- Super Admin sprawl — more people with full admin access than the organization intended. Super Admin is the most powerful role in Workspace, and many orgs have twice as many as their policy allows.
- Orphaned scoped assignments — roles that were restricted to a specific OU that no longer exists or has been restructured.
- Overlapping privileges — users with multiple roles that grant the same permissions, making it unclear which role they actually need.
Any of these can be a finding in a security audit. More importantly, each one represents unnecessary attack surface.
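As an added illustration (not MonitorWorkspace's code), the sketch below builds the By User and By Role views from one scan and flags three of the findings listed above: Super Admin sprawl, orphaned OU scopes, and overlapping privileges. Field names follow the Admin SDK Directory API `roles.list` and `roleAssignments.list` items; the sample data, the `EXAMPLE_*` privilege names, `LIVE_OUS` and the `MAX_SUPER_ADMINS` policy limit are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data shaped like Admin SDK Directory API items
# (roles.list, roleAssignments.list). IDs and privilege names are made up.
ROLES = [
    {"roleId": "r1", "roleName": "_SEED_ADMIN_ROLE", "isSuperAdminRole": True,
     "rolePrivileges": [{"privilegeName": "EXAMPLE_ALL"}]},
    {"roleId": "r2", "roleName": "_USER_MANAGEMENT_ADMIN_ROLE",
     "rolePrivileges": [{"privilegeName": "EXAMPLE_USER_CREATE"},
                        {"privilegeName": "EXAMPLE_USER_UPDATE"}]},
    {"roleId": "r3", "roleName": "Onboarding project (custom)",
     "rolePrivileges": [{"privilegeName": "EXAMPLE_USER_CREATE"}]},
]
ASSIGNMENTS = [
    {"roleId": "r1", "assignedTo": "alice", "scopeType": "CUSTOMER"},
    {"roleId": "r1", "assignedTo": "bob", "scopeType": "CUSTOMER"},
    {"roleId": "r1", "assignedTo": "carol", "scopeType": "CUSTOMER"},
    {"roleId": "r2", "assignedTo": "dave", "scopeType": "CUSTOMER"},
    {"roleId": "r3", "assignedTo": "dave", "scopeType": "ORG_UNIT", "orgUnitId": "ou-old"},
]
LIVE_OUS = {"ou-sales", "ou-eng"}  # OUs that still exist (constructed)
MAX_SUPER_ADMINS = 2               # assumed policy limit

def audit(roles, assignments, live_ous, max_super):
    """Return (by_user, by_role, findings) for one scan."""
    privs = {r["roleId"]: {p["privilegeName"] for p in r.get("rolePrivileges", [])}
             for r in roles}
    supers = {r["roleId"] for r in roles if r.get("isSuperAdminRole")}
    by_user, by_role, findings = defaultdict(set), defaultdict(set), []
    for a in assignments:
        by_user[a["assignedTo"]].add(a["roleId"])
        by_role[a["roleId"]].add(a["assignedTo"])
        # Role scoped to an OU that no longer exists
        if a["scopeType"] == "ORG_UNIT" and a.get("orgUnitId") not in live_ous:
            findings.append(("orphaned_scope", a["assignedTo"], a["roleId"]))
    super_users = sorted({u for r in supers for u in by_role.get(r, ())})
    if len(super_users) > max_super:
        findings.append(("super_admin_sprawl", tuple(super_users)))
    # Pairs of roles on one user that grant the same privilege
    for user in sorted(by_user):
        rids = sorted(by_user[user])
        for i, first in enumerate(rids):
            for second in rids[i + 1:]:
                shared = privs.get(first, set()) & privs.get(second, set())
                if shared:
                    findings.append(("overlap", user, first, second, tuple(sorted(shared))))
    return dict(by_user), dict(by_role), findings

if __name__ == "__main__":
    for finding in audit(ROLES, ASSIGNMENTS, LIVE_OUS, MAX_SUPER_ADMINS)[2]:
        print(finding)
```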
How It Works
Go to your MonitorWorkspace dashboard and click the Roles tab. Click Scan Roles to sync your organization's roles and assignments from the Google Admin SDK. The scan takes a few seconds and shows you summary stats at the top: total roles, total admin users, and super admin count.
From there you can:
- Switch between By User and By Role views to explore the data from either angle.
- Search and filter to find specific users or roles.
- View privilege counts for each role to understand the scope of access it grants.
- Check assignment scope — see whether a role applies to the entire organization or is restricted to specific OUs.
Role data is cached and auto-refreshes weekly, but you can trigger a manual rescan anytime after making changes in the Admin Console.
Building a Regular Review Process
An audit is most valuable when it's repeated. Here's a practical cadence:
- Run your first scan to establish a baseline. Note the Super Admin count and total admin user count.
- Review monthly — rescan and compare. New assignments should have a clear justification.
- After org changes — when teams restructure, people leave, or projects end, rescan to catch stale assignments.
- Before compliance reviews — run a fresh scan so you have current data for auditors.
The goal isn't zero admin roles — it's making sure every assignment is intentional and current.
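The monthly "rescan and compare" step can be sketched as a diff between two saved scans. This is an added example, not part of the product: the snapshots mirror `roleAssignments.list` entries, while the role IDs, user names and the `APPROVED` justification record are hypothetical.

```python
# Constructed snapshots of two scans; items mirror roleAssignments.list entries.
BASELINE = [
    {"roleAssignmentId": "1", "roleId": "super", "assignedTo": "alice", "scopeType": "CUSTOMER"},
    {"roleAssignmentId": "2", "roleId": "helpdesk", "assignedTo": "bob",
     "scopeType": "ORG_UNIT", "orgUnitId": "ou-eu"},
    {"roleAssignmentId": "3", "roleId": "groups", "assignedTo": "carol", "scopeType": "CUSTOMER"},
]
CURRENT = [
    {"roleAssignmentId": "1", "roleId": "super", "assignedTo": "alice", "scopeType": "CUSTOMER"},
    {"roleAssignmentId": "9", "roleId": "helpdesk", "assignedTo": "bob", "scopeType": "CUSTOMER"},
    {"roleAssignmentId": "10", "roleId": "super", "assignedTo": "dave", "scopeType": "CUSTOMER"},
    {"roleAssignmentId": "11", "roleId": "usermgmt", "assignedTo": "erin", "scopeType": "CUSTOMER"},
]
# Hypothetical approvals record: (user, role) -> reference to the justification
APPROVED = {("dave", "super"): "CHANGE-REF-PLACEHOLDER"}

def index(snapshot):
    """Map (user, role) -> set of scopes. Assignment IDs are ignored on purpose:
    a revoke followed by a re-grant may get a new ID but is the same access."""
    idx = {}
    for a in snapshot:
        scope = "CUSTOMER" if a["scopeType"] == "CUSTOMER" else a.get("orgUnitId", "unknown-ou")
        idx.setdefault((a["assignedTo"], a["roleId"]), set()).add(scope)
    return idx

def review(baseline, current, approved):
    """Diff two scans and list new assignments that lack a recorded justification."""
    old, new = index(baseline), index(current)
    report = {"added": [], "removed": [], "scope_changed": [], "unjustified": []}
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            report["added"].append(key)
            if key not in approved:
                report["unjustified"].append(key)
        elif key not in new:
            report["removed"].append(key)
        elif new[key] != old[key]:
            report["scope_changed"].append((key, sorted(old[key]), sorted(new[key])))
    return report

if __name__ == "__main__":
    for section, entries in review(BASELINE, CURRENT, APPROVED).items():
        print(section, entries)
```

Here the move of bob's Help Desk role from one OU to the whole organization shows up as a scope change rather than as an unrelated add and remove.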
Related: Safer Email Transfers
Role auditing pairs well with our other new feature — email transfer dry runs. Preview exactly how many emails will transfer before committing, with smarter filters to skip newsletters, duplicates, and noise. Both features are about seeing before you act.
If you're building an offboarding process, our complete offboarding checklist covers every step from email transfers to license reclamation. And for a deeper dive into what admin roles mean in practice, see our admin role audit use case.
Getting Started
Admin role auditing is available now for Pro plan subscribers and above. If you're on the free plan, you can still see the Roles tab to preview the interface.
Go to Dashboard, click the Roles tab, and run your first scan. It takes ten seconds to see what's been hiding in your admin role assignments.