BetaJoin our early access program — 1 year free for founding members.Apply Now →
Technical
5 min read

Who Has Admin Access? How to Audit Google Workspace Roles

Most organizations can't answer who has admin access and why. Here's how to audit every role assignment in Google Workspace and fix privilege creep.

admin-rolessecuritygoogle-workspacecompliance

Quick test: without opening the Admin Console, can you name every person in your organization who has Super Admin access? How about User Management Admin? Groups Admin?

If you had to pause — even for a second — you have a privilege creep problem. And you're in good company. Most organizations discover they have 2-3x more admin accounts than they thought, including former employees and temporary assignments from projects that ended months ago.

Google Workspace makes it easy to grant admin access and hard to track who has what. You can click into individual roles. You can click into individual users. But there's no view that shows you the full picture — all roles across all users, in one place. So the assignments pile up, and nobody notices until an auditor asks.

Why the Admin Console Falls Short

Google Workspace supports dozens of admin roles — Super Admin, Groups Admin, User Management Admin, Help Desk Admin, plus any custom roles your organization has created. Each role grants a specific set of privileges, and each can be scoped to the entire organization or restricted to specific organizational units.

The Admin Console lets you click into each role individually to see its members, or click into each user to see their roles. For an organization with 15 roles and 200 users, that means dozens of clicks just to build a basic picture. There's no export, no comparison view, and no way to see which users have overlapping privileges.

This makes periodic access reviews — something most security frameworks require — tedious enough that they rarely happen. And when they don't happen, privilege creep goes unchecked.

Two Ways to Audit

MonitorWorkspace now gives you two complementary views of admin roles in a single dashboard:

By User — Select any admin user and see every role assigned to them in one glance. Super admins, delegated admins, custom roles — all listed with their privilege counts and scope (organization-wide or restricted to specific OUs).

This view answers: What can this person do?

By Role — Select any role and see every user assigned to it, along with the total privilege count and member count. This makes it easy to spot roles with unexpectedly many members, or critical roles where membership should be tightly controlled.

This view answers: Who can perform this action?

Together, they give you a complete matrix of admin access without the manual clicking.

What a First Audit Usually Uncovers

The first audit is always the most interesting one. Here's what tends to surface:

  • Former team leads who still have User Management Admin from when they ran onboarding six months ago. They changed roles but nobody revoked the privilege.
  • Custom roles created for a one-time project that were never cleaned up. They're still granting access to sensitive settings even though the project ended.
  • Super Admin sprawl — more people with full admin access than the organization intended. Super Admin is the most powerful role in Workspace, and many orgs have twice as many as their policy allows.
  • Orphaned scoped assignments — roles that were restricted to a specific OU that no longer exists or has been restructured.
  • Overlapping privileges — users with multiple roles that grant the same permissions, making it unclear which role they actually need.

Any of these can be a finding in a security audit. More importantly, each one represents unnecessary attack surface.

How It Works

Go to your MonitorWorkspace dashboard and click the Roles tab. Click Scan Roles to sync your organization's roles and assignments from the Google Admin SDK. The scan takes a few seconds and shows you summary stats at the top: total roles, total admin users, and super admin count.

From there you can:

  • Switch between By User and By Role views to explore the data from either angle.
  • Search and filter to find specific users or roles.
  • View privilege counts for each role to understand the scope of access it grants.
  • Check assignment scope — see whether a role applies to the entire organization or is restricted to specific OUs.

Role data is cached and auto-refreshes weekly, but you can trigger a manual rescan anytime after making changes in the Admin Console.

Building a Regular Review Process

An audit is most valuable when it's repeated. Here's a practical cadence:

  1. Run your first scan to establish a baseline. Note the Super Admin count and total admin user count.
  2. Review monthly — rescan and compare. New assignments should have a clear justification.
  3. After org changes — when teams restructure, people leave, or projects end, rescan to catch stale assignments.
  4. Before compliance reviews — run a fresh scan so you have current data for auditors.

The goal isn't zero admin roles — it's making sure every assignment is intentional and current. If you need to formalize this into a broader compliance process, the periodic access reviews guide covers the full quarterly review workflow — admin roles, groups, licenses, and OAuth apps.

What Comes After the Audit

Fixing admin roles is usually step one of a broader cleanup. Once you've tightened access, the natural next questions are: what about email transfers during offboarding? (You can preview exactly how many emails will move before committing.) What about the full offboarding process? And for a deeper look at what each role actually grants, the admin role audit use case page has the detailed breakdown.

Go to your dashboard, click the Roles tab, run a scan. Ten seconds. You'll either feel great about your admin hygiene or have a very productive afternoon.

Ready to simplify Google Workspace management?

Free for up to 10 users. Setup in 10 minutes. No credit card required.

Join the BetaRead More Articles