If you’re interested in cloud solutions, you probably know that Google Workspace is a suite of applications designed for efficient office work and communication among team members. What you might not know is how much access a service administrator has. If you are a Google Workspace admin, you may also wonder if the access you have will allow you to maintain control over your company data and ensure security. Let’s find out.
Table of contents
What is the Google’s admin console?
The admin console is an application that allows you to manage the corporate Google Workspace package. Only an admin, a user with special permissions and an administrator account, can use the admin console. You can sign in to an admin console at admin.google.com.
An administrator can manage services included in the Google package. They can add users and remove user accounts, assign roles, configure devices, enforce two-step verification, analyse billing, and more. The scope of the admin control can vary. A super admin, for instance, has privileges no other use has. We’ll get to that in the latter part of the article.
Administrator data control
Through the Google admin console, an administrator can manage all the tools available in the package. To make their work easier, key settings for each Google Workspace service should be configured immediately after deployment.
One of the most crucial functions of the admin console is data control. A Google admin can generate reports with a wealth of information. These reports allow them to spot potential threats, verify configuration issues, analyse the actions of individual users, and monitor the activity of other admins. Let’s look at some basic and commonly used actions that Google Workspace service administrators employ in their daily work.
If you’re not comfortable configuring the admin console on your own, FOTC technicians will be happy to do it for you. Contact us to determine the best solutions together.
Organisational units
After the initial sign-in to Google Workspace, an admin will notice that all users are in one organisational unit. This is the highest-level unit. However, you should create smaller units in the admin console that correspond to your company’s organisational structure.
You can create any number of units – they can be equivalent or set up in a hierarchical manner. Then, assign users to each unit. This enables group permissions for users within specific departments.
Bulk permission assignment
For instance, you might want your employees to have restricted access to social media. However, these services are essential for the marketing department. In this case, you block the appropriate websites for the entire company (top-level unit), and then lift this restriction for the Marketing Department unit. Importantly, all subordinate units (and their assigned users) inherit this setting.
Data on drives
Virtually every company stores sensitive data on drives. Sometimes, this data should not leave the organisation, or even be accessible to most employees. In such cases, use the Google admin console to block specific drives or folders and set up additional alerts. You can receive notifications whenever someone views files considered sensitive, makes changes to it, or tries to send it outside the company. Also, remember that a Google Workspace admin can easily generate a report listing all docs shared outside the organisation.
Application settings configuration
The admin console also contains a section for managing applications. There are numerous options in this area. For instance, you can disable specific Google apps for individual units.
But that’s not all. Each Google Workspace service has a number of settings in the console that admins can control to serve the needs of their business. For instance: setting up additional anti-spam filters in Gmail or disabling users’ ability to create shared drives in Google Drive.
Security settings
Admin control of Google Workspace data primarily serves to maintain security. Therefore, this section in the console is quite extensive.
The extent of data control by a Google admin is larger the higher the Google Workspace package your company uses. But even in the basic version, you have a powerful set of data security tools at your disposal.
Experts estimate that by 2025, up to 99% of cloud security incidents will result from user errors. If you’re unsure about the adequacy of your company’s data protection, we can help you verify it. FOTC offers a Google Workspace security audit that involves a detailed examination of your Google Workspace instance settings to assess its protection against data leaks, cyber attacks, and dishonest employee activities. Within this service, we analyse over 150 risk points in eight key areas.
Password strength determination
An administrator can also set the strength of passwords that all users in the organisation must use when logging into their Google accounts. They can also set a time period after which the user will have to set a new one.
Two-step verification
From the console, administrators can enforce two-step verification for user account logins. In such cases, to log into their account, users also perform an additional action, such as using security keys, SMS codes, or Google notifications.
Device control
Administrators can also manage all company devices, including laptops, desktop computers, and mobile phones (endpoints) from the console. This ensures data security against unauthorised access.
As a Google admin, you can decide, for instance, which endpoints (computers, phones) can access company data. You can also generate a report showing which devices users are logged into their company accounts. If, for example, a private device is being used, an administrator might want to block it and remotely log the user out. Regular analyses in this area help control who has access to the company’s data and from where.
Super admin and other roles
Managing the Google Workspace package doesn’t have to be the responsibility of just one person. The admin role can be assigned to multiple users. Importantly, each of these individuals can have different permissions and privileges.
A super admin is someone who can perform all available actions in the admin console. However, you can also designate administrators with appropriately limited permissions. For example, they might only be able to reset passwords, set up services, or manage accounts within a specific organisational unit.
To facilitate this, Google has predefined admin roles. If these roles match your needs, you can assign a ready-made admin role to a user. If that’s not sufficient, you can create custom roles with permissions tailored to your organisational needs.
Google administrator and data control – FAQs from employees
Can a Google Workspace administrator see my emails?
Yes. Within Google Workspace, administrators have significant capabilities when it comes to analysing users’ email boxes. Through the admin console, they can not only check who sent a particular message and when, but also what happened to incoming messages. The administrator’s report provides information such as whether an employee read, deleted, archived, or forwarded a message, and which documents were attached to it.
This data is available for up to 30 days, even if the message is deleted. Moreover, if the company uses Google Vault for archiving user correspondence, access to such data is practically unlimited in time. This application also allows the administrator to review the content of messages even if they’ve been deleted.
FOTC offers longer tests, cheaper packages, and 24/7 support.
Can a company admin view my browsing history in Chrome?
No. An admin can block access to specific websites from the corporate account but cannot see the history of sites viewed in the browser. Similarly, the same applies to the YouTube application – the history of videos viewed by the user is not accessible from the console.
At the same time, remember that an administrator can reset the password for any Google Workspace user account and then set a new one. After logging into that account, they will have access to all the information the user can see.
