Assigning User permissions on Google Analytics


  • [GA4] Access and data-restriction management

    Learn how to assign roles and data restrictions in your Google Analytics account or property to manage access

    This article covers access and data-restriction management for Google Analytics 4 and Universal Analytics. In both versions of Analytics, you manage access by assigning roles. In Google Analytics 4, you manage data restrictions by choosing one or both of the data-restriction options described below. In Universal Analytics, you manage data restrictions by giving users access to different reporting views.

    Google Analytics 4

    You can manage access and data restrictions at the account and property levels.

    To assign roles and data restrictions:

    1. In Admin, under Account or Property, click Account access management or Property access management.
    2. Assign roles to new or existing members (e.g., users and groups). Learn how to add, edit, and delete Analytics users and user groups.

    Effective permissions are the roles and data restrictions that a member is assigned via other resources (like the organization, a user group, or an account that includes the current property) plus all the direct permissions assigned explicitly for the current resource.

    Direct permissions are the roles and data restrictions that a member is assigned explicitly for the current resource (e.g., organization, account, property).

    Five roles and two data restrictions are available:

    Role and explanation:

    • Administrator: Full control of Analytics. Can manage users (add/delete users, assign any role or data restriction). Can grant full permissions to any user, including themselves, for any account or property for which they have this role. Includes permissions of the Editor role. (Replaces Manage Users permission.)
    • Editor: Full control of settings at the property level. Cannot manage users. Includes permissions of the Analyst role. (New name for Edit permission.)
    • Marketer: Can create, edit, and delete audiences, events, and key events. Can edit attribution-model settings. Includes permissions of the Analyst role.
    • Analyst: Can create, edit, and delete certain property assets. Can collaborate on shared assets. Includes permissions of the Viewer role. (New name for Collaborate permission.) Property assets include things like Explorations.
    • Viewer: Can see settings and data; can change which data appears in reports (e.g., add comparisons, add a secondary dimension); can see shared assets via the user interface or the APIs. Cannot collaborate on shared assets. For example, shared explorations can be viewed, but not edited, by those with a Viewer role. (New name for Read & Analyze permission.)
    • None: The user has no role for this resource. The user may have a role for another resource.

    Data restriction and explanation:

    • No Cost Metrics: Cannot see metrics related to cost. Cost metrics are unavailable in reports, explorations, audiences, insights, and alerts. See below for more information.
    • No Revenue Metrics: Cannot see metrics related to revenue. Revenue metrics are unavailable in reports, explorations, audiences, insights, and alerts. See below for more information.

    Cost and revenue metrics

    Parent roles are inherited by default (e.g., account > property). For example, when you give a user a role at the account level, that user then has the same role for all the properties in that account.

    A user's effective permissions equate to the most-permissive role for that resource.

    For example, if a user has the Editor role for the account, then that user has the Editor role for all of the properties in that account, regardless of whether the user is also assigned a less-permissive role for one of the properties.

    In addition, if a user is assigned a more-permissive role for a property than the user has at the account level, then that more-permissive role applies for that property.

    You can add data restrictions as direct permissions but you cannot remove them if they're in effect as inherited permissions. For example, if a user is assigned No Cost Metrics at the account level, then that user cannot see cost metrics for any property in the account. You could, however, add the No Revenue Metrics restriction for one or more of the properties in the account.
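
    The inheritance rules above, worked through for one member on one property (an added example, not part of the original article and not Google's code). The Grant model, function names and sample addresses are hypothetical, and ranking Editor above Marketer is an assumption taken from the order in which the roles are listed.

```python
from dataclasses import dataclass

# Least to most permissive. Editor above Marketer is an assumption taken
# from the order in which the article lists the roles.
ROLE_RANK = ["None", "Viewer", "Analyst", "Marketer", "Editor", "Administrator"]


@dataclass(frozen=True)
class Grant:
    """Direct permissions a member holds on one resource (hypothetical model)."""
    role: str = "None"
    restrictions: frozenset = frozenset()


def effective(account: Grant, prop: Grant) -> Grant:
    """Combine the account-level grant with the property-level grant."""
    for g in (account, prop):
        if g.role not in ROLE_RANK:
            raise ValueError(f"unknown role: {g.role!r}")
    # The most-permissive role wins, whichever level it was assigned at.
    role = max(account.role, prop.role, key=ROLE_RANK.index)
    # Inherited restrictions cannot be removed lower down; direct ones add to them.
    return Grant(role, account.restrictions | prop.restrictions)


def review(members: dict) -> list:
    """List members whose effective role exceeds their property-level role."""
    findings = []
    for name, (account, prop) in sorted(members.items()):
        eff = effective(account, prop)
        if ROLE_RANK.index(eff.role) > ROLE_RANK.index(prop.role):
            findings.append((name, prop.role, eff.role))
    return findings


# Constructed sample data, not taken from any real account.
SAMPLE = {
    "ana@example.com": (Grant("Editor"), Grant("Viewer")),
    "raj@example.com": (Grant("Viewer", frozenset({"No Cost Metrics"})),
                        Grant("Analyst", frozenset({"No Revenue Metrics"}))),
    "lee@example.com": (Grant("None"), Grant("Marketer")),
}

if __name__ == "__main__":
    for name, (acct, prop) in SAMPLE.items():
        eff = effective(acct, prop)
        print(name, eff.role, sorted(eff.restrictions))
    print("review findings:", review(SAMPLE))
```

    The review function surfaces the case an access review most often misses: a member who looks like a Viewer on the property but is an Editor through the account.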

    As an administrator, you have a couple of options to see which users have which roles. From the User Management page at the account or property level:

    • Search for a specific user name to see that user's roles.
    • Click the Account Roles column head to sort the list by roles.

    How data restrictions affect other Analytics features

    Data restrictions are enforced in both the Analytics interface and analogous Analytics API calls.

    Data restrictions are created and applied via Analytics access management. Users may not be subject to these restrictions if they have permissions for Analytics based on permissions in other Google products that are linked to Analytics.

    Feature and effect:

    • Reports: Restricted metric values and values derived from restricted metrics do not appear in reports. Users see 0 instead. Restricted metrics are available in metric pickers associated with reports (e.g., when customizing a report). Users subject to data restrictions can add those metrics, but cannot view the results (e.g., can add the metrics to custom reports, but cannot see the metric values in those reports).
    • Explorations: Restricted metrics do not appear in explorations. Restricted metrics are available in metric pickers associated with explorations (e.g., when creating an exploration). Users subject to data restrictions can add those metrics, but cannot view the results (e.g., can add the metrics to explorations, but cannot see the metric values in those explorations).
    • Audiences: Restricted metrics are available in metric pickers associated with audiences. Users subject to data restrictions can create audiences based on restricted metrics and edit audience names after creation, but those users are subject to the limitations listed below.
      • Cannot use an audience (e.g., as a dimension filter) that includes restricted metrics.
      • Cannot see audience count for audiences that include restricted metrics.
      • Cannot add audience triggers to audiences based on restricted metrics.
    • Automated insights: Cannot see automated insights based on restricted metrics in the user interface.
    • Custom insights: Users with permission can create and edit custom insights based on restricted metrics. Cannot see custom insights in the user interface and cannot receive them via email.
    • Custom metrics: Users with permission can create custom metrics and indicate that those metrics include cost or revenue data. Users with corresponding data restrictions are not able to remove indications that custom metrics include cost or revenue data. Access to those custom metrics is subject to all the limitations listed in this article.

    Analytics-Firebase linking

    Firebase project users are automatically granted Analytics roles when you link a Firebase project to an Analytics property:

    • Firebase users in a project, based on their highest Firebase firebaseanalytics permission, are assigned to one of four Firebase virtual users:
      • Firebase project <project number> Editor
      • Firebase project <project number> Marketer
      • Firebase project <project number> Viewer (no data restrictions)
      • Firebase project <project number> Viewer (no access to cost or revenue data)
    • The Firebase virtual users are in turn assigned to default roles in the linked Analytics property.

    If you have this Firebase role/permission, you are assigned to this Firebase virtual user, which is assigned this Analytics role:

    • firebaseanalytics.resources.googleAnalyticsEdit
      • Firebase virtual user: Firebase project <project number> Editor
      • Analytics role: Editor, no data restrictions
    • firebaseanalytics.resources.googleAnalyticsAdditionalAccess
      • Firebase virtual user: Firebase project <project number> Marketer
      • Analytics role: Marketer
    • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
      • Firebase virtual user: Firebase project <project number> Viewer
      • Analytics role: Viewer, no data restrictions
    • firebaseanalytics.resources.googleAnalyticsRestrictedAccess
      • Firebase virtual user: Firebase project <project number> Viewer
      • Analytics role: Viewer, no access to cost or revenue data

    In Analytics access management, each Firebase virtual user represents a group of users in the linked Firebase project.

    As an Analytics Administrator, you can change the Analytics role and data restrictions that are assigned to a property's Firebase virtual users. If you change the Analytics role and data restrictions assigned to a Firebase virtual user, you affect everyone in the Firebase project that is assigned to that virtual user.

    The role assignments and data restrictions persist until the link between the Firebase project and the Analytics property is deleted.

    Analytics Administrators can edit access for the Firebase roles in Admin > linked property > Property Access Management.

    If you linked your Firebase project to a Google Analytics 4 property before January 4, 2023, the Firebase linked users may have different roles and data access in Analytics than described in the table above.

    Analytics-Ads linking

    Google Ads users are automatically granted Analytics roles when you link a Google Ads account to an Analytics property. You can manage access to allow Google Ads users to use Analytics features from within Google Ads, such as creating Analytics audiences from Google Ads.

    • Users in a Google Ads account, based on their Google Ads account access level, are assigned to one of five Google Ads linked users:
      • Google Ads account <account number> administrator
      • Google Ads account <account number> standard
      • Google Ads account <account number> read-only
      • Google Ads account <account number> billing
      • Google Ads account <account number> email-only
    • The Google Ads linked users are in turn assigned to roles in the linked Analytics property by the Analytics Administrator.
      • Google Ads linked users must be an Administrator, Editor, or Marketer on the linked property to create Analytics audiences from within Google Ads.
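
    If you have this Google Ads account access level, you are assigned to this Google Ads linked user, which has this recommended Analytics role assignment:

    • Administrator
      • Google Ads linked user: Google Ads account <account number> administrator
      • Recommended Analytics role: Editor
    • Standard
      • Google Ads linked user: Google Ads account <account number> standard
      • Recommended Analytics role: Marketer
    • Read only
      • Google Ads linked user: Google Ads account <account number> read-only
      • Recommended Analytics role: Viewer
    • Billing
      • Google Ads linked user: Google Ads account <account number> billing
      • Recommended Analytics role: Viewer
    • Email only
      • Google Ads linked user: Google Ads account <account number> email-only
      • Recommended Analytics role: Viewer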

    In Analytics access management, each Google Ads linked user represents a group of users in the linked Google Ads account.

    As an Analytics Administrator, you can change the Analytics role and data restrictions that are assigned to a property’s Google Ads linked users. If you change the Analytics role and data restrictions assigned to a Google Ads linked user, you affect everyone in the Google Ads account that is assigned to that linked user.

    The role assignments and data restrictions persist until the link between the Google Ads account and the Analytics property is deleted.

    As an Analytics Administrator, you can view and edit access for Google Ads linked users in Admin > linked property > Google Ads Links. You can also configure their access just as you would for any user.

    To see which users have which roles, you have a couple of options. From the Account Access Management page at the account or property level:

    • Search for a specific user name to see that user's permissions.
    • Click the Account Permissions column head to sort the list by permissions.

    Universal Analytics

    You can assign user permissions in Analytics at the account, property, and view levels.

    To assign permissions:

    1. Click Admin.
    2. Click Access Management in the Account, Property, or View column.
    3. Assign roles to new or existing members (e.g., users and groups). Learn more about adding and editing users.

    Effective permissions are the roles and data restrictions that a member is assigned via other resources (like the organization, a user group, or an account that includes the current property) plus all the direct permissions assigned explicitly for the current resource.

    Direct permissions are the roles and data restrictions that a member is assigned explicitly for the current resource (e.g., organization, account, property).

    Five roles and two data restrictions are available:

    Role and explanation:

    • Administrator: Full control of Analytics. Can manage users (add/delete users, assign any role or data restriction). Can grant full permissions to any user, including themselves, for any account or property for which they have this role. Includes Editor role. (Replaces Manage Users permission.)
    • Editor: Full control of settings at the property level. Cannot manage users. Includes Analyst role. (New name for Edit permission.)
    • Marketer: Functionally the same as the Analyst role in Universal Analytics.
    • Analyst: Can create, edit, delete, and share property assets. Can collaborate on shared assets. Includes Viewer role. (New name for Collaborate permission.) Property assets include things like:
    • Viewer: Can see report and configuration data; can manipulate data within reports (e.g., add comparisons, add a secondary dimension); can create personal assets, and share them, and see shared assets via the user interface or the APIs. Cannot collaborate on shared assets. (New name for Read & Analyze permission.)
    • None: The user has no role for this object. The user may have a role for another object.

    As an administrator, you have a couple of options to see which users have which roles. From the Account Access Management page at the account, property, or view level:

    • Search for a specific user name to see that user's permissions.
    • Click the Account Permissions column head to sort the list by permissions.
