To manage Google users, Workspace ONE requires a Gmail administrator account: either a super admin account or an administrator account with the specific privileges listed in this procedure.
Note:
1. If you choose to use a super admin account, skip to step 5.
2. Use a service account if you do not want Workspace ONE to change or revoke the admin password from the Google console.
Procedure
- Log in to your Google dashboard and navigate to Admin Roles.
- Select Create A NEW ROLE.
  The Create New Role form displays.
- Enter the Name and Description for the role, and then select Create.
- On the Privileges tab, select the privileges for the new role.
  The required privileges include:
  - Admin console Privileges
    - Organization Units - Read
    - Users - Read
    - Update - Rename users, Move users, Reset Password, Force Password, Add or Remove Aliases, Suspend Users
    - Security - To allow an admin with a custom role to revoke G tokens, enable User Security Management under both Admin console privileges and Admin API privileges.
  - Admin API Privileges
    - Organization Units - Read
    - Users - Read
    - Update - Rename users, Move users, Reset Password, Force Password, Add/Remove Aliases, Suspend Users
    - Groups - To allow an admin with a custom role to revoke G tokens, enable User Security Management under both Admin console privileges and Admin API privileges.
- Select Save.
- Select the Admins tab, select Assign admins to assign the created role to an administrator, and then select Confirm Assignment.