Last updated: January 29, 2024
With the advent of the new Google Analytics platform, user governance best practices should remain a priority, so that data can be accessed only by those who need it, when they need it. User and data access management in Google Analytics, whether for Universal or for Google Analytics 4 (GA4), continues to be a feature that allows administrators to easily and effectively provision access. In a world where there is an increased need for security and privacy, users will need to be able to quickly understand and leverage GA4’s flexible and streamlined access and data-restriction features.
We’ll take a look at what roles are available in GA4 and how you can best use them within your organization.
Google Analytics 4 Account Structure
Let’s very briefly review the GA4 account structure.
Accounts
At its highest level, a GA4 account operates under a single entity or organization and acts as a container for multiple properties. The account is governed by region-specific terms of service. Under the account, you can adjust data sharing settings (for example, to enable technical support) and view the Product & Services and Data Processing terms. You can also specify user roles and settings, view all filters configured for all properties, and review account change logs.
Properties
All properties fall under the account, and can be representative of specific sites, user bases, mobile apps, brands, product lines, etc. For example, a financial institution might have different lines of business, such as small business banking, consumer banking, and insurance. Each of these lines may be tracked under a different property, but all under the same account. Property configurations include setting locale and vertical, provisioning user access, defining data streams, defining various data collection settings, and linking to various Google products, such as Ads and BigQuery.
Google Analytics 4 Roles and Permissions
Several roles are available under both Accounts and Properties. If a user’s access at the account level is greater than their access at the property level, then the property inherits the account-level access (i.e., the account access takes precedence over the property access). If a user’s property access is greater than the account access, then that property’s access will take precedence over the account access, but only for that particular property. In other words, the more permissive role will take precedence for the particular resource. A role will always include the permissions of the role below it. For example, the Editor role will include all of the permissions of the Analyst role.
Administrator
Administrators have full control within the account or property to which they have access. Full control includes being able to add or remove users and assign roles and data restrictions, including to themselves, for any account or property that they are an administrator for.
Editor
Editors have full control at the account or property level. They can adjust access permissions but cannot add or remove users.
Marketer
Marketers can create, modify, and delete configurations including audiences, conversions, attribution models, events, and conversion windows.
Analyst
Analysts can create, modify, and delete account or property assets, such as dashboards and explorations, and can collaborate on shared assets.
Viewer
Viewers can see report data and account or property settings. They can also see shared assets, but they cannot collaborate on them.
None
No access is given to the user for the particular account or property.
Google Analytics 4 Data Restrictions
Data Restrictions are provisioned under each account and property, along with the roles explained above. Data Restrictions allow you to configure whether a user can see metrics related to cost or revenue, and they are created and applied through access management. The two options for data restrictions include:
No Cost Metrics
User is restricted from seeing cost metrics in reports, explorations, audiences, insights, and alerts.
No Revenue Metrics
User is restricted from seeing revenue metrics in reports, explorations, audiences, insights and alerts.
Data Restrictions can be added directly at the account or property level, but they cannot be removed if they are inherited. For example, if a user is assigned “No Revenue Metrics” at the account level, then that user cannot see revenue metrics for any property in the account. “No Cost Metrics” could, however, be set for one or more of the properties in the account.
These restrictions may not apply if a user has received permissions for Google Analytics based on permissions in other Google products that are linked to Google Analytics.
Google Analytics 4 User Groups
User Groups are groupings of users that can be concurrently given permissions, at scale, for a particular account or property within the organization, or to the organization itself, simplifying the user provisioning and management process. Members assigned to the group inherit the group’s permissions, on top of any individual permissions that they have previously received.
It is possible to have nested user groups, which may be particularly useful for modeling complex organizational hierarchies. For example, an organization might have an all-employee user group, within which there may also be a Marketing Staff user group, a Technical Staff user group, and a Security Staff user group.
The benefit of using user groups is to allow for alignment of users, organizational structures, and permissions.
Google Analytics 4 User Access Best Practices
Whether your organization is well on its way to transitioning from Universal Analytics to Google Analytics 4, or if it’s about to engage in that process, it’s never too late to start thinking about implementing best practices for user organization and access management. Here are some key things to consider, especially as data privacy and user security have taken a spotlight on the analytics stage:
- Ensure that you have at least two trusted individuals that are assigned as Account-level administrators.
  - If one person leaves or is unreachable, you have another admin available.
- Have only corporate accounts used for administration and access, as opposed to personal accounts and email addresses (e.g., Gmail).
  - If an administrator or key individual leaves and only had access via a personal account, then they could still potentially continue accessing data after they have left.
- Limit access for individuals and/or teams to the account, property, or view that is applicable to them.
  - Not everyone needs access to all the accounts or properties or views.
  - Certain teams will only need to see very specific reports within specific properties.
- Limit level of access for individuals to edit or view only.
  - “Manage users” access should be restricted to top level admins.
  - For day-to-day use, people should be granted specific rights based on their need (do they need to create and share assets, or do they only need to build reports, etc.).
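The checks above can be run against an export of your access assignments. The following is an added example, not code from Google or from this article's author: it applies the role-precedence and inherited-restriction rules described earlier and flags three of the best practices. The record layout, the sample users, the property names, and `CORPORATE_DOMAINS` are constructed assumptions.

```python
# Added example: audit a constructed export of GA4 access assignments.
# Role order follows the article (each role includes the ones below it).
ROLE_RANK = {"None": 0, "Viewer": 1, "Analyst": 2, "Marketer": 3,
             "Editor": 4, "Administrator": 5}
CORPORATE_DOMAINS = {"example.com"}  # assumption: your organization's domains

# Constructed sample records:
# (email, account role, account restrictions, {property: (role, restrictions)})
ASSIGNMENTS = [
    ("ana@example.com", "Administrator", set(), {}),
    ("raj@gmail.com", "Viewer", {"No Revenue Metrics"},
     {"consumer-banking": ("Editor", {"No Cost Metrics"})}),
    ("lee@example.com", "None", set(),
     {"insurance": ("Administrator", set())}),
]

def effective_access(account_role, account_restr, prop_role="None", prop_restr=frozenset()):
    """Resolve what a user gets on one property.

    The more permissive of the two roles wins for that property, and
    restrictions inherited from the account cannot be removed, so the
    effective restrictions are the union of both levels.
    """
    role = max(account_role, prop_role, key=ROLE_RANK.__getitem__)
    return role, set(account_restr) | set(prop_restr)

def audit(assignments, corporate_domains=CORPORATE_DOMAINS):
    """Return a list of findings for the best practices listed above."""
    findings = []
    # Best practice: at least two account-level administrators.
    admins = [email for email, role, _, _ in assignments if role == "Administrator"]
    if len(admins) < 2:
        findings.append(f"only {len(admins)} account-level administrator(s); assign at least two")
    for email, acct_role, acct_restr, props in assignments:
        # Best practice: corporate accounts only.
        if email.rsplit("@", 1)[-1].lower() not in corporate_domains:
            findings.append(f"{email}: non-corporate address has access")
        # Best practice: user management limited to top-level admins.
        for prop, (prop_role, prop_restr) in props.items():
            role, _ = effective_access(acct_role, acct_restr, prop_role, prop_restr)
            if role == "Administrator" and acct_role != "Administrator":
                findings.append(f"{email}: can manage users on {prop} via property role")
    return findings
```
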
Conclusion
User governance should be a sensitive topic in every organization. Having the proper types of roles, and being able to easily and quickly manage users and provision access, at scale, goes a long way to help ensure that your users are only accessing what they need, when they need it. The new Google Analytics 4 platform continues to offer great features and controls to help your organization ensure that they are able to audit and adjust their users’ permissions in line with their security policies.
Check back here for updates on new and exciting features that will continue to improve your user and data access management. In the meantime, to learn more about the move to GA4, take a look at our Beginner’s Guide to Google Analytics 4.