Set Delegated Admin Privileges for Gopher for Chrome Users

Video: Gopher for Chrome: Set delegated admin access


Note: Gopher for Chrome cannot be used by gmail.com users. To access Gopher for Chrome, you must be logged in as a Google Workspace user.

Gopher for Chrome users can be either super admins or delegated admins. Users who are not super admins need delegated admin permissions. We'll set this up by creating two admin roles: one with domain-wide permissions for looking up user information when running device reports, and another with per-organization permissions that limits view/edit rights on devices within Gopher for Chrome to only those OUs you want the user to manage. You must be a super administrator to create these roles.

For a Google Workspace user to access Gopher for Chrome, they must either be a super administrator or a delegated administrator with the following privileges:

  • Admin console privileges > Users > Read for ALL organizations
  • Admin API privileges > Organization Units > Read for SELECTED organizations
  • Admin API privileges > Chrome OS > Manage devices for SELECTED organizations

Note: When running as a delegated admin, the device cache, used for search and reporting within Gopher for Chrome, is limited to the subset of devices to which the user has access.


Define Delegated Admin Roles

To accomplish this OU-scoped access, we recommend defining two roles for Gopher for Chrome: 

  • Gopher for Chrome - User Access (Domain Wide Permissions)
  • Gopher for Chrome - Device & OU Access (per OU Settings)

The Gopher for Chrome - User Access (Domain Wide Permissions)

This role is assigned to the user at the root (ALL organizations). Here we create the role and assign users to the role. 

  1. In the Admin console, navigate to Account > Admin roles.
  2. In the Roles list, click Create new role, located at the top left. 
  3. In the stepper, enter the role name: Gopher for Chrome - User Access (Domain Wide Permissions).
  4. Click Continue to go to Select Privileges.
  5. Scroll down to the Admin API privileges section.
  6. For Admin API Privileges > Users, check the Read checkbox.
    This privilege is used to look up user information when running device reports.  Device users may reside in any OU on the domain, so setting this to root will avoid errors in the tool.
  7. Click Continue to go to Review Privileges.
  8. Click Create Role. The page shows the added role and its privileges.
  9. At the top of the page, click Assign members.
  10. Search for and select the proper user.
  11. For the Organizational unit, select the Root.
  12. Click Assign Role. The user appears in the list of admins.

The Gopher for Chrome - Device & OU Access 

This role is assigned to the user for only the appropriate org units. Here we create the role and assign users to the role. 

  1. In the Admin console, navigate to Account > Admin roles.
  2. In the Role list, click Create new role, located at the top left.  
  3. In the stepper, enter the role name: Gopher for Chrome - Device & OU Access (per OU Settings).
  4. Click Continue.
  5. Scroll down to the Admin API privileges section.
  6. Under Admin API Privileges > Organizational Units, check the Read checkbox.
    This privilege is used to scope available OU lists and view/edit rights on devices within Gopher for Chrome to only those OUs you want the user to manage.
  7. Under Admin Console Privileges > Services > Chrome Management, check the Manage Chrome OS Devices checkbox.
    This privilege is used to scope device management rights to only those OUs you want the user to be able to control.
  8. Click Continue.
  9. Click Create Role. The page shows the added role and its privileges.
  10. At the top of the page, click Assign members.
  11. Search for and select the proper user.
  12. For the Organizational unit, select the OUs needed.
  13. Click Assign Role. The user appears in the list of admins.

Assign Users to the Roles

Now that you have created the roles and assigned a user, you can assign additional users to the roles when needed.

  1. In the Admin console, navigate to Account > Admin roles.
  2. In the Role list, hover over the role, then select Assign Admin.
  3. Click Assign members at the top of the grid.
  4. Search for and select the proper user.
  5. For the Organizational unit, select the OUs needed.
    Gopher for Chrome - User Access (Domain Wide Permissions) - Root
    Gopher for Chrome - Device & OU Access (per OU Settings) - Specific OUs
  6. Click Assign Role. The user appears in the list of admins.
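
One way to verify the result of the procedures above, as an added example that is not part of the original article or the vendor's tooling: it audits role assignments against the two-role design (user-access role at root, device role scoped to OUs). Records are shaped like the Admin SDK Directory API roles and roleAssignments resources; the role IDs, user names and OU IDs are constructed sample values.

```python
# Added example: audit Gopher for Chrome role assignments for correct scoping.
# Field names follow the Directory API roles / roleAssignments resources;
# every ID, user and OU below is constructed sample data.
USER_ROLE = "Gopher for Chrome - User Access (Domain Wide Permissions)"
DEVICE_ROLE = "Gopher for Chrome - Device & OU Access (per OU Settings)"

ROLES = [  # constructed: items as returned by roles.list()
    {"roleId": "101", "roleName": USER_ROLE},
    {"roleId": "102", "roleName": DEVICE_ROLE},
]
ASSIGNMENTS = [  # constructed: items as returned by roleAssignments.list()
    {"assignedTo": "alice", "roleId": "101", "scopeType": "CUSTOMER"},
    {"assignedTo": "alice", "roleId": "102", "scopeType": "ORG_UNIT", "orgUnitId": "ou-students"},
    {"assignedTo": "bob", "roleId": "102", "scopeType": "CUSTOMER"},  # device role at root
    {"assignedTo": "carol", "roleId": "101", "scopeType": "ORG_UNIT", "orgUnitId": "ou-staff"},
    {"assignedTo": "dave", "roleId": "102", "scopeType": "ORG_UNIT", "orgUnitId": "ou-staff"},
]

def audit(roles, assignments):
    """Return sorted (user, finding) tuples for users whose assignments break the design."""
    ids = {r["roleName"]: r["roleId"] for r in roles}
    user_id, device_id = ids[USER_ROLE], ids[DEVICE_ROLE]
    per_user = {}
    for a in assignments:
        if a["roleId"] in (user_id, device_id):  # ignore unrelated admin roles
            per_user.setdefault(a["assignedTo"], []).append(a)
    findings = []
    for user, rows in per_user.items():
        user_scopes = [r["scopeType"] for r in rows if r["roleId"] == user_id]
        device_rows = [r for r in rows if r["roleId"] == device_id]
        # The user-lookup role must be held at root, or device reports can error.
        if "CUSTOMER" not in user_scopes:
            findings.append((user, "user-access role missing at root"))
        if not device_rows:
            findings.append((user, "device role missing"))
        # A root-scoped device role defeats the per-OU restriction.
        if any(r["scopeType"] == "CUSTOMER" for r in device_rows):
            findings.append((user, "device role assigned domain-wide"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(ROLES, ASSIGNMENTS):
        print(f"{user}: {finding}")
```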

 

Document Version | Date | Description of Change
1.0 | 8/20/2024 | Text update, image update, reverify

 
