Skip to main content
Google’s permissions system gives you fine-grained control over who can see, edit, and administer your workspace and its projects. By combining workspace-level roles with project-level visibility settings and scoped API keys, you can ensure that every team member and every integration has exactly the access it needs — and nothing more.

Role-Based Access Control

Every member of your workspace is assigned one of three roles. These roles govern what actions a member can take across the entire workspace by default.
RoleDescription
AdminFull access to all workspace settings, billing, team management, and every project. Can create, edit, and delete any resource.
EditorCan create and edit projects and records. Cannot access workspace Settings, billing, or manage other members’ roles.
ViewerRead-only access. Can view projects and records they have been granted access to, but cannot create or modify anything.
Admins can customize these roles further at the project level (see Project-Level Permissions below).

Assigning Roles

You can change any team member’s workspace role at any time from the Team settings page.
1

Open Team Settings

Click your avatar in the top-right corner and navigate to Settings → Team.
2

Find the Team Member

Use the search bar to locate the member whose role you want to change, or scroll through the member list.
3

Open the Role Dropdown

Click the current role label next to the member’s name. A dropdown will appear showing the available roles: Admin, Editor, and Viewer.
4

Select the New Role

Choose the desired role. The change is applied immediately — the member will see updated permissions on their next page load or within a few seconds.
5

Confirm the Change

A confirmation banner will appear at the top of the page. If you are demoting an Admin to a lower role, you will be asked to confirm this action to prevent accidental lock-outs.
You cannot change the role of the workspace owner. To transfer ownership, contact Google Support.

Project-Level Permissions

Project visibility settings let you override a member’s workspace role for individual projects. This means a Viewer at the workspace level can be granted Editor access on a specific project, and a project can be hidden entirely from everyone except its direct collaborators. Every project has one of three visibility levels:
VisibilityWho Can See ItWho Can Edit It
PrivateOnly members explicitly added to the projectOnly members with Editor or Admin role on the project
TeamAll workspace membersMembers with Editor or Admin workspace role
PublicAnyone with the link, including unauthenticated usersOnly workspace members with Editor or Admin role
To change a project’s visibility, open the project, click the Settings tab, and update the Visibility field. To add specific members to a Private project, use the Share button and search for their name or email.
Project-level roles always take precedence over workspace roles when they conflict. For example, a workspace Admin added as a Viewer on a private project will only have read access to that project.

API Key Scopes

When creating an API key, you select one or more scopes that define what the key is authorized to do. Limiting scopes to only what is necessary reduces risk if a key is ever compromised.
ScopeDescription
read:allRead all resources across all projects
write:allCreate and update all resources across all projects
adminFull administrative access, including team and settings management
read:dataRead data records only — no access to settings or configuration
write:dataWrite data records only — no access to settings or configuration
Scopes are set at the time of key creation and cannot be changed afterward. If you need to add or remove scopes, revoke the existing key and create a new one with the correct permissions.

Restricting Access

Locking Down Sensitive Projects

For projects containing confidential information, set the visibility to Private and explicitly add only the team members who need access. Review the member list periodically from the project’s Settings → Collaborators tab and remove anyone who no longer requires access.

Revoking a User’s Access

To immediately remove a team member from your workspace:
  1. Go to Settings → Team.
  2. Find the member and click the three-dot menu next to their name.
  3. Select Remove from Workspace.
  4. Confirm the action. The member’s session will be invalidated instantly and they will no longer be able to log in to your workspace.
Removing a member does not delete any records or projects they created. Their content remains in the workspace and is reassigned to the workspace owner.
Follow the principle of least privilege: assign every user and API key the minimum level of access required to do their job. Start with the Viewer role for new members and elevate permissions only when needed. Regularly audit your team list and API key scopes to remove access that is no longer required.