Role-Based Access Control
Every member of your workspace is assigned one of three roles. These roles govern what actions a member can take across the entire workspace by default.| Role | Description |
|---|---|
| Admin | Full access to all workspace settings, billing, team management, and every project. Can create, edit, and delete any resource. |
| Editor | Can create and edit projects and records. Cannot access workspace Settings, billing, or manage other members’ roles. |
| Viewer | Read-only access. Can view projects and records they have been granted access to, but cannot create or modify anything. |
Assigning Roles
You can change any team member’s workspace role at any time from the Team settings page.Find the Team Member
Use the search bar to locate the member whose role you want to change, or scroll through the member list.
Open the Role Dropdown
Click the current role label next to the member’s name. A dropdown will appear showing the available roles: Admin, Editor, and Viewer.
Select the New Role
Choose the desired role. The change is applied immediately — the member will see updated permissions on their next page load or within a few seconds.
You cannot change the role of the workspace owner. To transfer ownership, contact Google Support.
Project-Level Permissions
Project visibility settings let you override a member’s workspace role for individual projects. This means a Viewer at the workspace level can be granted Editor access on a specific project, and a project can be hidden entirely from everyone except its direct collaborators. Every project has one of three visibility levels:| Visibility | Who Can See It | Who Can Edit It |
|---|---|---|
| Private | Only members explicitly added to the project | Only members with Editor or Admin role on the project |
| Team | All workspace members | Members with Editor or Admin workspace role |
| Public | Anyone with the link, including unauthenticated users | Only workspace members with Editor or Admin role |
Project-level roles always take precedence over workspace roles when they conflict. For example, a workspace Admin added as a Viewer on a private project will only have read access to that project.
API Key Scopes
When creating an API key, you select one or more scopes that define what the key is authorized to do. Limiting scopes to only what is necessary reduces risk if a key is ever compromised.| Scope | Description |
|---|---|
read:all | Read all resources across all projects |
write:all | Create and update all resources across all projects |
admin | Full administrative access, including team and settings management |
read:data | Read data records only — no access to settings or configuration |
write:data | Write data records only — no access to settings or configuration |
Restricting Access
Locking Down Sensitive Projects
For projects containing confidential information, set the visibility to Private and explicitly add only the team members who need access. Review the member list periodically from the project’s Settings → Collaborators tab and remove anyone who no longer requires access.Revoking a User’s Access
To immediately remove a team member from your workspace:- Go to Settings → Team.
- Find the member and click the three-dot menu next to their name.
- Select Remove from Workspace.
- Confirm the action. The member’s session will be invalidated instantly and they will no longer be able to log in to your workspace.