Summary and recommendation
Google Analytics user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Google Analytics 4 manages access through a hierarchical role-based model spanning three levels: Organization, Account, and Property. Roles assigned at a higher level inherit downward unless explicitly overridden at a lower level using the 'None' role.
There are five predefined roles - Administrator, Editor, Marketer, Analyst, and Viewer - with no custom roles available at any tier.
GA4 Standard is free and covers the full role structure for most teams. GA4 360 adds enterprise-scale event quotas, sub-properties, rollup properties, and user groups, but billing is event-volume-based, not per-seat - adding or removing users has no direct billing impact at either tier.
Quick facts
| Admin console path | Admin → Account or Property → Account Access Management / Property Access Management |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Google Cloud Organization |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full control: manage users, edit settings, view reports, manage all account or property configurations. At account level, inherits down to all properties. | Cannot exceed Google's 400-user limit per account/property without removing existing users. | Free (GA4 Standard) | No per-seat cost | Account-level Administrator role automatically grants Administrator access to all properties under that account. Granting this role broadly is a common over-provisioning risk. |
| Editor | Edit property settings, create and edit data streams, manage integrations, view all reports. Cannot manage users. | Cannot add, remove, or change user roles. Cannot manage account-level settings. | Free (GA4 Standard) | No per-seat cost | Editor cannot manage users at any level, so they cannot self-provision access for teammates. |
| Marketer | Create and edit audiences, conversions, attribution models, and events. View all reports. | Cannot edit property settings, manage users, or manage data streams. | Free (GA4 Standard) | No per-seat cost | Marketer role is GA4-specific and does not exist in Universal Analytics; teams migrating from UA may not be familiar with its scope. |
| Analyst | Create and edit shared assets (explorations, annotations). View all reports. | Cannot edit property settings, manage users, create audiences, or modify conversions. | Free (GA4 Standard) | No per-seat cost | Shared explorations created by an Analyst remain in the property if the user is removed; ownership does not transfer automatically. |
| Viewer | View reports and existing configurations. Can create personal (non-shared) explorations. | Cannot edit any settings, create shared assets, or manage users. | Free (GA4 Standard) | No per-seat cost | Viewer is the minimum role that grants any access; there is no read-only role scoped to a subset of reports without using data restrictions. |
| None | Explicitly blocks inherited access from a higher level (e.g., account). User has no access to the specific property. | Cannot view or interact with the property in any way. | Free (GA4 Standard) | No per-seat cost | The 'None' role is used to override inherited permissions from account level; it does not remove the user from the account entirely. |
Permission model
- Model type: role-based
- Description: GA4 uses a hierarchical role-based model across three levels: Organization (Google Marketing Platform), Account, and Property. Roles assigned at a higher level are inherited downward unless explicitly overridden with a lower-level role assignment (including 'None'). There are five named roles: Administrator, Editor, Marketer, Analyst, Viewer. Data restrictions (cost data, revenue data) can be layered on top of any role to limit metric visibility.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role assigned at account or property level; data restrictions (cost metrics, revenue metrics) available as add-on restrictions per user. No row-level or dimension-level filtering beyond data restrictions.
How to add users
- Sign in to Google Analytics at analytics.google.com.
- Click 'Admin' (gear icon) in the bottom-left navigation.
- To add at account level: in the 'Account' column, click 'Account Access Management'. To add at property level: in the 'Property' column, click 'Property Access Management'.
- Click the blue '+' (plus) button in the top-right of the access management panel.
- Select 'Add users'.
- Enter the user's Google Account email address in the email field.
- Select the desired role: Administrator, Editor, Marketer, Analyst, or Viewer.
- Optionally, enable data restrictions (No Cost Metrics, No Revenue Metrics) if applicable.
- Optionally, check 'Notify new users by email' to send an invitation email.
- Click 'Add' to confirm.
Required fields: Valid Google Account email address, Role selection (at least one role must be assigned)
Watch out for:
- The invitee must have an existing Google Account (Gmail or Google Workspace). Non-Google email addresses cannot be added directly.
- Account-level role assignments automatically propagate to all properties under that account unless overridden at the property level.
- There is a limit of 400 users per account and 400 users per property. Attempting to add beyond this limit will fail.
- The person adding users must hold the Administrator role at the level where they are adding the user.
- There is no email domain whitelisting; each user must be added individually by email address.
- Users added at the property level do not automatically get account-level access.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Google Cloud Identity / Google Workspace (organization-level); GA4 360 supports user group management via Google Marketing Platform. SCIM provisioning operates at the Google Cloud Organization level, not natively within GA4 itself. |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: GA4 supports full removal of a user from an account or property. There is no 'deactivate' or 'suspend' state within GA4 itself-removal is permanent at the GA4 level. The underlying Google Account is not affected. To block access without full removal, an Administrator can set the user's role to 'None' at a specific property level to override inherited permissions.
- Sign in to Google Analytics at analytics.google.com.
- Click 'Admin' (gear icon) in the bottom-left navigation.
- Navigate to 'Account Access Management' (account level) or 'Property Access Management' (property level).
- Locate the user in the list (use the search bar if needed).
- Click on the user's row to open their access details.
- Click 'Remove access' (or the trash/delete icon) to revoke all access at that level.
- Confirm the removal when prompted.
| Data impact | Behavior |
|---|---|
| Owned records | Explorations (custom reports) created by the removed user and saved as personal (not shared) are deleted or become inaccessible. Shared explorations remain in the property and are accessible to other users with sufficient permissions. |
| Shared content | Shared assets (shared explorations, annotations) created by the removed user persist in the property and remain accessible to other users. |
| Integrations | Removing a user does not affect data collection, tracking, or integrations (e.g., Google Ads links, BigQuery exports) configured under the property. Those integrations are property-level, not user-level. |
| License freed | GA4 Standard is free with no per-seat licensing, so removal does not free a paid seat. For GA4 360, billing is event-volume-based, not per-seat, so user removal has no direct billing impact. |
Watch out for:
- Removing a user at the account level removes their access to all properties under that account. Removing at the property level only removes access to that specific property.
- If a user was granted access at the account level, removing them only at the property level will not fully revoke access-they will still have account-level access. You must remove them at the account level or set property role to 'None'.
- The removed user's Google Account is not deleted or suspended; they retain access to other Google services.
- There is no audit log of who removed a user natively within GA4 Standard; GA4 360 via Google Marketing Platform may offer additional audit capabilities.
- Personal explorations belonging to the removed user may be lost permanently with no recovery option.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| GA4 Standard | Full GA4 feature set for most SMB use cases. Up to 400 users per account/property. No seat-based cost. | $0 |
| GA4 360 | Higher event quotas (starting 25M events/month), SLA, advanced integrations (BigQuery, Salesforce), sub-properties, roll-up properties, user groups, dedicated support. User limits same structure but enterprise-scale. | Starting ~$50,000/year; usage-based on event volume, sold via Google resellers/sales partners. |
- Where to check usage: Admin → Account Access Management or Property Access Management → view user list with roles. No built-in 'last login' or 'last active' timestamp is displayed in the GA4 UI for individual users.
- How to identify unused seats: GA4 does not natively display last-login dates or activity timestamps for users in the Access Management UI. Identifying unused accounts requires cross-referencing with Google Workspace admin logs or Google Cloud audit logs if the organization uses those tools. There is no built-in inactive-user report in GA4.
- Billing notes: GA4 Standard is entirely free with no per-seat or per-user billing. GA4 360 billing is based on monthly event volume, not number of users. Adding or removing users has no direct impact on GA4 360 billing. Rollup and sub-properties in GA4 360 are billed at 150% of their contributing event count toward the quota.
The cost of manual management
GA4 has no built-in last-login or last-active timestamp for users in the Access Management UI. Identifying stale accounts requires cross-referencing Google Workspace admin logs or Google Cloud audit logs - neither of which is surfaced inside GA4 itself.
Without external tooling, every app in your stack that relies on GA4 access faces the same blind spot: you cannot confirm who is actively using their access from the GA4 console alone.
Bulk provisioning is not supported natively. Each user must be added individually by Google Account email address, with no CSV import and no domain whitelisting. For large teams or frequent onboarding cycles, this creates compounding manual overhead.
Account-level Administrator assignments automatically propagate to all properties under that account. Over-provisioning is a consistent operational risk because correcting it requires manually setting the 'None' role at each affected property - there is no bulk override.
What IT admins are saying
Practitioners consistently flag the absence of last-login visibility as the most high-impact gap in GA4's access management. Without activity timestamps, access reviews require external log correlation rather than a native audit report.
The 400-user hard limit per account and per property is a documented ceiling that blocks access additions for large organizations until existing users are removed. There is no grace period or overflow mechanism.
The lack of custom roles is a recurring friction point. Teams are constrained to five preset roles plus two data restrictions (No Cost Metrics, No Revenue Metrics), with no row-level or dimension-level filtering beyond those options.
Common complaints:
- No native 'last login' or 'last active' date shown for users in the Access Management UI, making it difficult to audit inactive users without external tooling.
- No CSV import for bulk user provisioning; each user must be added individually by email address, which is time-consuming for large teams.
- No domain whitelisting or automatic provisioning of users based on email domain.
- The 400-user limit per account/property is a hard ceiling that can block access for large organizations.
- Account-level role inheritance is a common source of unintended over-provisioning; administrators must manually override at the property level using the 'None' role.
- No custom roles or fine-grained permission scoping beyond the five preset roles and two data restrictions.
- Removing a user at the property level does not revoke account-level access, which confuses administrators expecting a single removal to fully cut off access.
- SCIM provisioning is not available natively within GA4; it operates only at the Google Cloud Organization level, requiring separate configuration outside of GA4.
The decision
Use account-level role assignments only when a user genuinely needs access to every property under that account. The inheritance model means that every app and property downstream of an account-level Administrator grant is exposed - making it the highest-risk assignment and a common source of unintended over-provisioning.
For property-scoped access, assign roles at the property level directly. Use the 'None' role at the property level to explicitly block inherited account-level access for specific users without removing them from the account entirely.
Data restrictions (No Cost Metrics, No Revenue Metrics) can be layered on top of any role and are the only mechanism for limiting metric visibility below the role level. There is no finer-grained scoping available in GA4 Standard or GA4 360.
Bottom line
Google Analytics 4's access model is straightforward for small teams but operationally demanding at scale. The absence of last-login data, bulk provisioning tools, and custom roles means that access hygiene depends entirely on manual processes or external log infrastructure.
The hierarchical inheritance model is powerful but requires deliberate role assignment at every level - account-level grants carry significant blast radius, and the only native correction mechanism is the 'None' role applied property by property.
Automate Google Analytics workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
