#GTMTips: User Permissions

How user permissions work in the different parts of Google Tag Manager.

In this #GTMTips article, we’ll take a look at the user permissions and access control levels that Google Tag Manager lets you set today. Doing access control right from a user interface AND user experience perspective is really difficult, and GTM is no exception. Nevertheless, there are several levels of user control that you can modify from account and container settings, and it’s useful to familiarize yourself with these so that managing a big, sprawling account hierarchy is just a bit easier.

Tip 57: User Permissions And Access Control Levels

Since the concept of an account in Google Tag Manager is not as important as, say, in Google Analytics, the access levels for accounts come in two sorts:

  • Admin access lets the user modify other users’ permission levels, and an Admin always has at least Read access to each container.

  • User access prevents the user from modifying other users’ permission levels, and they can also have the No Access level for containers.

Note that there is no owner in Google Tag Manager. Admin access can be freely distributed, and it can be revoked, even from the user who created the account.

At the container level, the available permission levels are:

  • No Access means the user will not even see this container in the list of containers in the UI or via API queries.

  • Read gives the user view-only access to the container. This includes browsing workspace drafts and opening tags, triggers, and variables, but not editing them in any way. One feature of Read access that is often ignored is that users can Preview container versions by going to the Versions page and choosing Preview from the version action menu. Note that users with Read access can’t preview workspace drafts.

  • Edit access lets users create workspaces and edit assets within those workspaces, but they cannot Create Versions or Publish those workspaces. Note that Edit access CAN Preview workspace drafts.

  • Approve is almost the same as Edit, except the user now has permission to Create Versions out of workspace drafts. They still can’t Publish anything, though.

  • Publish is the highest access level for containers. It gives you full access to the container, including the ability to create and modify Environments, and even to delete containers.

With these access control levels, you can distribute access within a single container pretty granularly. However, there’s a bunch of things many users would still love to see with permission distribution, most notably involving folders. Also, a nice, juicy approval queue would be great to have, so that users with limited permissions could still submit a workspace draft for approval programmatically, rather than having to sort out the publish workflow in person (I know, social interaction, YUCH!).

BONUS: I’ve lost account access / I don’t know who has access to GTM-XXXXX - what do I do?

This must be one of the most frequently asked questions in the Product Forums. Typically it’s a case of a GTM container being deployed on the site, but no one has access to it, nor does anyone know WHO the current admin is. (Folks, this is what lack of governance does. Learn from it!)

Anyway, I’m going to quote Googler Andrew Lanzone, who had the perfect answer for what to do in case you need to retrieve access information for any given container or account.

The easiest option is to track down the person with admin rights on the account. If you can, contact a user who has admin rights on the GTM account and ask them to add you to the account (as admin as well). If you have access to the email accounts of the departed employees, you can try logging in with those accounts and adding yourself as an admin.

If that is not possible, file a feedback request (choose “Send feedback” from the … menu in the GTM header) and we can try and contact the account admins on your behalf.

In general, we recommend:

  • You should have multiple admins on your account.

  • At least one email address on the account should be monitored on a daily basis if possible.

  • You should have a handoff plan for when people leave the company and/or end business relationships.

Here’s the source for Andrew’s tips.
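
The access levels and the "multiple admins" recommendation above can be checked against an exported user list. The following is an added example, not code from the original article; it assumes records shaped like the Tag Manager API's user permission resource (`emailAddress`, `accountAccess`, `containerAccess`), and the sample users and container ID are constructed.

```python
# Container levels in ascending order, as listed in the article.
LEVELS = ["noAccess", "read", "edit", "approve", "publish"]

# Lowest container level that grants each action, per the article.
REQUIRED = {"preview_version": "read", "preview_draft": "edit",
            "edit_workspace": "edit", "create_version": "approve",
            "publish": "publish"}

def effective_level(user, container_id):
    """Assigned container level; account admins never drop below read."""
    assigned = next((c["permission"] for c in user.get("containerAccess", [])
                     if c["containerId"] == container_id), "noAccess")
    if user["accountAccess"]["permission"] == "admin":
        return max(assigned, "read", key=LEVELS.index)
    return assigned

def can(user, container_id, action):
    """True if the user's effective level is high enough for the action."""
    level = effective_level(user, container_id)
    return LEVELS.index(level) >= LEVELS.index(REQUIRED[action])

def audit(users, container_id):
    """Return governance findings for one container."""
    admins = [u["emailAddress"] for u in users
              if u["accountAccess"]["permission"] == "admin"]
    publishers = [u["emailAddress"] for u in users
                  if can(u, container_id, "publish")]
    findings = []
    if len(admins) < 2:
        findings.append(f"only {len(admins)} account admin(s): {admins}")
    if publishers:
        findings.append(f"publish access on {container_id}: {publishers}")
    return findings

# Constructed sample data (not real accounts or container IDs).
USERS = [
    {"emailAddress": "owner@example.com",
     "accountAccess": {"permission": "admin"},
     "containerAccess": [{"containerId": "1001", "permission": "publish"}]},
    {"emailAddress": "agency@example.com",
     "accountAccess": {"permission": "user"},
     "containerAccess": [{"containerId": "1001", "permission": "edit"}]},
    {"emailAddress": "analyst@example.com",
     "accountAccess": {"permission": "user"},
     "containerAccess": [{"containerId": "1001", "permission": "read"}]},
]

if __name__ == "__main__":
    for finding in audit(USERS, "1001"):
        print(finding)
```

With the sample data, the audit reports a single account admin and lists who can publish container 1001.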