Add a User to Google Analytics

Follow this playbook to invite the collaborator into your GA4 account.

Prerequisites

Before granting Google Analytics 4 access, gather the necessary information and confirm your permissions to complete the process successfully.

Required Information

• Access Level Decision: Determine whether the collaborator needs account-level access (affects all properties) or property-level access (limited to specific properties and data streams).
• GA4 Account Structure: Document your account hierarchy including account ID, property IDs, and data stream IDs that the collaborator should access.
• Google Account Email: Collect the collaborator's Google account email address. This can be a Gmail address, Google Workspace email, or service account for API access.
• Service Account Credentials: If the collaborator needs API access for data export, measurement protocol, or automation, obtain the service account email (typically ends in @[project-id].iam.gserviceaccount.com).
• Engagement Scope: Review the statement of work to understand whether the collaborator needs read-only reporting access, conversion management capabilities, or full property configuration rights.
• Linked Product Access: Confirm whether the collaborator also needs access to linked products like Google Ads, Search Console, BigQuery exports, or Display & Video 360.

Permission Requirements

• Manage Users Permission: You must have "Manage Users" permission at the account or property level where you're granting access. If you lack this permission, escalate to your GA4 account administrator.
• Account vs. Property Level: Understand the difference:
  • Account-level access: Grants permissions across all properties under the account and allows managing account-wide settings.
  • Property-level access: Limits permissions to a specific property and its data streams; requires separate grants for each property.

Account Structure Planning

GA4 organizes access hierarchically. Understanding this structure helps you grant appropriate permissions:

• Account Level: The top-level container. Granting access here affects all current and future properties.
• Property Level: Individual GA4 properties (websites or apps). Access granted here only affects that specific property.
• Data Stream Level: While access isn't granted at the data stream level, role permissions control what users can do with individual streams.

Security and Compliance Checklist

• Access Request Approval: Obtain written approval from your project sponsor, data governance team, or security stakeholder as required by your organization's policies.
• Data Privacy Considerations: Review what types of data the collaborator will access (personally identifiable information, financial data, healthcare data, etc.) and confirm this aligns with privacy policies and data processing agreements.
• Data Restrictions: Determine if cost metrics (Google Ads spend) or revenue metrics (ecommerce transaction data) should be hidden from the collaborator.
• Audit Trail: Prepare to document the access grant in your IAM tracker, ITSM system, or compliance log with requester name, approval date, and business justification.
• IP Restrictions: If your organization restricts GA4 access by IP address (via Google Cloud Identity or VPN), coordinate with your network team before granting access.

Related Tools and Integrations

If the collaborator's work extends beyond GA4 reporting, consider access requirements for connected tools:

• Google Ads: Linking requires administrative access in both GA4 and Google Ads. Plan for coordinated access grants.
• Search Console: Property verification and linking requires Search Console ownership or admin rights.
• BigQuery: Exporting GA4 data to BigQuery requires separate IAM permissions on the Google Cloud project and dataset.
• Display & Video 360, Search Ads 360, Campaign Manager 360: Google Marketing Platform integrations require appropriate GMP role assignments.
• Looker Studio (Data Studio): Collaborators may need separate sharing permissions on Looker Studio reports even if they have GA4 access.

Understanding GA4 Roles and Permissions

Google Analytics 4 provides four standard roles with different capabilities.

Standard Roles

Administrator

Full control over property or account configuration and user management.

Capabilities:

• Manage users and grant access to others
• Edit property settings, data streams, and account configuration
• Create, edit, and delete conversions, audiences, and custom definitions
• Link and unlink integrated products (Google Ads, BigQuery, etc.)
• Configure data retention and deletion settings
• Access all reports and explorations
• Set up and modify data filters and internal traffic rules

When to grant Administrator:

• Collaborator is leading a full GA4 implementation or migration
• Collaborator manages integrations with Google Ads, BigQuery, or other platforms
• Collaborator needs to configure property-level settings and data governance rules
• Engagement includes user management or security configuration

Risks and considerations:

• Can delete data, disable data streams, or misconfigure tracking
• Can grant additional users access without approval
• Changes to data retention affect historical data availability
• Most powerful role; grant only when truly necessary

Editor

Can modify configuration but cannot manage users or account settings.

Capabilities:

• Create, edit, and delete conversions, audiences, and custom definitions
• Modify existing data streams (but cannot create or delete them)
• Configure event parameters and custom dimensions/metrics
• Access all reports and explorations
• Create and share custom reports, explorations, and audiences
• Cannot manage users or modify data retention settings
• Cannot link/unlink external products

When to grant Editor:

• Collaborator implements tracking and conversion management
• Collaborator configures audiences for Google Ads or other activation platforms
• Collaborator needs to create custom dimensions/metrics for specific analysis
• Read-only access is insufficient but full Administrator rights are excessive

Typical use case: Most implementation consultants and analytics practitioners should receive Editor rather than Administrator to follow least-privilege principles.

Analyst

Can create and share custom reports and explorations but cannot modify property configuration.

Capabilities:

• Access all standard reports and explorations
• Create custom reports, explorations, segments, and comparisons
• Share created content with other users
• Export data to Google Sheets or CSV
• Cannot modify conversions, audiences, or property settings
• Cannot edit data streams or custom definitions

When to grant Analyst:

• Collaborator performs reporting and data analysis
• Collaborator creates custom explorations or segments for stakeholder use
• Engagement focuses on insights generation without configuration changes
• Need to share analysis work across the team

Typical use case: Analytics consultants focused on reporting, dashboard creation, and insight generation.

Viewer

Read-only access to reports; cannot create or share custom content.

Capabilities:

• View all standard reports and existing shared explorations
• Export visible data to Google Sheets or CSV
• Cannot create new reports, explorations, or custom content
• Cannot modify any property settings or configurations
• Cannot share content with others

When to grant Viewer:

• Collaborator needs visibility for auditing or review purposes
• Stakeholder requires read-only access for oversight
• Temporary access for specific reporting needs
• Compliance or legal review requiring data visibility without modification rights

Typical use case: Auditors, compliance reviewers, or stakeholders who need visibility but not editing capabilities.

Data Restrictions

In addition to roles, GA4 allows applying data restrictions to limit what specific users can see:

• No Cost Metrics: Hides Google Ads cost data (CPC, ad spend, ROAS, etc.) from the user even if they have access to reports containing these metrics.
• No Revenue Metrics: Hides ecommerce revenue data (purchase revenue, average order value, etc.) from the user.

When to apply data restrictions:

• Collaborator doesn't need financial data for their work
• Data processing agreements or contracts prohibit sharing cost/revenue data
• Compliance requirements (SOX, financial data governance) restrict who can see financial metrics
• Different teams need access to engagement metrics but not monetary performance

Data restrictions can be combined (e.g., Editor role with both No Cost and No Revenue restrictions).

Invite via GA4 Admin

Follow these step-by-step instructions to grant access to the collaborator.

Step 1: Navigate to Access Management

1. Sign into Google Analytics 4 using an account with Administrator or Manage Users permissions.
2. Click Admin in the bottom-left corner of the GA4 interface.
3. In the Admin panel, decide where to grant access:
   • Account-level access: In the Account column (left), select Account Access Management.
   • Property-level access: In the Property column (middle), select Property Access Management.
4. You'll see the current list of users with access at the selected level.

Step 2: Initiate User Addition

1. Click the + (plus) icon in the top-right corner of the Access Management page.
2. From the dropdown menu, select Add users.
3. A dialog box will appear prompting you to enter email addresses and configure permissions.

Step 3: Enter Email Addresses

1. In the Email addresses field, enter the collaborator's Google account email.
2. For service accounts (API access), enter the full service account email (e.g., service-account@project-123456.iam.gserviceaccount.com).
3. To add multiple users simultaneously, separate email addresses with commas or enter each on a new line.
4. Verify email addresses for typos before proceeding to avoid granting access to incorrect accounts.

Step 4: Configure Notification Settings

1. Notify new users by email: This checkbox is enabled by default and sends an automated email notification to the added user(s).
2. Leave this enabled for human users so they receive confirmation and onboarding instructions.
3. For service accounts (API access), you can disable notifications since service accounts cannot receive email.

Step 5: Assign Roles and Permissions

1. Under Roles and data restrictions, select the appropriate role(s):

   • Check Administrator for full property/account management (rarely needed for collaborators)
   • Check Editor for implementation and configuration work (most common for collaborators)
   • Check Analyst for reporting and exploration creation
   • Check Viewer for read-only access

2. You can assign multiple roles to the same user (e.g., both Editor and Analyst), though this is usually unnecessary since higher-level roles include lower-level capabilities.

3. Apply data restrictions if needed:

   • Check No cost metrics to hide Google Ads spend and cost data
   • Check No revenue metrics to hide ecommerce and revenue data
   • Leave both unchecked if the user needs full data visibility

Step 6: Review Property or Account Scope

1. For account-level access: The user will automatically have the selected role across all properties under this account, including properties created in the future.
2. For property-level access: The user will only have access to the specific property where you're adding them. They won't see other properties under the same account.
3. If the collaborator needs access to multiple specific properties but not all, you'll need to repeat this process for each property individually.

Step 7: Add User and Confirm

1. Review all selections:
   • Email addresses are correct
   • Appropriate roles are selected
   • Data restrictions (if any) are properly configured
   • Notification setting matches intent
2. Click Add to finalize the access grant.
3. The user will appear immediately in the Access Management list with their assigned role(s).
4. If notifications are enabled, the user will receive an email with a link to access GA4.

Granting Access to Multiple Properties

If the collaborator needs access to several properties but not all properties in the account, follow this workflow to manage multiple grants efficiently.

Option 1: Individual Property Grants

1. For each property requiring access:
   • Navigate to Admin → Property Access Management for that property
   • Click + → Add users
   • Enter the collaborator's email and assign the appropriate role
   • Apply data restrictions if needed
   • Click Add
2. Repeat for each additional property.
3. Document which properties were granted in your access tracker.

Option 2: Account-Level Grant with Property Removal

1. If the collaborator needs access to most but not all properties:
   • Grant account-level access with the appropriate role
   • For properties they should NOT access, navigate to that property's Access Management and remove the inherited access
2. This approach works best when the exception list is shorter than the access list.

Best Practice for Multiple Properties

• Document the specific property IDs granted in your IAM tracker to facilitate future audits.
• Consider organizing properties into separate accounts if access patterns consistently differ across teams or vendors.
• Use consistent role assignments across properties (same role for all) to simplify access reviews.

Service Account Access for API and Automation

Service accounts enable programmatic access to GA4 for data export, reporting automation, or measurement protocol ingestion.

Creating a Service Account

If the collaborator needs API access and doesn't have a service account yet:

1. Navigate to Google Cloud Console
2. Select the Google Cloud project associated with your GA4 property
3. Go to IAM & Admin → Service Accounts
4. Click Create Service Account
5. Enter a name and description (e.g., "Analytics Collaborator API Access")
6. Click Create and Continue
7. Grant the service account appropriate Cloud project roles if needed (usually not required for GA4 API access alone)
8. Click Done
9. Note the service account email address (e.g., analytics-service@project-123456.iam.gserviceaccount.com)

Granting GA4 Access to Service Accounts

1. Follow the standard user addition process described above
2. Enter the full service account email address
3. Assign Viewer role (for read-only API access) or Editor role (for configuration changes via API)
4. Disable the "Notify new users by email" option since service accounts cannot receive email
5. Click Add

BigQuery Export Access

If the collaborator needs to query GA4 data exported to BigQuery:

1. Grant GA4 access as described above (typically Viewer role is sufficient)
2. Additionally, grant Google Cloud IAM permissions on the BigQuery dataset:
   • Navigate to Google Cloud Console
   • Go to BigQuery → [your dataset]
   • Click Sharing → Permissions
   • Add the service account or user email
   • Grant BigQuery Data Viewer role (read-only) or BigQuery Data Editor (read/write)
   • Save permissions
3. Test access by having the collaborator run a sample query against the GA4 dataset

API Key Management

• Store service account JSON key files securely (never commit to version control)
• Rotate keys regularly (every 90 days recommended)
• Use Google Cloud KMS or secret management services for production deployments
• Document which service accounts have access and what they're used for

Linking to Related Google Products

If the collaborator's engagement includes managing integrations between GA4 and other Google tools, additional access grants may be required.

Google Ads Linking

To link GA4 with Google Ads accounts:

Requirements:

• User must have Administrator role in GA4
• User must have Administrative access in Google Ads account
• Collaborative access requires granting both simultaneously

Process:

1. Grant GA4 Administrator role as described above
2. Separately, grant Google Ads Admin access in the Google Ads interface
3. The collaborator can then create or manage the GA4-Google Ads link
4. Consider whether the collaborator needs ongoing Admin access or if you can downgrade them after linking is complete

Search Console Linking

To link GA4 with Google Search Console properties:

Requirements:

• User must have Editor or Administrator role in GA4
• User must have Owner role on the Search Console property

Process:

1. Grant GA4 Editor or Administrator role
2. In Search Console, add the user as an Owner for the relevant property
3. The collaborator can then create the GA4-Search Console association
4. After linking, you can downgrade Search Console access to User level if ongoing management isn't needed

BigQuery Export Configuration

To set up or manage GA4's BigQuery export:

Requirements:

• Administrator role in GA4 (to configure the export)
• BigQuery Admin or Editor role on the Google Cloud project
• BigQuery Data Editor role on the destination dataset

Process:

1. Grant GA4 Administrator role
2. In Google Cloud IAM, grant BigQuery Admin or appropriate dataset-specific roles
3. The collaborator can configure export settings in GA4 Admin → BigQuery Linking
4. Verify export is working by checking the BigQuery dataset for new tables

Google Marketing Platform (GMP) Integrations

For Display & Video 360, Search Ads 360, or Campaign Manager 360 integrations:

Requirements:

• Administrator role in GA4
• Appropriate role in the respective GMP product
• GMP organization-level admin approval may be required

Coordination:

• Work with your GMP administrator to coordinate access grants across products
• Document the integration purpose and data flow in your data governance documentation
• Review GMP-specific data sharing and privacy settings

Post-Invite Checklist

After granting access, complete these steps to ensure successful onboarding and compliance.

Verify Access in GA4

1. Confirm User Appears in List:

   • Navigate back to Admin → Access Management (account or property level)
   • Verify the collaborator's email appears with the correct role(s) and data restrictions
   • Note the timestamp when access was granted

2. Test Access (if possible):

   • If you can coordinate with the collaborator, have them log into GA4 and confirm they see the expected account(s) and property(ies)
   • Verify they can access reports and, if applicable, perform configuration tasks matching their role

3. Check for Access Anomalies:

   • Ensure the user doesn't appear multiple times with different emails (which can happen with multiple Google identities)
   • Verify inherited account-level access doesn't conflict with property-level grants

Share Essential Information

Provide the collaborator with the information they need to be productive:

1. Account and Property Details:

   • GA4 account ID (found in Admin → Account Settings)
   • Property ID(s) (found in Admin → Property Settings, format: 123456789)
   • Data stream ID(s) for web, iOS, and Android streams (found in Admin → Data Streams)
   • Measurement ID(s) (format: G-XXXXXXXXXX) for implementation validation

2. Implementation Context:

   • Links to existing Google Tag Manager containers (if used)
   • Documentation about custom events, parameters, and conversion definitions
   • Links to existing Looker Studio dashboards or custom reports
   • Contact information for your internal GA4 subject matter experts

3. Data Governance Information:

   • Privacy policies affecting how analytics data can be used
   • Data retention settings (2 months, 14 months, etc.)
   • IP anonymization or other privacy controls in place
   • Compliance frameworks applicable to the data (GDPR, CCPA, HIPAA, etc.)

4. Technical Access Requirements:

   • VPN connection requirements (if applicable)
   • IP allowlist status (if applicable)
   • MFA enrollment instructions (if required)
   • SSO login process (if configured)

Update Access Management Records

Document the access grant for audit and compliance purposes:

1. IAM Tracker or Spreadsheet:

   • Record the user email, grant date, access level (account or property), role(s), and data restrictions
   • Note the approver name and approval date
   • Reference the SOW, ticket number, or request ID
   • Set a review date based on engagement duration

2. Ticketing System:

   • Update the access request ticket status to "Granted"
   • Attach screenshots of the Access Management page showing the new user
   • Link to related tickets (VPN access, BigQuery permissions, etc.)

3. Compliance Logs:

   • If required by your industry or organization, log the access grant in your GRC system
   • Include business justification and data classification
   • Note any data restrictions applied

4. Communication:

   • Notify project stakeholders that access has been granted
   • Update team wikis or runbooks with current access lists
   • Send onboarding email to the collaborator with all necessary information

Bulk User Management

For organizations granting GA4 access to multiple collaborators simultaneously, consider these approaches.

Manual Bulk Addition

1. In the Add users dialog, enter multiple email addresses separated by commas or line breaks
2. All users will receive the same role assignments and data restrictions
3. Click Add to grant access to all users at once
4. Review the Access Management list to confirm all users were added successfully

Best for: Small groups (5-10 users) with identical access requirements

Google Cloud Identity Integration

Organizations using Google Cloud Identity or Google Workspace can leverage group-based access management:

1. Create Google Groups for different access patterns (e.g., ga4-analysts@yourdomain.com, ga4-admins@yourdomain.com)
2. Add users to the appropriate groups in Google Admin
3. Grant GA4 access to the group email address instead of individual users
4. User access is automatically managed through group membership

Benefits:

• Centralized access management through Google Admin
• Automatic provisioning/deprovisioning based on group membership
• Easier access reviews (review group membership instead of individual grants)
• Consistent role assignments across similar users

Limitations:

• Requires Google Cloud Identity or Google Workspace
• All group members receive identical permissions
• Group management must be coordinated with IT administrators

Google Analytics 360 (Enterprise)

Organizations with Google Analytics 360 may have additional bulk management options:

• Subproperties and roll-up properties can simplify access management for complex organizations
• Google Marketing Platform organization-level management integrates with GMP access controls
• Support for programmatic user management via Admin API

Contact your Google Analytics 360 account manager for enterprise-specific access management guidance.

Troubleshooting

Common issues when granting Google Analytics 4 access and their resolutions.

Invite Failed or User Limit Reached

Symptoms: Error message when attempting to add user, or notification that property/account has reached user limit.

Resolution Steps:

1. Check User Count:

   • Review current user count in Access Management
   • GA4 free tier allows up to 100 users per property (25 at account level)
   • GA4 360 has higher limits based on contract

2. Remove Inactive Users:

   • Audit existing users and remove those no longer needing access
   • Check for duplicate users with multiple email addresses
   • See Remove User Access documentation

3. Upgrade to GA4 360:

   • If your organization regularly hits user limits, consider Google Analytics 360
   • Contact Google or your analytics provider about 360 licensing

4. Use Group-Based Access:

   • Instead of adding individual users, use Google Groups to efficiently manage access within limits
   • Remove individual user grants and add group email addresses instead

Cannot See "Add Users" Option

Symptoms: The "+" icon or "Add users" option is not visible in Access Management.

Resolution Steps:

1. Verify Your Permissions:

   • Confirm you have Administrator role or explicit "Manage Users" permission
   • Check with another administrator if you're unsure
   • Review your access in Admin → Access Management to see your current role

2. Check Correct Access Management Level:

   • Ensure you're viewing Access Management at the level where you have permissions
   • You might have property-level admin access but not account-level

3. Organization Policies:

   • Some organizations restrict user management to specific administrators via Google Cloud Organization Policies
   • Check with your Google Workspace or Cloud Identity administrator

4. Browser Issues:

   • Clear browser cache and cookies
   • Try incognito/private browsing mode
   • Test in a different browser
   • Disable browser extensions that might interfere

Collaborator Can't See Property After Being Added

Symptoms: User was successfully added but reports they don't see the property when logging into GA4.

Resolution Steps:

1. Verify Access Level:

   • Confirm whether you granted account-level or property-level access
   • If granted property-level, ensure it was for the correct property
   • Check that the user wasn't removed or downgraded by another administrator

2. Check Email Address:

   • Verify the user is logging in with the exact Google account email you added
   • Users with multiple Google accounts must use the specific account that was granted access
   • Service accounts cannot "log in" - they only work via API

3. Property Visibility:

   • Newly added users should see granted properties within 1-2 minutes
   • Have the user refresh their browser or log out and back in
   • Check if the property is archived (archived properties don't appear in standard navigation)

4. Data Restrictions:

   • Ensure data restrictions (No cost metrics, No revenue metrics) aren't preventing access to key reports
   • Verify whether any additional Google Cloud Organization policies might filter what the user can see

5. Account Switching:

   • If the user has multiple Google accounts, they may need to switch accounts in the GA4 interface
   • Click the account icon in the top-right and select "Switch Account"

Service Account Access Issues

Symptoms: Service account cannot authenticate or access GA4 data via API.

Resolution Steps:

1. Verify Service Account Email:

   • Confirm you added the correct service account email (format: name@project-id.iam.gserviceaccount.com)
   • Check for typos in the service account address

2. API Enablement:

   • Ensure Google Analytics Data API is enabled in the Google Cloud project
   • Navigate to APIs & Services → Library and search for "Google Analytics Data API"
   • Click "Enable" if not already enabled

3. Property ID:

   • Verify the service account is querying the correct property ID
   • Property ID format is numeric (e.g., 123456789), not the measurement ID (G-XXXXXXXXXX)

4. Role Assignment:

   • Service accounts need at least Viewer role for read access
   • Editor role required for configuration changes via API
   • Verify role was properly assigned in Access Management

5. BigQuery Permissions:

   • If accessing BigQuery exports, verify IAM permissions on the BigQuery dataset
   • Service account needs BigQuery Data Viewer (minimum) or BigQuery Data Editor

6. Key File:

   • Ensure JSON key file is properly formatted and accessible to the application
   • Regenerate key file if corrupted or lost
   • Verify key hasn't been deleted or revoked in Google Cloud Console

Data Restrictions Not Working as Expected

Symptoms: User with data restrictions can still see cost or revenue metrics.

Resolution Steps:

1. Verify Restrictions Applied:

   • Check the user's entry in Access Management to confirm restrictions are set
   • Data restrictions should show as tags next to the user's role

2. Report-Specific Behavior:

   • Some reports may show metric names/columns but with no data populated
   • Data restrictions filter values, not UI elements

3. Calculated Metrics:

   • Calculated metrics derived from restricted metrics may still show values
   • Review custom metrics and calculated fields

4. Linked Product Access:

   • Data restrictions in GA4 don't extend to linked products
   • If user has access to BigQuery exports, they can query unrestricted data there
   • Coordinate data restrictions across all systems where user has access

5. Property vs. Account Level:

   • Verify restrictions were applied at the appropriate level
   • Account-level restrictions inherit to properties but property-level restrictions don't bubble up

Google Ads or Search Console Linking Problems

Symptoms: Collaborator cannot create or manage product links despite having appropriate roles.

Resolution Steps:

1. Verify Dual Access:

   • User must have Administrator role in GA4 and appropriate role in the linked product
   • For Google Ads: Admin access required in Google Ads account
   • For Search Console: Owner role required for the property

2. Linking Permissions:

   • Only GA4 Administrators can create new product links
   • Editors can view existing links but not create/delete them

3. Product Account Access:

   • Confirm the user has access to the specific Google Ads account or Search Console property being linked
   • Access must be on the same Google account email

4. Organization Policies:

   • Some Google Marketing Platform organizations restrict linking to prevent data sharing violations
   • Check with your GMP administrator if linking is blocked

5. Property Verification:

   • For Search Console, verify the property verification is current and not expired
   • Re-verify the property if needed

Security and Compliance Best Practices

Follow these guidelines to maintain secure and compliant GA4 access management.

Principle of Least Privilege

• Start with the most restrictive role (Viewer) and escalate only when justified
• Default to property-level access rather than account-level unless truly needed
• Apply data restrictions when cost or revenue visibility isn't required
• Regularly review and downgrade excessive permissions

Regular Access Reviews

• Conduct quarterly reviews of all GA4 users at both account and property levels
• Remove users who have completed their engagements or left their organizations
• Verify role assignments still match current responsibilities
• Audit group memberships if using Google Groups for access management

Segregation of Duties

• Separate production and non-production property access when possible
• Require different approval levels for Editor vs. Administrator access
• Consider separate GA4 accounts for staging and production environments
• Limit Administrator role to a small group of trusted administrators

Audit Trail Maintenance

• Document every access grant with justification, approver, and timestamp
• Export Access Management lists regularly for compliance archives
• Leverage GA4 Admin → Account Change History to review modifications
• Integrate access grants with your organization's IAM or GRC systems

Service Account Security

• Rotate service account keys every 90 days
• Store key files securely using secrets management systems
• Delete unused service accounts promptly
• Monitor API usage for anomalies that might indicate compromised credentials
• Use separate service accounts for different applications or purposes

Data Classification and Privacy

• Apply data restrictions based on data classification policies
• Ensure access grants comply with data processing agreements
• Document what data each user can access for GDPR/CCPA compliance
• Review whether user needs warrant PII access and apply appropriate controls

Related Documentation

• Update Access & Roles - Modify user roles when engagement scope changes
• Remove User Access - Deprovision users and maintain audit trails
• User Management Overview - Complete guide to GA4 roles, permissions, and governance best practices