Remove the collaborator from Google Analytics | Blue Frog Docs

Remove the collaborator from Google Analytics

Revoke GA4 roles for the collaborator and document the action.

Remove User Access

Follow this procedure when a collaborator should no longer access GA4 data. Properly offboarding users protects your organization from unauthorized access, maintains compliance with data governance policies, and ensures accurate audit trails.

Removing a user from Google Analytics 4 is permanent. Once deleted, you cannot restore their specific access configuration, custom audiences, or conversions they created. Always transfer ownership of critical assets and document the removal before proceeding.

When to Remove Users

Remove Google Analytics access when:

  • An employee leaves the organization (resignation, termination, or retirement).
  • An agency or consultant contract ends and they no longer manage analytics or marketing.
  • A user changes roles and no longer requires GA4 access.
  • Security or compliance teams request removal due to policy violations or audit findings.
  • A temporary contractor's project concludes and their access is no longer needed.
  • The user has been inactive for 90+ days and your organization enforces periodic access reviews.
  • Data privacy or legal requests removal to ensure GDPR, CCPA, or other regulatory compliance.
  • Their property scope reduces to zero and they no longer need access to any properties.
  • Google Workspace provisioning removes the user from the organization.

Deactivation Triggers

Common triggers that should prompt immediate user removal:

  • Employee termination: Revoke access on the same day to prevent unauthorized data viewing or export.
  • Contract termination: Remove agency or consultant users within 24 hours of contract end.
  • Role change: If a marketer transitions to a non-digital role, remove their GA4 access entirely.
  • Security incident: If credentials are compromised or suspicious activity is detected, immediately remove access.
  • Quarterly access review: Remove users who haven't logged in for 90+ days or are no longer with the organization.
  • Property migration: If all properties a user had access to are migrated to a different account, remove the user.
  • Google Workspace removal: If removed from Google Workspace, manually verify they can no longer access GA4.

Pre-Removal Assessment

Before removing a user, complete this assessment to avoid disrupting analytics and marketing workflows:

Identify owned assets

Check whether the user owns or created:

  • Custom audiences: Audiences they created that are linked to Google Ads or other platforms
  • Conversions: Conversion events they defined or configured
  • Custom dimensions: User-scoped or event-scoped custom dimensions they implemented
  • BigQuery exports: Data warehouse export configurations they set up
  • Data streams: Web or app data streams they configured
  • Looker Studio reports: Reports or dashboards that rely on their GA4 access
  • API credentials: Measurement Protocol API secrets or Reporting API OAuth tokens they manage
  • Google Ads links: Linked accounts or conversion imports they configured

Transfer ownership

For each asset identified:

  1. Go to the asset settings (audience, conversion, custom dimension).
  2. If possible, document the configuration or export it.
  3. For BigQuery exports, verify another Admin can manage the connection.
  4. For Google Ads links, ensure another user has Admin access to both platforms.
  5. For Looker Studio, grant another user Editor access to the data source.
  6. Document the transfer in your ticketing system with the new owner's name.

Critical: Do not skip asset transfer. If you delete a user who owns active audiences or conversions linked to Google Ads, those integrations may break, causing campaign disruptions.

Review property and account access

  1. Navigate to Admin → Access Management at both Account and Property levels.
  2. Review all accounts and properties they have access to.
  3. Document their role at each level (Viewer, Analyst, Marketer, Editor, Administrator).
  4. Identify if they're the only Administrator for any account or property (requires designating a replacement).
  5. Check linked products: Google Ads, BigQuery, Search Console, AdSense.

Confirm approval

Obtain written approval from:

  • The user's manager or department head
  • HR or Finance if due to termination or contract end
  • Security, Compliance, or Legal if part of an audit or data privacy requirement
  • Marketing or Analytics lead if user managed critical integrations

Save the approval email or ticket for your access log.

Removal Steps

Once you've completed the pre-removal assessment:

Step 1: Access user management

  1. Sign in to Google Analytics 4 as an Administrator at the account or property level.
  2. Navigate to Admin (bottom left gear icon).
  3. Under the appropriate Account or Property column, select Access Management.
  4. Locate the user by scrolling or using the search box (search by email).

Step 2: Review current access

  1. Click on the user's email address.
  2. Review their current:
    • Role(s) assigned (Administrator, Editor, Marketer, Analyst, Viewer)
    • Direct roles vs. inherited roles from account level
    • Data restrictions (if any)
    • Last activity date (if visible)
  3. Screenshot this page for your access log before making changes.
  4. Repeat for both Account and Property levels if they have access at both.

Step 3: Remove property access (optional partial removal)

If the user should lose access to specific properties but remain active on others:

  1. In the Property Access Management section, find their email.
  2. Click the three-dot menu next to their name.
  3. Select Remove access.
  4. Confirm the removal.
  5. Document which properties were removed and why.

This is useful when an agency's scope narrows to specific properties only.

Step 4: Remove account access

If the user should lose access to the entire GA4 account:

  1. Go to Admin → Account Access Management.
  2. Find the user's email.
  3. Click the three-dot menu next to their name.
  4. Select Remove access.
  5. Confirm the removal.
  6. The user will immediately lose access to all properties under the account.

Note: Removing at the account level removes access to all properties. Removing at the property level only affects that specific property.

Step 5: Verify removal

  1. Refresh the Access Management page and confirm the user no longer appears.
  2. Check both Account and Property levels to ensure complete removal.
  3. Search for their email to ensure no duplicate entries exist.
  4. Verify linked products (Google Ads, BigQuery) don't have residual access.
  5. Screenshot the updated Access Management list showing the user removed.

Step 6: Remove from linked products

Check and remove access from related Google products:

  • Google Ads: Admin → Access and Security → Users → Remove user
  • BigQuery: Check project-level IAM permissions and remove GA4 export access
  • Search Console: Settings → Users and Permissions → Remove user
  • Looker Studio: Share settings on reports/data sources → Remove user
  • Google Tag Manager: Admin → User Management → Remove user (if applicable)
  • Firebase: Project Settings → Users and Permissions → Remove user (for app properties)

Post-Removal Tasks

After removing the user:

Rotate credentials

If the user had access to sensitive credentials:

  • Measurement Protocol API secrets: Rotate any API secrets they had access to.
  • OAuth tokens: Revoke any Reporting API or Data API OAuth tokens generated by their account.
  • Service account keys: Rotate any JSON keys for service accounts they managed.
  • BigQuery credentials: Update any warehouse export credentials or service accounts.

Navigate to Admin → Data Streams → [Stream] → Measurement Protocol API Secrets to manage secrets.

Update documentation

  • Access log: Record user email, date removed, reason, approver name, assets transferred, credentials rotated.
  • Google Workspace: Remove the user from any GA4-related groups in Google Workspace Admin.
  • Internal roster: Update your team roster, org chart, or RACI matrix.
  • Runbooks: Update any documentation that referenced the removed user as a contact or owner.
  • SOPs: Update standard operating procedures that list user responsibilities.

Notify stakeholders

  • Inform the user (if appropriate) that their GA4 access has been revoked.
  • Alert new asset owners that they now own audiences, conversions, or BigQuery exports.
  • Update the marketing team via Slack or email that the user no longer has access.
  • Notify Google Ads team if the user managed conversion imports or audience sharing.
  • Inform BI team if BigQuery exports or Looker Studio dashboards were affected.

Audit remaining users

  • Scan the Access Management list for other accounts that may need removal or downgrade.
  • Flag users with Administrator access who no longer require it.
  • Identify users who haven't logged in recently (may require Google Workspace admin reports).
  • Review service accounts and remove any orphaned or unused accounts.

Review change history

  1. Navigate to Admin → Account Change History or Property Change History.
  2. Filter by the removed user's email.
  3. Review their recent activity (configuration changes, audience creation, etc.).
  4. Export the change history and archive it with your compliance records.

Schedule next review

  • Add the removal to your quarterly access review log.
  • Set a reminder to review all GA4 users in 90 days.
  • Include GA4 access in onboarding/offboarding checklists.
  • Update access review spreadsheet or CMDB.

Emergency Removal Procedures

For immediate security threats (compromised credentials, malicious activity, data breach):

  1. Immediately remove the user from all account and property access without waiting for asset transfer.
  2. Rotate all API secrets and OAuth tokens the user had access to.
  3. Review change history for suspicious activity:
    • Unexpected filter changes
    • Data deletion or retention changes
    • Audience or conversion deletions
    • User permission changes
  4. Check data exports: Review if any data was exported to BigQuery or via API.
  5. Notify security team and Google Workspace admin immediately.
  6. Document the incident with timestamps and screenshots.
  7. Transfer asset ownership after the emergency removal.
  8. File incident report with security, compliance, and legal teams.

Troubleshooting

Cannot remove user because they're the only Administrator:

  • Add another user as Administrator first.
  • Then remove the target user.
  • Every account and property must have at least one Administrator.

User was removed but can still log in:

  • Check if they have access through a different Google account (personal vs. work email).
  • Verify they were removed from all properties and accounts, not just one.
  • Check linked products (Google Ads, BigQuery) for residual access.
  • Wait a few minutes for changes to propagate across Google systems.

Need to restore a removed user:

  • Removal is permanent; you cannot undo it.
  • Re-invite the user by going to Admin → Access Management → + and adding their email with the appropriate role.
  • Previously configured audiences and conversions remain, but you'll need to re-grant access.

User removed from Google Workspace but still has GA4 access:

  • Google Workspace removal doesn't automatically remove GA4 access.
  • Manually remove the user from GA4 Access Management.
  • Consider implementing Google Cloud Identity or SSO for automated deprovisioning.

Audiences or conversions stopped working after user removal:

  • Audiences and conversions created by a user generally continue working after removal.
  • If they stopped, check if the user was using a personal OAuth token for API integrations.
  • Recreate any broken integrations using a service account or shared credentials.

Cannot remove user from BigQuery:

  • BigQuery IAM permissions are managed separately from GA4.
  • Go to BigQuery → Project → IAM & Admin → Remove user from project permissions.
  • Remove both Viewer and Data Viewer roles.

Best Practices

  • Remove access on the same day as termination or contract end, ideally within hours.
  • Always document asset ownership before removing users to avoid broken integrations.
  • Screenshot before and after every removal for compliance documentation.
  • Run quarterly access reviews to catch stale accounts and maintain least privilege.
  • Document every removal with date, reason, approver, and assets affected.
  • Remove at the highest level (account) when removing completely to ensure no residual property access.
  • Check linked products every time you remove a GA4 user.
  • Use service accounts for integrations instead of individual user credentials to avoid disruption.
  • Maintain at least 2 Administrators for every account and property to prevent lockouts.

Common Use Cases

Employee termination

  1. Receive termination notification from HR with effective date
  2. Review user's current GA4 access at account and property levels
  3. Document all audiences, conversions, and integrations they created
  4. Transfer ownership of critical assets to their manager or designated replacement
  5. Remove user from GA4 Access Management (account and all properties)
  6. Remove from linked products: Google Ads, BigQuery, Search Console, Looker Studio
  7. Rotate any API secrets or OAuth tokens they managed
  8. Export change history for compliance
  9. Document removal with HR ticket reference
  10. Update team roster and access documentation

Agency or consultant contract ends

  1. Confirm contract end date with procurement or project manager
  2. Review which accounts, properties, and linked products they have access to
  3. Transfer ownership of audiences, conversions, and BigQuery exports to internal team
  4. Document all Google Ads links or conversion imports they configured
  5. Remove user from GA4 at account level (removes all property access)
  6. Remove from Google Ads, BigQuery, and other linked products
  7. Rotate any shared API credentials
  8. Update vendor contact list and access matrix
  9. Document removal with contract reference
  10. Conduct knowledge transfer session with internal team if needed

Role change to non-marketing role

  1. Confirm the role change with HR or manager
  2. Assess if any read-only access is needed for reporting purposes
  3. Transfer ownership of all audiences and conversions they created
  4. If no access needed: Remove user completely from all accounts and properties
  5. If read-only needed: Change role from Editor/Marketer to Viewer or Analyst
  6. Remove from Google Ads and other linked products if no longer managing campaigns
  7. Remove from marketing Slack channels or email lists
  8. Document the change with role change effective date
  9. Update team documentation and org chart

Quarterly access review cleanup

  1. Export current Access Management list from all GA4 accounts and properties
  2. Cross-reference against HR roster, Google Workspace users, and active employees
  3. Generate "last login" report from Google Workspace Admin (if available)
  4. Identify users who:
    • Left the organization
    • Haven't logged in for 90+ days
    • No longer require GA4 access based on current role
    • Have excessive permissions (Administrator when Viewer is sufficient)
  5. For each user to remove:
    • Review owned assets and transfer if needed
    • Document reason for removal
    • Remove from all accounts and properties
  6. Export updated Access Management list and compare to original
  7. Document all removals in quarterly access review report
  8. Present findings to security, compliance, or data governance team
  9. Update access review schedule for next quarter

Security incident response

  1. Security team identifies compromised credentials or suspicious GA4 activity
  2. Immediately remove the user from all accounts and properties
  3. Rotate all API secrets and OAuth tokens they had access to
  4. Review change history for unauthorized activity:
    • Filter changes that could hide data
    • Audience or conversion deletions
    • User permission escalations
    • Data retention or deletion rule changes
    • BigQuery export configuration changes
  5. Check if any data was exported via:
    • BigQuery exports
    • Data API calls
    • Looker Studio report access
    • Measurement Protocol data injection
  6. Document all suspicious activity with timestamps and screenshots
  7. Transfer asset ownership after emergency removal
  8. Report findings to:
    • Security team and CISO
    • Compliance and legal teams
    • Data privacy officer
    • Google Workspace admin
  9. Update incident response documentation
  10. Implement additional security controls (MFA, IP restrictions) if needed

Google Workspace deprovisioning

  1. User is removed from Google Workspace by IT admin
  2. Verify if GA4 access is tied to their Workspace account
  3. Manually remove user from GA4 Access Management (Workspace removal doesn't auto-remove)
  4. Check if they had a separate Google account (personal email) with GA4 access
  5. Remove from all linked products that use Google authentication
  6. Confirm user can no longer authenticate to GA4
  7. Document removal with Google Workspace change reference
  8. Audit other Workspace-provisioned GA4 accounts for accuracy
  9. Consider implementing automated deprovisioning via SSO/SAML
↑ Back to top
// SYS.FOOTER