Admin Audit Activity Events - Delegated Admin Settings

This document lists the events and parameters for Delegated Admin Settings Admin Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=admin.

Delegated Admin Settings

Events of this type are returned with type=DELEGATED_ADMIN_SETTINGS.

Role Assign

Event details
Event name ASSIGN_ROLE
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

ROLE_NAME

string

The role name for this privilege that is assigned to USER_NAME. A delegated administrator's role is granted by the super administrator. See note for restrictions. Possible values:

  • _DAR_NETWORK_MANAGEMENT_ROLE
    Indirect Reseller Network Admin role value.
  • _DAR_RESOLD_CUSTOMER_MANAGEMENT_ROLE
    Indirect Reseller Resold Customer Admin role value.
  • _DIRECTORY_SYNC_ADMIN_ROLE
  • _DOMAINLESS_SUPER_ADMIN_ROLE
  • _DRIVE_TEAM_ADMIN_ROLE
  • _GOOGLE_VOICE_ADMIN_ROLE
  • _GROUPS_ADMIN_ROLE
  • _GROUPS_EDITOR_ROLE
    Display Name for Groups Editor Role in Admin Console.
  • _GROUPS_READER_ROLE
    Display Name for Groups Reader Role in Admin Console.
  • _HELP_DESK_ADMIN_ROLE
  • _LDAP_GROUP_MANAGEMENT_READONLY_ROLE
  • _LDAP_PASSWORD_REBIND_ROLE
  • _LDAP_USER_MANAGEMENT_READONLY_ROLE
  • _LEGACY_ENTERPRISE_SUPPORT_ROLE
    Legacy Enterprise Support Role value.
  • _LEGACY_RESOLD_ENTERPRISE_SUPPORT_ROLE
    Legacy Resold Enterprise Support Role value.
  • _MOBILE_ADMIN_ROLE
  • _PLAY_FOR_WORK_ADMIN_ROLE
  • _RESELLER_ADMIN_ROLE
  • _SEED_ADMIN_ROLE
  • _SERVICE_ADMIN_ROLE
  • _STORAGE_ADMIN_ROLE
  • _TEAM_ADMIN_ROLE
  • _USER_MANAGEMENT_ADMIN_ROLE
USER_EMAIL

string

The primary email address of the delegated administrator assigned the role. For more information about delegated administrator roles, see the administration help center.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ASSIGN_ROLE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Role {ROLE_NAME} assigned to user {USER_EMAIL}

Role Creation

Event details
Event name CREATE_ROLE
Parameters
ROLE_ID

string

Unique identifier for this privilege. A delegated administrator's role is granted by the super administrator. See note for restrictions.

ROLE_NAME

string

The new role name. See note for restrictions. For more information about delegated administrator roles, see the administration help center. Possible values:

  • _DAR_NETWORK_MANAGEMENT_ROLE
    Indirect Reseller Network Admin role value.
  • _DAR_RESOLD_CUSTOMER_MANAGEMENT_ROLE
    Indirect Reseller Resold Customer Admin role value.
  • _DIRECTORY_SYNC_ADMIN_ROLE
  • _DOMAINLESS_SUPER_ADMIN_ROLE
  • _DRIVE_TEAM_ADMIN_ROLE
  • _GOOGLE_VOICE_ADMIN_ROLE
  • _GROUPS_ADMIN_ROLE
  • _GROUPS_EDITOR_ROLE
    Display Name for Groups Editor Role in Admin Console.
  • _GROUPS_READER_ROLE
    Display Name for Groups Reader Role in Admin Console.
  • _HELP_DESK_ADMIN_ROLE
  • _LDAP_GROUP_MANAGEMENT_READONLY_ROLE
  • _LDAP_PASSWORD_REBIND_ROLE
  • _LDAP_USER_MANAGEMENT_READONLY_ROLE
  • _LEGACY_ENTERPRISE_SUPPORT_ROLE
    Legacy Enterprise Support Role value.
  • _LEGACY_RESOLD_ENTERPRISE_SUPPORT_ROLE
    Legacy Resold Enterprise Support Role value.
  • _MOBILE_ADMIN_ROLE
  • _PLAY_FOR_WORK_ADMIN_ROLE
  • _RESELLER_ADMIN_ROLE
  • _SEED_ADMIN_ROLE
  • _SERVICE_ADMIN_ROLE
  • _STORAGE_ADMIN_ROLE
  • _TEAM_ADMIN_ROLE
  • _USER_MANAGEMENT_ADMIN_ROLE
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=CREATE_ROLE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
New role {ROLE_NAME} created

Role Deletion

Event details
Event name DELETE_ROLE
Parameters
ROLE_ID

string

Unique identifier for this privilege. A delegated administrator's role is granted by the super administrator. See note for restrictions.

ROLE_NAME

string

The role was deleted for this ROLE_NAME. See note for restrictions. For more information about delegated administrator roles, see the administration help center. Possible values:

  • _DAR_NETWORK_MANAGEMENT_ROLE
    Indirect Reseller Network Admin role value.
  • _DAR_RESOLD_CUSTOMER_MANAGEMENT_ROLE
    Indirect Reseller Resold Customer Admin role value.
  • _DIRECTORY_SYNC_ADMIN_ROLE
  • _DOMAINLESS_SUPER_ADMIN_ROLE
  • _DRIVE_TEAM_ADMIN_ROLE
  • _GOOGLE_VOICE_ADMIN_ROLE
  • _GROUPS_ADMIN_ROLE
  • _GROUPS_EDITOR_ROLE
    Display Name for Groups Editor Role in Admin Console.
  • _GROUPS_READER_ROLE
    Display Name for Groups Reader Role in Admin Console.
  • _HELP_DESK_ADMIN_ROLE
  • _LDAP_GROUP_MANAGEMENT_READONLY_ROLE
  • _LDAP_PASSWORD_REBIND_ROLE
  • _LDAP_USER_MANAGEMENT_READONLY_ROLE
  • _LEGACY_ENTERPRISE_SUPPORT_ROLE
    Legacy Enterprise Support Role value.
  • _LEGACY_RESOLD_ENTERPRISE_SUPPORT_ROLE
    Legacy Resold Enterprise Support Role value.
  • _MOBILE_ADMIN_ROLE
  • _PLAY_FOR_WORK_ADMIN_ROLE
  • _RESELLER_ADMIN_ROLE
  • _SEED_ADMIN_ROLE
  • _SERVICE_ADMIN_ROLE
  • _STORAGE_ADMIN_ROLE
  • _TEAM_ADMIN_ROLE
  • _USER_MANAGEMENT_ADMIN_ROLE
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=DELETE_ROLE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Role {ROLE_NAME} deleted

Role Privilege Creation

Event details
Event name ADD_PRIVILEGE
Parameters
PRIVILEGE_NAME

string

The new privilege name which has been added to the ROLE_NAME. Granted to a delegated administrator by a super administrator. For more information about delegated administrator privileges, see the administration help center.

ROLE_ID

string

Unique identifier for this privilege. A delegated administrator's role is granted by the super administrator. See note for restrictions.

ROLE_NAME

string

The new PRIVILEGE_NAME added to this ROLE_NAME. See note for restrictions. Possible values:

  • _DAR_NETWORK_MANAGEMENT_ROLE
    Indirect Reseller Network Admin role value.
  • _DAR_RESOLD_CUSTOMER_MANAGEMENT_ROLE
    Indirect Reseller Resold Customer Admin role value.
  • _DIRECTORY_SYNC_ADMIN_ROLE
  • _DOMAINLESS_SUPER_ADMIN_ROLE
  • _DRIVE_TEAM_ADMIN_ROLE
  • _GOOGLE_VOICE_ADMIN_ROLE
  • _GROUPS_ADMIN_ROLE
  • _GROUPS_EDITOR_ROLE
    Display Name for Groups Editor Role in Admin Console.
  • _GROUPS_READER_ROLE
    Display Name for Groups Reader Role in Admin Console.
  • _HELP_DESK_ADMIN_ROLE
  • _LDAP_GROUP_MANAGEMENT_READONLY_ROLE
  • _LDAP_PASSWORD_REBIND_ROLE
  • _LDAP_USER_MANAGEMENT_READONLY_ROLE
  • _LEGACY_ENTERPRISE_SUPPORT_ROLE
    Legacy Enterprise Support Role value.
  • _LEGACY_RESOLD_ENTERPRISE_SUPPORT_ROLE
    Legacy Resold Enterprise Support Role value.
  • _MOBILE_ADMIN_ROLE
  • _PLAY_FOR_WORK_ADMIN_ROLE
  • _RESELLER_ADMIN_ROLE
  • _SEED_ADMIN_ROLE
  • _SERVICE_ADMIN_ROLE
  • _STORAGE_ADMIN_ROLE
  • _TEAM_ADMIN_ROLE
  • _USER_MANAGEMENT_ADMIN_ROLE
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=ADD_PRIVILEGE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
New privilege {PRIVILEGE_NAME} created under role {ROLE_NAME}

Role Privilege Deletion

Event details
Event name REMOVE_PRIVILEGE
Parameters
PRIVILEGE_NAME

string

Removed this privilege name from ROLE_NAME. Granted to a delegated administrator by a super administrator. For more information about delegated administrator privileges, see the administration help center.

ROLE_ID

string

Unique identifier for this privilege. A delegated administrator's role is granted by the super administrator. See note for restrictions.

ROLE_NAME

string

The role from which the privilege was removed. See note for restrictions. Possible values:

  • _DAR_NETWORK_MANAGEMENT_ROLE
    Indirect Reseller Network Admin role value.
  • _DAR_RESOLD_CUSTOMER_MANAGEMENT_ROLE
    Indirect Reseller Resold Customer Admin role value.
  • _DIRECTORY_SYNC_ADMIN_ROLE
  • _DOMAINLESS_SUPER_ADMIN_ROLE
  • _DRIVE_TEAM_ADMIN_ROLE
  • _GOOGLE_VOICE_ADMIN_ROLE
  • _GROUPS_ADMIN_ROLE
  • _GROUPS_EDITOR_ROLE
    Display Name for Groups Editor Role in Admin Console.
  • _GROUPS_READER_ROLE
    Display Name for Groups Reader Role in Admin Console.
  • _HELP_DESK_ADMIN_ROLE
  • _LDAP_GROUP_MANAGEMENT_READONLY_ROLE
  • _LDAP_PASSWORD_REBIND_ROLE
  • _LDAP_USER_MANAGEMENT_READONLY_ROLE
  • _LEGACY_ENTERPRISE_SUPPORT_ROLE
    Legacy Enterprise Support Role value.
  • _LEGACY_RESOLD_ENTERPRISE_SUPPORT_ROLE
    Legacy Resold Enterprise Support Role value.
  • _MOBILE_ADMIN_ROLE
  • _PLAY_FOR_WORK_ADMIN_ROLE
  • _RESELLER_ADMIN_ROLE
  • _SEED_ADMIN_ROLE
  • _SERVICE_ADMIN_ROLE
  • _STORAGE_ADMIN_ROLE
  • _TEAM_ADMIN_ROLE
  • _USER_MANAGEMENT_ADMIN_ROLE
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=REMOVE_PRIVILEGE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Privilege {PRIVILEGE_NAME} removed from role {ROLE_NAME}

Role Rename

Event details
Event name RENAME_ROLE
Parameters
NEW_VALUE

string

The new role name.

ROLE_NAME

string

The old role name that is being renamed. For more information about delegated administrator privileges, see the administration help center. Possible values:

  • _DAR_NETWORK_MANAGEMENT_ROLE
    Indirect Reseller Network Admin role value.
  • _DAR_RESOLD_CUSTOMER_MANAGEMENT_ROLE
    Indirect Reseller Resold Customer Admin role value.
  • _DIRECTORY_SYNC_ADMIN_ROLE
  • _DOMAINLESS_SUPER_ADMIN_ROLE
  • _DRIVE_TEAM_ADMIN_ROLE
  • _GOOGLE_VOICE_ADMIN_ROLE
  • _GROUPS_ADMIN_ROLE
  • _GROUPS_EDITOR_ROLE
    Display Name for Groups Editor Role in Admin Console.
  • _GROUPS_READER_ROLE
    Display Name for Groups Reader Role in Admin Console.
  • _HELP_DESK_ADMIN_ROLE
  • _LDAP_GROUP_MANAGEMENT_READONLY_ROLE
  • _LDAP_PASSWORD_REBIND_ROLE
  • _LDAP_USER_MANAGEMENT_READONLY_ROLE
  • _LEGACY_ENTERPRISE_SUPPORT_ROLE
    Legacy Enterprise Support Role value.
  • _LEGACY_RESOLD_ENTERPRISE_SUPPORT_ROLE
    Legacy Resold Enterprise Support Role value.
  • _MOBILE_ADMIN_ROLE
  • _PLAY_FOR_WORK_ADMIN_ROLE
  • _RESELLER_ADMIN_ROLE
  • _SEED_ADMIN_ROLE
  • _SERVICE_ADMIN_ROLE
  • _STORAGE_ADMIN_ROLE
  • _TEAM_ADMIN_ROLE
  • _USER_MANAGEMENT_ADMIN_ROLE
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=RENAME_ROLE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Role renamed from {ROLE_NAME} to {NEW_VALUE}

Role Updated

Event details
Event name UPDATE_ROLE
Parameters
ROLE_ID

string

Unique identifier for this privilege. A delegated administrator's role is granted by the super administrator. See note for restrictions.

ROLE_NAME

string

The name of the new role to apply. For more information about delegated administrator roles, see the administration help center. Possible values:

  • _DAR_NETWORK_MANAGEMENT_ROLE
    Indirect Reseller Network Admin role value.
  • _DAR_RESOLD_CUSTOMER_MANAGEMENT_ROLE
    Indirect Reseller Resold Customer Admin role value.
  • _DIRECTORY_SYNC_ADMIN_ROLE
  • _DOMAINLESS_SUPER_ADMIN_ROLE
  • _DRIVE_TEAM_ADMIN_ROLE
  • _GOOGLE_VOICE_ADMIN_ROLE
  • _GROUPS_ADMIN_ROLE
  • _GROUPS_EDITOR_ROLE
    Display Name for Groups Editor Role in Admin Console.
  • _GROUPS_READER_ROLE
    Display Name for Groups Reader Role in Admin Console.
  • _HELP_DESK_ADMIN_ROLE
  • _LDAP_GROUP_MANAGEMENT_READONLY_ROLE
  • _LDAP_PASSWORD_REBIND_ROLE
  • _LDAP_USER_MANAGEMENT_READONLY_ROLE
  • _LEGACY_ENTERPRISE_SUPPORT_ROLE
    Legacy Enterprise Support Role value.
  • _LEGACY_RESOLD_ENTERPRISE_SUPPORT_ROLE
    Legacy Resold Enterprise Support Role value.
  • _MOBILE_ADMIN_ROLE
  • _PLAY_FOR_WORK_ADMIN_ROLE
  • _RESELLER_ADMIN_ROLE
  • _SEED_ADMIN_ROLE
  • _SERVICE_ADMIN_ROLE
  • _STORAGE_ADMIN_ROLE
  • _TEAM_ADMIN_ROLE
  • _USER_MANAGEMENT_ADMIN_ROLE
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UPDATE_ROLE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Role {ROLE_NAME} updated

Unassign Role

Event details
Event name UNASSIGN_ROLE
Parameters
ORG_UNIT_NAME

string

The organizational unit (OU) name (path).

ROLE_NAME

string

Role name that is being unassigned from USER_EMAIL. A delegated administrator's role is granted by the super administrator. See note for restrictions. Possible values:

  • _DAR_NETWORK_MANAGEMENT_ROLE
    Indirect Reseller Network Admin role value.
  • _DAR_RESOLD_CUSTOMER_MANAGEMENT_ROLE
    Indirect Reseller Resold Customer Admin role value.
  • _DIRECTORY_SYNC_ADMIN_ROLE
  • _DOMAINLESS_SUPER_ADMIN_ROLE
  • _DRIVE_TEAM_ADMIN_ROLE
  • _GOOGLE_VOICE_ADMIN_ROLE
  • _GROUPS_ADMIN_ROLE
  • _GROUPS_EDITOR_ROLE
    Display Name for Groups Editor Role in Admin Console.
  • _GROUPS_READER_ROLE
    Display Name for Groups Reader Role in Admin Console.
  • _HELP_DESK_ADMIN_ROLE
  • _LDAP_GROUP_MANAGEMENT_READONLY_ROLE
  • _LDAP_PASSWORD_REBIND_ROLE
  • _LDAP_USER_MANAGEMENT_READONLY_ROLE
  • _LEGACY_ENTERPRISE_SUPPORT_ROLE
    Legacy Enterprise Support Role value.
  • _LEGACY_RESOLD_ENTERPRISE_SUPPORT_ROLE
    Legacy Resold Enterprise Support Role value.
  • _MOBILE_ADMIN_ROLE
  • _PLAY_FOR_WORK_ADMIN_ROLE
  • _RESELLER_ADMIN_ROLE
  • _SEED_ADMIN_ROLE
  • _SERVICE_ADMIN_ROLE
  • _STORAGE_ADMIN_ROLE
  • _TEAM_ADMIN_ROLE
  • _USER_MANAGEMENT_ADMIN_ROLE
USER_EMAIL

string

The delegated administrator's primary email address. The role is being unassigned from this user. For more information about delegated administrator roles, see the administration help center.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=UNASSIGN_ROLE&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Unassigned role {ROLE_NAME} from user {USER_EMAIL}