---
title: Google Workspace user assigned administrative role
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Google Workspace user assigned
  administrative role
---

# Google Workspace user assigned administrative role
Classification:attackTactic:[TA0003-persistence](https://attack.mitre.org/tactics/TA0003)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect when a user is added to an administrator role on Google Workspace.

## Strategy{% #strategy %}

Monitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@usr.role` has the suffix `_ADMIN_ROLE`.

## Triage and response{% #triage-and-response %}

1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user (`{{@event.parameters.USER_EMAIL}}`) should legitimately be given the admin role.
1. If the user (`{{@event.parameters.USER_EMAIL}}`) was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.
1. Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added admin (`{{@event.parameters.USER_EMAIL}}`).

## Changelog{% #changelog %}

- 17 April 2025 - Updated rule query to include case for super administrator role.