In G Suite, two settings control a person's access: the account's assigned organizational unit and the account's privileges. The organizational unit determines which services a person may access, while the account's privileges determine which administrative settings a person may change.
Every G Suite account belongs to one organizational unit and all accounts connect to a single organizational unit, initially. Because of this, every account accesses the same set of apps. An administrator creates a new organizational unit to provide access to different services for different groups. For example, a school may create “faculty”, “staff”, and “student”; organizational units, in order to provide each group access to different sets of G Suite services.
Each person's account also receives privileges assigned by an administrator. To simplify management, Google provides several "pre-built" collections of privileges in the form of administrative Roles. (An administrator also may create new roles as needed.) An administrator may assign multiple administrative roles to an account.
In some cases, it helps to restrict an administrative role to a specific organizational unit. For example, a person might be assigned the "User Management Admin" role for the "Staff" organizational unit. The person could create or delete user accounts in the "Staff" organizational unit only; they would not be able to create or delete user accounts for "Faculty" or "Students". This ability to configure and delegate administrative privileges for an organizational unit allows G Suite to scale to serve the needs of a large organization.
If you’re looking to learn even more about organizational units and permissions in G Suite, check out our recent eBook. With this eBook, you can work smarter, not harder. The guide offers tips on how to delegate permissions to users, control access, improve efficiency, and simplify time-consuming tasks. Download it today and boost your productivity!