How to Automate Google Tag Manager User Access with Workspace Groups
By Sophie van Es · April 2026 · 6 min read
How to Automate Google Tag Manager User Access with Workspace Groups
By Sophie van Es | April 2026 | 6 min read
TL;DR: Google Tag Manager has no native support for group-based user access. Every developer, agency partner, and marketer is added to each container individually — and removed the same way (if anyone remembers). By connecting your Workspace groups to GTM container roles, you can automate provisioning, eliminate stale access, and stop toggling between admin consoles.
Why GTM User Management Gets Messy
Google Tag Manager is powerful. Its permission model is not.
GTM organizes access at two levels: accounts and containers. Each container holds the tags, triggers, and variables for a specific website or app. And each user is granted a permission level per container — individually, by email address.
For a team of five, that is fine. For a team of twenty-five with three agency partners and a rotating cast of contractors, it becomes a problem:
- No group-based access. GTM has no concept of teams or groups. You cannot say "everyone in the Frontend Developers group gets Edit access to this container." You add each person one by one.
- Four permission levels per container. Read, Edit, Approve, and Publish — each one granted individually per user per container. Multiply that across ten containers and you are managing hundreds of individual permission assignments.
- Contractor access accumulates. An agency finishes a project but keeps Publish access to your production container. Nobody audits it because GTM does not surface stale permissions or send expiry reminders.
- No audit trail for access changes. GTM logs tag changes, but not who was granted or revoked access and when. If your security team asks "who has Publish rights to our production container?" the answer requires a manual check.
If your organization uses Google Workspace and Google Tag Manager, you already have the building blocks to solve this. The missing piece is the connection between them.
GTM Permissions Explained
Before automating anything, here is what GTM supports at the container level:
| Permission | What they can do |
|---|---|
| Read | View tags, triggers, and variables. Cannot make changes. |
| Edit | Create, modify, and delete tags, triggers, and variables. Cannot publish. |
| Approve | Everything Edit can do, plus approve workspaces for publishing. |
| Publish | Full rights: edit, approve, and publish changes to the live container. |
Most organizations map these to job functions. Your QA team gets Read. Your developers get Edit. Your tag management lead gets Approve or Publish. External agencies might get Edit for implementation work but should not have Publish rights on your production container.
The problem is that these mappings exist in someone's head — not in a system. When team composition changes, the mappings drift.
The Workspace Groups Approach
Google Workspace groups are already your source of truth for team membership. Your IT admin manages them in Google Admin. They reflect who is on which team, right now.
The idea is simple: use those same groups to control GTM access.
Instead of adding individual users to each container, you map a group to a container and permission level:
frontend-devs@yourcompany.com→ Container "Main Website" → Editanalytics-team@yourcompany.com→ Container "Main Website" → Readtag-leads@yourcompany.com→ Container "Main Website" → Publish
When someone joins the frontend-devs group, they automatically get Edit access to the Main Website container. When they leave, it is revoked. No manual step. No forgotten permission.
This works because team membership changes happen in one place (Workspace) and propagate to every connected system.
How RoleFlow Implements This
RoleFlow is the bridge between your Workspace groups and GTM containers.
Connect GTM via OAuth
Sign in with your Google account and authorize RoleFlow to manage user access in your GTM account. This uses standard OAuth — no service accounts, no domain-wide delegation, no JSON keys to manage or rotate.
Map groups to containers
In RoleFlow, you create a mapping:
- Select a Workspace group (e.g.,
frontend-devs@yourcompany.com) - Select a GTM container (e.g., "Main Website")
- Choose the permission level (Read, Edit, Approve, or Publish)
That is the entire setup. One mapping, one time.
Automatic sync
On the Business plan, RoleFlow checks your group memberships every hour and applies changes across all connected containers. A developer joins the team on Monday morning — they have Edit access before the standup call.
On the Free plan, you trigger the sync manually from the dashboard whenever you need it.
Audit log
Every access change is logged with a timestamp: who was added, who was removed, which container, which permission level. Your security team can pull this at any time — no manual container-by-container audit required.
Real Scenario: Onboarding a New Developer
Before RoleFlow:
- New developer joins the frontend team
- IT admin gets a ticket to grant GTM access
- Admin opens GTM, navigates to Account → User Management
- Adds the developer's email to Container 1 with Edit access
- Repeats for Container 2, Container 3, and the staging container
- Developer waits 1-2 days for access, asks in Slack "can someone add me to GTM?"
- Three months later the developer moves to a different team — but nobody revokes their GTM Publish access
With RoleFlow:
- New developer is added to the
frontend-devsWorkspace group (standard onboarding) - Within one hour, RoleFlow syncs the group and grants Edit access to all mapped containers
- Developer has GTM access before they finish their first onboarding call
- When the developer moves teams and is removed from the group, access is automatically revoked on the next sync
No tickets. No manual steps. No stale permissions.
What About Agencies and Contractors?
External partners are where GTM access management gets most dangerous. They need access for a project but should not keep it forever.
With RoleFlow, you create a Workspace group for each agency engagement (e.g., agency-projectx@yourcompany.com) and map it to the relevant containers with the appropriate permission level. When the project ends, remove the group members or delete the group — access is revoked everywhere on the next sync.
This is especially important for Publish access. A contractor with stale Publish rights can push changes to your production container months after their engagement ended. Group-based access makes the offboarding automatic.
Getting Started
RoleFlow works with any Google Workspace organization and any GTM account you have admin access to.
- Sign in at app.roleflow.eu with your Google Workspace account
- Connect your GTM account via OAuth
- Map your first group to a container and permission level
- Sync — manually on Free, automatically every hour on Business
The Free plan supports one group mapping and covers GTM, GA4, and Google Ads. The Business plan (EUR 49/month) removes the limit and adds automatic hourly sync plus an audit log.
No credit card required to start.
Further Reading
- How to Manage GA4 User Access with Google Workspace Groups — the same approach applied to Google Analytics 4
- RoleFlow Pricing — compare Free and Business plans