First admin
The first admin is normally granted by the deployment operator or by the One-Command Install bootstrap script. If you need to grant it manually, use the admin helper:administrative_principal record and records the grant in the audit log.
Grant and revoke principals
Admins can list, grant, and revoke administrative principals through the admin API.admin, auditor, billing_admin, and support.
Read audit events
Auditors and admins can list audit events:action, actorUserId, resourceType, and before filters to narrow results.
Manage budgets
Admins andbilling_admin can read usage and adjust budgets:
administration.budget.adjust audit events.
Checklist
Before handing the deployment to end users:- The first admin is granted and has signed in.
- Additional admin roles are granted and documented.
- Audit logging is enabled and reachable.
- Usage and budget controls are understood by the finance/IT contact.
- The Enterprise Security Launch Checklist is complete.