CSM

Grant Client GA4 Access

Needs review — This SOP contains our content but has not been verified by Nick. Treat as a working draft until marked Live.

SOP: Grant Client Access to Their GA4 + GSC

Last Updated: 2026-04-21 Version: 1.0 Tier: Onboarding — Client Transparency

Purpose

Clients should be able to see their own data. Granting them read-only access to GA4 and GSC during onboarding does three things:

Builds trust — they see what Tekton sees, nothing hidden
Lets them answer their own “did my ads work?” questions between our monthly reports
Documents the engagement start date cleanly (they see day 0 in their own dashboard)

What we DON’T do: grant Admin or Editor access. They get Viewer/Analyst only — read plus standard GA4 analysis features, but zero configuration powers. We own the property; they see the data.

When to Run: During onboarding, after the site is live and tracking is verified (Site Launch Gate complete) Owner: CSM Timeline: 5 minutes

What You Need Before Starting

Client’s Google account email — the one they’ll log in with. Ask specifically: “What Gmail address do you want to use for Google Analytics and Search Console?” If they give you a business email like info@acme.com, confirm that’s set up as a Google account (Gmail or Google Workspace). If not, have them create one or use a personal Gmail.
The client’s GA4 property is created (should be — from /gsc-verify onboarding)
The client’s GSC property is verified (should be — from /gsc-verify onboarding)

Step 1: Grant GA4 Access (Viewer)

Go to https://analytics.google.com logged in as nick@tektongrowth.com
Open the client’s property (use the property picker top-left)
Admin → Property access management
Click + (top right) → Add users
Enter the client’s email
Permissions: check Viewer
Leave the email notification box on (Google emails them a notice)
Click Add

What the client now has:

Read-only access to all GA4 reports (Realtime, Acquisition, Engagement, Monetization, Retention)
Cannot change property settings, event configs, or data streams
Cannot grant access to other users

Step 2: Grant GSC Access (Restricted / Full User — NOT Owner)

Go to https://search.google.com/search-console logged in as nick@tektongrowth.com
Open the client’s property
Settings (gear, left nav bottom) → Users and permissions
Click Add user
Enter the client’s email
Permission: Full User (NOT Owner)
Click Add

Why Full User and not Restricted: Restricted can’t see security issues or request indexing. Full User gives them useful visibility without granting property-level admin powers (Owner would let them remove us).

Why NOT Owner: Owner access would let the client remove Tekton and the seo-brain service account. We never give clients Owner access on any property we manage.

Step 3: Confirm Access via Welcome Email

After granting both, send this short welcome email (templated in GHL as “GA4 + GSC Access Granted”):

Hi [First Name],

You now have viewer access to your Google Analytics 4 and Google
Search Console properties. You'll get separate confirmation emails
from Google with direct links.

Quick bookmarks to save:
- Analytics: https://analytics.google.com
- Search Console: https://search.google.com/search-console

You'll see data starting [Launch Date]. First reports take 24-48
hours to populate fully, and organic search numbers take 2-4 weeks
to become meaningful as Google indexes the site.

We'll walk through it together on your monthly review call. In the
meantime, poke around — you can't break anything from a Viewer
account.

— [Your Name]

Step 4: Document in `clients.json`

Update the client’s entry in /Users/nick/Projects/seo-ops-skills/clients.json:

"client-slug": {
  ...,
  "clientGoogleEmail": "jane@acmehardscapes.com",
  "gscAccessGranted": "2026-04-21",
  "ga4AccessGranted": "2026-04-21"
}

This matters for audit trails — in 6 months when Jane emails saying “I lost access,” we can see when it was granted and to which email.

Revoking Access (when a client offboards)

When a client offboards (see csm/offboarding.md):

GA4 → Admin → Property access management → find the client’s email → Remove
GSC → Settings → Users and permissions → find the email → Remove
If they want a copy of their data first, export it as CSVs before removing access (see offboarding SOP for the exports)
Update clients.json: add gscAccessRevoked + ga4AccessRevoked timestamps

Edge Cases

Client wants their own GA4 account, not ours

Some larger clients (rare for Tekton) prefer to own their own Google Analytics setup. In that case:

They create a GA4 property in their own account
They add seo-brain@core-depth-472801-t2.iam.gserviceaccount.com as Editor on their property (same flow, different direction)
They add us (nick@tektongrowth.com) as Editor so we can configure events
Site config points at their measurement ID, not ours

Document this case clearly in clients.json: set ga4Owner: "client" so future monthly audits know the lead data lives in their account.

Client gives us a shared email like `marketing@acmehardscapes.com`

Fine, but note: if multiple people use that inbox, they all get Viewer access to GA4 by extension. Confirm with the primary contact that’s OK.

Client doesn’t have a Google account

Ask them to create one:

Gmail (personal, free): accounts.google.com/signup
Google Workspace (business, if they don’t have email infra): workspace.google.com

Either works. Don’t create an account for them — it becomes our problem if they forget the password.

Version Control

v1.0 (2026-04-21): Initial SOP. Standard CSM flow for granting clients view-only access to their GA4 + GSC properties during onboarding.