Google Tag Manager (GTM) gives you great power to manage your website tags. You can use it to add and update tags without having to touch any code. I have been working full-time with GTM for several years as a freelancer, consulting for large multi-billion dollar companies. But with great power comes great responsibility... or how did that go?
This article is about GTM and security.
In order to avoid any misuse of the Google Tag Manager, here are my two recommendations to establish a secure environment. I apply these on my own websites and for my clients, and they have helped me avoid any misuse of GTM.
- Access levels
- Publishing notifications
- Google Account
One of the main security concerns when using the GTM is the access levels. Who has access to what?
GTM lets you set permissions per user, at both the account and the container level. The levels are:
- Can create new containers and modify user permissions for this account as well as its containers.
- Can view basic account information.
- Can publish container versions.
- Can create container versions.
- Can create workspaces and edit tags, triggers, and variables. Cannot modify user permissions.
- Can view tags, triggers, and variables.
Read more about the permission levels in the Google Tag Manager Help Center.
Only the publishing level gives permission to publish code to your production environment. Be stingy with publishing rights: they should be given to as few people as possible. 3–2 tops.
You should carefully define the access levels for your team. Who can read, who can edit and who can publish?
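One way to review who holds publish rights, as an added example that is not part of the original article: it reads a user-permission listing in the JSON shape returned by the Tag Manager API v2 `accounts.user_permissions.list` method and flags containers with more publishers than a chosen limit. The sample data, the `audit` function name and the limit of 3 are assumptions made for illustration.

```python
import json
from collections import defaultdict

MAX_PUBLISHERS = 3  # assumed ceiling, taken from the article's "as few as possible"

# Constructed sample in the shape of a Tag Manager API v2
# accounts.user_permissions.list response (addresses and IDs are made up).
SAMPLE = json.loads("""
{"userPermission": [
  {"emailAddress": "owner@example.com", "accountAccess": {"permission": "admin"},
   "containerAccess": [{"containerId": "111", "permission": "publish"},
                       {"containerId": "222", "permission": "publish"}]},
  {"emailAddress": "dev1@example.com", "accountAccess": {"permission": "user"},
   "containerAccess": [{"containerId": "111", "permission": "publish"}]},
  {"emailAddress": "dev2@example.com", "accountAccess": {"permission": "user"},
   "containerAccess": [{"containerId": "111", "permission": "publish"}]},
  {"emailAddress": "agency@example.com", "accountAccess": {"permission": "user"},
   "containerAccess": [{"containerId": "111", "permission": "publish"},
                       {"containerId": "222", "permission": "edit"}]},
  {"emailAddress": "analyst@example.com", "accountAccess": {"permission": "user"},
   "containerAccess": [{"containerId": "111", "permission": "read"},
                       {"containerId": "222", "permission": "read"}]}
]}
""")

def audit(response, max_publishers=MAX_PUBLISHERS):
    """Return (account admins, publishers per container, containers over the limit)."""
    admins = []
    publishers = defaultdict(list)
    for user in response.get("userPermission", []):
        email = user.get("emailAddress", "<unknown>")
        # Account admins can modify user permissions, so list them separately.
        if user.get("accountAccess", {}).get("permission") == "admin":
            admins.append(email)
        for access in user.get("containerAccess", []):
            if access.get("permission") == "publish":
                publishers[access["containerId"]].append(email)
    per_container = {cid: sorted(who) for cid, who in publishers.items()}
    over = {cid: who for cid, who in per_container.items() if len(who) > max_publishers}
    return sorted(admins), per_container, over

if __name__ == "__main__":
    admins, per_container, over = audit(SAMPLE)
    print("Account admins:", ", ".join(admins))
    for cid, who in sorted(per_container.items()):
        flag = "  <-- too many publishers" if cid in over else ""
        print(f"Container {cid}: {len(who)} publisher(s): {', '.join(who)}{flag}")
```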
If you are using the Google Analytics Tag Manager, you can receive an email notification for any publishing action on your container. But you need to activate that feature in the settings of each container.
You will find the container notifications in the Admin Section:
The most important option there is the “A version is published” dropdown:
Now you will get notified when someone publishes a version to your container. That way you are always aware of what is going on within your GTM. You will also get an email for your own GTM publishes.
The third thing I want to mention here is the Google Account. Since you access your GTM as well as GA via your Google Account, you should keep that access secure. Luckily, Google already takes that very seriously. But I highly recommend activating 2-factor authentication or the Phone Login. With that, every time you log in to your Google Account, you must confirm with your phone as well.
With full access to the GTM you have a lot of power. Handle it by securing it.
I hope this article helps you to stay secure. If you have additional tips for securing the GTM, please share them in the comments.
Thanks for reading and happy tracking!