Google Tag Manager

How to make your Google Tag Manager secure? GTM Tip!

Phone/Lock/Safe. Attribution is appreciated. Please link to . Use this image for free.

The Google Tag Manager gives you great power to manage your website tags. You can use it to add and update tags without having to touch any code. I am working full-time with the GTM for several years as a Freelancer, consulting large multi-billion dollar companies. But with great power comes great responsibility.. or how was that?

The thing is, using the GTM you can not just add, change and remove JavaScript code anytime just within minutes. You can also add malware or other malicious code to websites. Or just crashing your client’s website. The GTM is a great tool, but it can also be used for evil.

This article is about GTM and security.

In order to avoid any misuse of the Google Tag Manager, here are my two recommendations to establish a secure environment. These I am applying on my websites and clients, and they helped me to avoid any misuse of the GTM.

  1. Access levels
  2. Publishing notifications
  3. Google Account

Access levels

One of the main security concerns when using the GTM is the access levels. Who has access to what?

The GTM provides a granularity per container and account per user. The levels are:

Account permissions

  • Admin
    Can create new containers and modify user permissions for this account as well as its containers.
  • User
    Can view basic account information

Container permissions

  • Publish
    Can publish container versions.
  • Approve
    Can create container versions.
  • Edit
    Can create workspaces and edit tags, triggers, and variables. Cannot modify user permissions.
  • Read
    Can view tags, triggers, and variables.

Read more about the permission levels in the Google Tag Manager Help Center.

Only the publishing level gives ​the permission to publish code to your production environment. Be greedy with publishing rights. The publishing rights should be given to as few people as possible. 3–2 tops.

You should carefully define the access levels for your team. Who can read, who can edit and who can publish?

Publishing notifications

If you are using the Google Analytics Tag Manager, you can receive an email notification for any publishing action on your container. But you need to activate that feature in the settings of each container.

You will find the container notifications in the Admin Section:

And there the most important option is the “A version is published”-Dropdown:

Now you will get notified when someone publishes a version to your container. That way you are always aware of what is going on within your GTM. You will also get an email for your own GTM publishes.

Google Account

And the third I want to mention here is the Google Account. Since you access your GTM as well as GA via your Google Account, you should keep the access secure. Luckily Google is already taking that very seriously. But I highly recommend activating the 2-factor authentication or the Phone Login. With that, every time you login into your Google Account, you must confirm with your form as well.


With full access to the GTM you have a lot of power. Handle it by securing it.

I hope this article helps you to stay secure. If you have additional tips for securing the GTM, please share them in the comments.

Thanks for reading and happy tracking!

Leave a Reply