Which administrator role has no permission to edit groups or assign users to groups?

The role of an account viewer is specifically designed for individuals who need to monitor and view data without having the ability to modify or manage configurations within the system, including user groups. This role is limited to viewing information, which means they cannot make any changes to user group assignments or the composition of those groups. This is crucial for maintaining security and integrity within the account, ensuring that only designated users can manage access permissions.

In contrast, other roles such as deployment admin and confidential data admin typically come with a broader set of permissions that encompass administrative tasks, including user and group management. The log viewer role, while focused on data access, may still include permissions beyond merely viewing, potentially impacting group assignments as well. Thus, the account viewer role effectively restricts any editing capabilities regarding user groups, making it the correct choice for the question.