As a Google Workspace administrator, you can allow users in your organization to do all Vault tasks or only a specific subset. For example, you might allow certain users to set retention rules, and allow a different group to search and export data.
Before you give users Vault privileges, consult with your organization's legal experts or business personnel to determine which users require access to Vault tools. For some Vault privileges, such as managing searches or exports, you can restrict the privilege so that the user can work with only user data in a specific organizational unit.
Accounts with Vault privileges should be treated as sensitive because they have access and control over other users’ data in your organization.
To grant privileges to a user, you create an admin role that includes one or more Vault privileges. Then, assign the admin role to the user.
Note: You can give a user Vault privileges without giving them a Vault license. Users don’t need Vault licenses to have Vault privileges.
In this article
- Step 1: Create an admin role with Vault privileges
- Step 2: Assign Vault roles to users
- Privileges reference
- Privileges examples
- Troubleshoot Vault privileges
Step 1: Create an admin role with Vault privileges
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu AccountAdmin roles.
- Click Create a new role.
- Enter a name and description for the role. For example, the name could be the privilege that the user will have.
- Click Continue.
- Locate and expand the Google Vault section.
Tip: In the search box, enter Google Vault.
- Select privileges for the role. For more details, go to the Vault Privileges reference (later on this page).
- Click Continue.
- Review the privileges you selected then click Create Role.
Step 2: Assign Vault roles to users
You must be signed in as a super administrator for this task.
You can assign Vault roles to one user at a time, or to several users at once.
With either approach:
- Users usually get the new role within minutes, but it can take up to 24 hours.
- If the role includes only Manage Exports, Manage Searches, Manage Holds, and Manage Matters, you can restrict the scope of the role to a specific organizational unit.
For instructions, go to Assign roles.
Privileges reference
You can restrict some Vault privileges, such as managing exports, to an organizational unit. Other privileges apply to all organizational units.
Privileges examples
The following table provides a summary of privileges that you can combine as needed.
What the user wants to do | What to select |
---|---|
Search & export privileges |
|
Search data, preview results, and save queries, but not export search results | Select Manage Searches. To allow a user to search in any matter, not just matters owned by or shared with the user, also select View All Matters. |
View, download, and delete exports, but not create exports | Select Manage Exports. To allow a user to work with exports in any matter, not just matters owned by or shared with the user, also select View All Matters. |
Create exports, plus all other search and export actions | Select Manage Searches and Manage Exports. To allow a user to search and export in any matter, not just matters owned by or shared with the user, also select View All Matters. |
Create and remove holds, view lists of holds |
Select Manage Holds. To allow a user to create and remove holds in any matter, not just matters owned by or shared with the user, also select View All Matters. |
View audit logs for all matters, view and hold reports | Select Access All Logs. |
View audit logs and holds for matters they can access, view all hold reports | Select Manage Audits. |
Create, share, close, and delete matters | Select Manage Matters and at least one of the following: Manage Holds, Manage Searches, Manage Exports, or Manage Audits. |
Retention privileges |
|
View, create, edit, and delete retention rules | Select Manage Retention Policies. |
View retention rules, but not create, edit, or delete them | Select View Retention Policies. |
Troubleshoot Vault privileges
User doesn’t have any matters listed on the Matters page
If the user's admin role doesn't include the View All Matters privilege, then the user can only see matters they own and matters shared with them. The user won't see any matters if they don't own any and don't have any shared with them.
How to fix: Share matters with the user. For instructions, go to Share a matter.
User can’t open any matters
If the user's admin role has only the View All Matters privilege and no other privileges, then the user can only view the list of matters but not open them.
How to fix: You have 2 options:
- Assign the user another admin role that includes another Vault privilege.
- Edit the user's assigned admin role to include another Vault privilege.