Permissions and Vault Privileges

As a Google Workspace administrator, you can allow users in your organization to do all Vault tasks or only a specific subset. For example, you might allow certain users to set retention rules, and allow a different group to search and export data.

You can give a user Vault privileges without giving them a Vault license. Users don’t need Vault licenses to have Vault privileges.

Create an admin role with Vault privileges

You must be signed in as a super administrator for this.

1. Sign in with a super administrator account to the Google Admin console.
   If you aren’t using a super administrator account, you can’t complete these steps.

2. Go to Menu  Account > Admin roles.

3. Click Create a new role.

4. Enter a name and description for the role. For example, the name could be the privilege that the user will have.

5. Click Continue

6. Locate and expand the Google Vault section.
   Tip: In the search box, enter Google Vault.

7. Select privileges for the role. For more details, go to the Vault Privileges reference.

8. Click Continue.

9. Review the privileges you selected, then click Create Role.

Assign Vault roles to users

You must be signed in as a super administrator for this task.

You can assign Vault roles to one user at a time or to several users at once.

With either approach:

• Users usually get the new role within minutes, but it can take up to 24 hours.

• If the role includes only Manage Exports, Manage Searches, Manage Holds, and Manage Matters, you can restrict the scope of the role to a specific organizational unit.

Allow an external user to access Vault

Your organization can grant Vault access to external users, such as the members of a regulatory agency, to comply with an investigation or audit. Your Google Workspace administrator must first add these users to your organization in the Admin console and give them privileges to search in Vault, view reports, or perform other tasks. 

To grant access and assign Vault privileges to external users:

1. Sign in to the Admin console.

2. Create a new organizational unit for external users.

3. Turn services on or off (for example, Gmail) for this organizational unit as required.

4. Add external users to this organizational unit.
   For example, if you want sarah@solarmora.com, an external investigator, to access Vault, you can add her as sarah-solarmora@your_domain.com.
   Note: If you're using Directory Sync to manage your users, you must add external users to your LDAP directory or to Directory Sync so that they aren't automatically removed during synchronization.

5. Create a new admin role with the required Vault privileges.

6. Assign the admin role to external users as needed.

These external users do not require a Vault license.

To help external users get started in Vault:

1. Get usernames and passwords from the Google Workspace administrator (created in step 4 above). External users enter these sign-in credentials to access Vault.

2. Give these credentials to external users.

3. Tell these users where to sign in to Vault.