As an administrator, you can set up rules in the Google Admin console. To configure a rule, you set up conditions for the rule, and specify what actions to perform when the conditions are met.
There are several types of rules on the Rules page, including reporting rules, activity rules, data protection rules, and system defined rules.
Whether you have the ability to create reporting rules vs. activity rules depends on your Google Workspace edition, your administrative privileges, and the data source. For more information, go to the sections below.
For general instructions about creating and viewing rules, go to Create and manage rules from the Rules page and Create and manage activity rules.
Access to reporting rules
Reporting rules are custom rules created by administrators from the audit and investigation page or from the Rules page. You can use these rules to create and manage custom alerts based on your organization’s log event data (previously called audit logs).
In general, administrators with non-premium editions such as Business Starter, Business Standard, and Education Standard have the ability to create and view reporting rules, and don't have access to activity rules. To create or view reporting rules, admins also need the Reports privilege (for more information, go to Administrator privilege definitions).
- If you're a delegated admin with a premium edition (for example, Enterprise Plus), you can only create reporting rules when you don't have sufficient administrative privileges to create an activity rule for a given data source.
- Super Admins have access to view and modify reporting rules created by delegated admins in their domain.
- You can create reporting rules through all log-event data sources except for Gmail log events.
For more details about reporting rules, see Create and manage reporting rules.
Access to activity rules
Activity rules are more advanced rules created by administrators from the security investigation tool or from the Rules page. With these rules, you can set up alerts and automate actions that happen in response to activity within your domain.
For more details about activity rules, see Create and manage activity rules.
Privileges needed for creating and viewing activity rules
To create or view activity rules, admins need the following privileges:
- Services > Security Center > Activity Rules > View
- Services > Security Center > Activity Rules > Manage
Admins can be assigned full access for creating activity rules for all data sources, or they can be assigned granular access for specific data sources. To set privileges for specific data sources, go to:
- Services > Security Center > This user has full administrative rights for Security Center > Data source > View metadata and attributes
For more details about setting admin privileges for creating and viewing activity rules, go to Admin privileges for the investigation tool.
For details about which Google editions provide access to activity rules, see the table below.
- Super Admins with premium editions such as Enterprise Plus have the ability to create and view activity rules, but are unable to create reporting rules. However, the same Super Admins have access to view and modify reporting rules created by delegated admins in their domain.
- A delegated admin can create an activity rule for a given data source only if they have the necessary administrative privileges for that data source. A delegated admin with a premium edition (for example, Enterprise Plus) can only create reporting rules for a given data source when they don't have the required admin privileges for that data source.
- You can't create activity rules based on live-state data sources such as Chrome browsers, Devices, Gmail messages, and Users. You can only create activity rules based on log-event data sources—for example, Gmail log events or Device log events.
|Google Workspace edition||Activity rule access|
|Enterprise Plus, Enterprise Essentials Plus||Admins have access to activity rules for all log-event data sources for which they have the necessary admin privileges*|
|Education Plus||Admins have access to activity rules for all log-event data sources for which they have the necessary admin privileges*|
|Cloud Identity Premium, Enterprise Standard||Admins have access to activity rules for the following data sources if they have the necessary admin privileges*:|
|Business Starter, Business Standard, Business Plus, Education Fundamentals, Education Standard, Enterprise Essentials||No access to activity rules|
* Access to a data source for creating activity rules depends on your Google Workspace edition and your administrative privileges for specific features in the Google Admin console.
Access to both reporting rules & activity rules
Some administrators can create and view both reporting rules and activity rules depending on the data source. For example, an admin with a Cloud Identity Premium license can create activity rules using some data sources, and reporting rules using other data sources.
For more details, see the above section: Google Workspace editions with access to activity rules.