Admin privileges for the investigation tool

To use the investigation tool you need to be an administrator with investigation tool privileges. Super administrators have these privileges by default, or you can add them to a custom administrator role.  

Your access to the security investigation tool

  • The security investigation tool requires a premium Google Workspace edition (Enterprise Plus, Enterprise Standard, or Education Plus).
  • You can access logs using the Chrome browser for the Google apps you have installed (for example, Gmail).
  • Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can use the audit and investigation page instead. 
  • You can run a search in the investigation tool on all users, regardless of the Google edition they have.

Add investigation tool privileges for admins

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Account and then Admin roles.
  3. Point to a custom administrator role.

    Tip: If you need to create a new admin role, see Create a custom role.

  4. Click View privileges.
  5. Click Open privileges.
  6. In the Services section, click the Security Center privileges to expand them.
  7. (Optional) To give the admin complete access to the Audit and Investigation tool, check This user has full administrative rights for Audit & investigation. If not granting full access, continue to the next step.
  8. To give access only to the investigation tool:
    1. Click to expand the This user has full administrative rights for Security Center privilege.
    2. Click to expand Audit & investigation.
    3. Check the individual boxes for Audit & investigation privileges. 
      Select the top level box to add privileges for all data types or expand the privilege to select specific types of data (for example, Gmail, Drive, Device, and User):
      • View—Run queries and see the results that are returned from the query in the investigation tool. The results could contain sensitive content, such as the subject of an email or title of a document. For example, this privilege allows admins to view headers for Gmail messages.
      • Manage—Update content. For example, change the access control list (ACL) of a document or delete an email.
      • View sensitive content—View complete messages and attachments, including those that violate DLP rules (if the View sensitive content setting is ON) or are reported as inappropriate. This privilege can help admins understand any risk that might be associated with the message. You can also investigate whether a DLP rule violation is a real incident or a false positive.
  9. Click Save.

For more information about admin privileges, see Admin privileges for the security center.

Related topic

View content that triggers DLP rules (beta)
