You can allow users in your domain to perform all functions within Vault, or you can limit them to a subset of functions, such as managing matters or creating retention policies.
You should first consult with your organization's legal experts or business personnel to determine which users require which Vault privileges. Once these decisions have been made, your Google Workspace administrator grants privileges in the Admin console.
While some privileges apply to an entire domain, others can be restricted to one or more organizational units (OUs).
Understand Vault privileges
|Vault privilege||What the privilege allows the user to do||Can be restricted to OUs|
A user must have at least one additional privilege to work with matters. Learn more.
When this privilege is restricted to an OU, only the ability to share a matter with people outside the OU is restricted.
When this privilege is restricted to an OU, only the ability to create and remove holds is restricted. People outside the OU can see holds on users in the OU.
If you want to create exports, you must have this privilege and the Manage Searches privilege.
Google Workspace super administrators don't have access to all exports. They can only work with exports they've created and those from matters that have been shared with them.
|Manage Retention Policies||
|View Retention Policies||
|View All Matters||
Before a Vault user can work with a matter, make sure:
- The matter was created by the user, the matter was created by someone else and shared with the user, or the user has the View All Matters privilege.
- The user has least one of these privileges:
- Manage Holds
- Manage Searches
- Manage Exports
- Manage Audits
Grant privileges in the Google Admin console
To grant privileges to a user, your Google Workspace administrator must first create a role that includes one or more of the 8 Vault privileges. Then the administrator must assign the role to the appropriate user in your domain.Create a role that includes Vault privileges:
- Sign in to your Admin console.
- Click Admin Roles.
- Click Create a new role.
- In the dialog box that appears, provide a name and description for the role. For example, the name could be the privilege that the user will have.
- Click Create.
- In the Privileges tab, scroll down to the Google Vault section.
- Click the arrow to the left of Google Vault.
- Select the privileges that the role will include.
- Click Save changes.
- From the Admin console dashboard, click Users.
- Click the name of the user you want to assign the role to.
- Click Show more at the bottom of the page.
- Click Admin roles and privileges.
- Click Manage roles.
- Select the checkbox next to the role you want to assign.
- If the role is limited to Manage Exports, Manage Searches, Manage Holds, and/or Manage Matters, you can restrict the role to specific organizational units:
- Under the role name, click For all organizations.
- Click the arrow to the left of the primary organization name.
- Deselect the primary organization.
- Select the OUs you want the role to apply to.
Note that if you want to set OU-specific permissions in addition to general permissions, you need to create two roles, one for OU-based privileges and another for everything else. For example, if you want a user to have the "Manage Audits" privilege over the entire domain, and the "Manage Searches" privilege over only one OU, you need to create one role per privilege and assign both roles to your user.
- Click Update roles.
- Users should have the newly assigned role within a few minutes. However, in some cases, assigning the role can take up to 24 hours.
- You can grant privileges to multiple users at once. See Grant administrator privileges for more information.
- Users do not need Vault licenses to have Vault privileges. Users need licenses only if their data are subject to retention policies, holds, searches, or other Vault functionalities.