Understand and grant Vault privileges

As a Vault administrator, you can allow users in your domain to perform all functions within Vault, or you can limit them to a subset of functions, such as managing matters or creating retention policies.

You should first consult with your organization's legal experts or business personnel to determine which users require which Vault privileges. Once these decisions have been made, your Google Apps administrator grants privileges in the Admin console.

Understand the 8 Vault privileges

Vault privilege What the privilege allows the user to do
Manage Matters
  • Create matters and share those matters with other users.
  • Close, reopen, and modify matters.
  • Delete and restore matters.


When you share a matter with a Vault user, ask your Google Apps administrator to assign that user at least one additional privilege related to what you want them to do or view in the matter: Manage Holds, Manage Searches, Manage Exports, or Manage Audits.

Without an additional privilege, the Vault user can see the name of the shared matter under Matters > Shared with me, but they won't be able to access it.

Depending on the scope of Vault privileges assigned to you, you may be limited to sharing matters only with members of specific organizational units and their sub-units.

Manage Holds
  • View the list of user accounts on hold.
  • Create holds.
  • Remove holds.

Note: Depending on the scope of Vault privileges assigned to you, you may be limited to creating and managing holds only for members of specific organizational units and their sub-units.

Manage Searches
  • Perform searches and counts on any content in the domain.
  • View the content of messages that are returned with search queries.
  • Create or delete saved search queries.
Manage Exports
  • View and download all exports in the domain.
  • Delete all exports in the domain.


If you want to create exports, you must have this privilege and the Manage Searches privilege.

Manage Audits
  • View audit logs.
Manage Retention Policies
  • Create and view retention rules for the domain.
  • Update retention rules for the domain.
  • Delete retention rules for the domain.
View Retention Policies
  • View all retention rules for the domain.
View All Matters
  • View all matters in the domain.

What having access to a matter means

"Access" means that a user can click the matter to open it. Giving access to a matter is a two-step process:

  1. The matter must be created by the user. Or the matter must be created by someone else and shared with the user.
  2. The user must have a least one of these Vault privileges: Manage Holds, Manage Searches, Manage Exports, or Manage Audits. The privilege that the user has determines what they do or view in the matter.

Grant privileges in the Google Apps Admin console

To grant privileges to a user, your Google Apps administrator must first create a role that includes one or more of the 8 Vault privileges. Then the administrator must assign the role to the appropriate user in your domain.

Create a role that includes Vault privileges:
  1. Sign in to your Admin console. 
  2. Click Admin Roles.
  3. Click Create a new role.
  4. In the dialog box that appears, provide a name and description for the role. For example, the name could be the privilege that the user will have.
  5. Click Create.
  6. In the Privileges tab, scroll down to the Google Apps Vault section.
  7. Click the arrow to the left of Google Apps Vault.
  8. Select the privileges that the role will include.
  9. Click Save changes.
Assign the role to a user:
  1. From the Admin console dashboard, click Users.
  2. Click the name of the user you want to assign the role to.
  3. Click Show more at the bottom of the page.
  4. Click Admin roles and privileges.
  5. Click Manage roles.
  6. Select the checkbox next to the role you want to assign.
  7. If the role is limited to Manage Exports, Manage Searches, and/or Manage Matters, you can restrict the role to specific organizational units (OUs):
    1. Under the role name, click For all organizations.
    2. Click the arrow to the left of the primary organization name.
    3. Deselect the primary organization.
    4. Select the OUs you want the role to apply to.

    Note that if you want to set OU-specific permissions in addition to general permissions, you need to create two roles, one for OU-based privileges and another for everything else. For example, if you want a user to have the "Manage Audits" privilege over the entire domain, and the "Manage Searches" privilege over only one OU, you need to create one role per privilege and assign both roles to your user.

  8. Click Update roles.

Additional notes

  • Users should have the newly assigned role within a few minutes. However, in some cases, assigning the role can take up to 24 hours.
  • You can grant privileges to multiple users at once. See Grant administrator privileges for more information.
  • Users do not need Vault licenses to have Vault privileges. Users need licenses only if their data are subject to retention policies, holds, searches, or other Vault functionalities.
Was this article helpful?