Understand and grant Vault privileges

You can allow users in your domain to perform all functions within Vault, or you can limit them to a subset of functions, such as managing matters or creating retention policies.

You should first consult with your organization's legal experts or business personnel to determine which users require which Vault privileges. Once these decisions have been made, your Google Workspace administrator grants privileges in the Admin console.

While some privileges apply to an entire domain, others can be restricted to one or more organizational units (OUs). 

Understand Vault privileges

Vault privilege What the privilege allows the user to do Can be restricted to OUs
Manage Matters
  • Create matters and share those matters with other users.
  • Close, reopen, and modify matters.
  • Delete and restore matters.


A user must have at least one additional privilege to work with matters. Learn more

When this privilege is restricted to an OU, only the ability to share a matter with people outside the OU is restricted. 

Manage Holds
  • View the list of user accounts on hold.
  • Create holds.
  • Remove holds.


When this privilege is restricted to an OU, only the ability to create and remove holds is restricted. People outside the OU can see holds on users in the OU. 

Manage Searches
  • Perform searches and counts on data.
  • View the contents of messages and files that are returned with search queries.
  • Create or delete saved search queries.
Manage Exports
  • View and download exports.
  • Delete all exports.


If you want to create exports, you must have this privilege and the Manage Searches privilege.

Google Workspace super administrators don't have access to all exports. They can only work with exports they've created and those from matters that have been shared with them.

Manage Audits
  • View audit logs for matters that were created by or shared with the user.
  • View all hold reports.
  • View holds in matters that the user has access to.
Red X
Manage Retention Policies
  • Create and view retention rules for the domain.
  • Update retention rules for the domain.
  • Delete retention rules for the domain.
Red X
View Retention Policies
  • View all retention rules for the domain.
Red X
View All Matters
  • View all matters in the domain.
Red X

Privileges required to work with a matter

Before a Vault user can work with a matter, make sure:

  1. The matter was created by the user, the matter was created by someone else and shared with the user, or the user has the View All Matters privilege.
  2. The user has least one of these privileges:
    • Manage Holds
    • Manage Searches
    • Manage Exports 
    • Manage Audits
    Without at least one additional privilege, the user can see the name of the matter but can't open it. Ask your Google Workspace administrator to assign the required privileges.

Grant privileges in the Google Admin console

To grant privileges to a user, your Google Workspace administrator must first create a role that includes one or more of the 8 Vault privileges. Then the administrator must assign the role to the appropriate user in your domain.

Create a role that includes Vault privileges:
  1. Sign in to your Admin console. 
  2. Click Admin Roles.
  3. Click Create a new role.
  4. In the dialog box that appears, provide a name and description for the role. For example, the name could be the privilege that the user will have.
  5. Click Create.
  6. In the Privileges tab, scroll down to the Google Vault section.
  7. Click the arrow to the left of Google Vault.
  8. Select the privileges that the role will include.
  9. Click Save changes.
Assign the role to a user:
  1. From the Admin console dashboard, click Users.
  2. Click the name of the user you want to assign the role to.
  3. Click Show more at the bottom of the page.
  4. Click Admin roles and privileges.
  5. Click Manage roles.
  6. Select the checkbox next to the role you want to assign.
  7. If the role is limited to Manage Exports, Manage Searches, Manage Holds, and/or Manage Matters, you can restrict the role to specific organizational units:
    1. Under the role name, click For all organizations.
    2. Click the arrow to the left of the primary organization name.
    3. Deselect the primary organization.
    4. Select the OUs you want the role to apply to.

    Note that if you want to set OU-specific permissions in addition to general permissions, you need to create two roles, one for OU-based privileges and another for everything else. For example, if you want a user to have the "Manage Audits" privilege over the entire domain, and the "Manage Searches" privilege over only one OU, you need to create one role per privilege and assign both roles to your user.

  8. Click Update roles.

Additional notes

  • Users should have the newly assigned role within a few minutes. However, in some cases, assigning the role can take up to 24 hours.
  • You can grant privileges to multiple users at once. See Grant administrator privileges for more information.
  • Users do not need Vault licenses to have Vault privileges. Users need licenses only if their data are subject to retention policies, holds, searches, or other Vault functionalities.
Was this helpful?
How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center