Understand and grant Vault privileges
As a Vault administrator, you can allow users in your domain to perform all functions within Vault, or you can limit them to a subset of functions, such as managing matters or creating retention policies.
You should first consult with your organization's legal experts or business personnel to determine which users require which Vault privileges. Once these decisions have been made, your G Suite administrator grants privileges in the Admin console.
Understand the 8 Vault privileges
|Vault privilege||What the privilege allows the user to do|
When you share a matter with a Vault user, ask your G Suite administrator to assign that user at least one additional privilege related to what you want them to do or view in the matter: Manage Holds, Manage Searches, Manage Exports, or Manage Audits.
Without an additional privilege, the Vault user can see the name of the shared matter under Matters > Shared with me, but they won't be able to access it.
Depending on the scope of Vault privileges assigned to you, you may be limited to sharing matters only with members of specific organizational units and their sub-units.
Note: Depending on the scope of Vault privileges assigned to you, you may be limited to creating and managing holds only for members of specific organizational units and their sub-units.
If you want to create exports, you must have this privilege and the Manage Searches privilege.
|Manage Retention Policies||
|View Retention Policies||
|View All Matters||
What having access to a matter means
"Access" means that a user can click the matter to open it. Giving access to a matter is a two-step process:
- The matter must be created by the user. Or the matter must be created by someone else and shared with the user.
- The user must have a least one of these Vault privileges: Manage Holds, Manage Searches, Manage Exports, or Manage Audits. The privilege that the user has determines what they do or view in the matter.
Grant privileges in the Google Admin console
To grant privileges to a user, your G Suite administrator must first create a role that includes one or more of the 8 Vault privileges. Then the administrator must assign the role to the appropriate user in your domain.Create a role that includes Vault privileges:
- Sign in to your Admin console.
- Click Admin Roles.
- Click Create a new role.
- In the dialog box that appears, provide a name and description for the role. For example, the name could be the privilege that the user will have.
- Click Create.
- In the Privileges tab, scroll down to the Google Vault section.
- Click the arrow to the left of Google Vault.
- Select the privileges that the role will include.
- Click Save changes.
- From the Admin console dashboard, click Users.
- Click the name of the user you want to assign the role to.
- Click Show more at the bottom of the page.
- Click Admin roles and privileges.
- Click Manage roles.
- Select the checkbox next to the role you want to assign.
- If the role is limited to Manage Exports, Manage Searches, and/or Manage Matters, you can restrict the role to specific organizational units (OUs):
- Under the role name, click For all organizations.
- Click the arrow to the left of the primary organization name.
- Deselect the primary organization.
- Select the OUs you want the role to apply to.
Note that if you want to set OU-specific permissions in addition to general permissions, you need to create two roles, one for OU-based privileges and another for everything else. For example, if you want a user to have the "Manage Audits" privilege over the entire domain, and the "Manage Searches" privilege over only one OU, you need to create one role per privilege and assign both roles to your user.
- Click Update roles.
- Users should have the newly assigned role within a few minutes. However, in some cases, assigning the role can take up to 24 hours.
- You can grant privileges to multiple users at once. See Grant administrator privileges for more information.
- Users do not need Vault licenses to have Vault privileges. Users need licenses only if their data are subject to retention policies, holds, searches, or other Vault functionalities.