Control who can sign in to Vault

As a Google Vault administrator, you can control who in your organization sees the Vault service in their account. Just turn Vault on or off for those people in your Google Admin console. For example, you should turn Vault on for accounts who have privileges to perform Vault functions. But you might want to turn the service off for everyone else.

Before changing this setting...
  • Turning Vault on or off has no effect on which accounts can be archived by Vault. All user accounts with Vault licenses can be archived.
  • This setting has no effect on which accounts can change retention, search for data, or perform other Vault functions. Users must have appropriate Vault privileges to work with Vault.
  • If you choose ON for everyone, the Vault icon appears in everyone’s list of apps. Some users may be confused by the presence of an app that appears to be nonfunctional. If your domain has organizational units, we recommend you restrict access to users with Vault privileges.
How to change who can sign in to Vault

Before you begin: To turn the service on or off for select groups of users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenG Suiteand thenGoogle Vault.
  3. At the top of the gray box, click More Settingsand choose:
    • On for everyone to turn on the service for all users (click again to confirm).
    • Off for everyone to turn off the service for all users (click again to confirm).
    • On for some organizations to change the setting only for some users.
  4. If you chose On for some organizations:
    1. In the left panel, select Settings for specific organizational units.
    2. Select the organization that contains the users whose settings you want to change.
    3. Select On or Off  to change the setting.
    4. Click Override to keep the setting the same, even if the parent setting changes.
    5. If the organization's status is already Overridden, choose an option:
      • Inherit—Reverts to the same setting as its parent.
      • Save—Saves your new setting (even if the parent setting changes).

    Learn more about the organizational structure.

Changes typically take effect in minutes, but can take up to 24 hours. For details, see Admin console settings don't update.  
Prevent super administrators from signing in to Vault

Super administrators automatically have full access to all G Suite services, including Vault. To prevent super administrators from signing in to Vault:

  • If your domain uses organizational units, ensure your domain’s Vault access is set to ON for some organizations, then move the super administrator accounts to an organizational unit that does not have permission to sign in to Vault.
  • Ensure super administrator accounts have no Vault privileges.

Super admins cannot change the organizational unit for their own account, so this effort requires the cooperation of at least two super administrators. Super administrators retain the ability to add access to Vault to their own organizational unit; however, this action would be reflected in your Vault audit.

Was this article helpful?
How can we improve it?