Control who can sign in to Vault

As a Google Vault administrator, you can control who in your organization sees the Vault service in their account. Just turn Vault on or off for those people in your Google Admin console. For example, you should turn Vault on for accounts who have privileges to perform Vault functions. But you might want to turn the service off for everyone else.

Before changing this setting...
  • Turning Vault on or off has no effect on which accounts can be archived by Vault. All user accounts with Vault licenses can be archived.
  • This setting has no effect on which accounts can change retention, search for data, or perform other Vault functions. Users must have appropriate Vault privileges to work with Vault.
  • If you choose ON for everyone, the Vault icon appears in everyone’s list of apps. Some users may be confused by the presence of an app that appears to be nonfunctional. If your domain has organizational units, we recommend you restrict access to users with Vault privileges.
How to change who can sign in to Vault

Before you begin: To turn the service on or off for a set of users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Appsand thenG Suiteand thenGoogle Vault.
  3. At the top right of the gray box, click Edit Service Compose.

  4. To apply settings to all organizations, click On for everyone or Off for everyone, and then click Save

  5. To apply settings to individual organizational units, do the following: 

    • At the left, select the organizational unit that contains the users whose settings you want to change.
    • To change the setting, select On or Off.
    • To keep the setting the same, even if the parent setting changes, click Override.
    • If the organization's status is already Overridden, choose an option:
      Inherit—Reverts to the same setting as its parent.
      Save—Saves your new setting (even if the parent setting changes).

    Learn more about the organizational structure.

Changes typically take effect in minutes, but can take up to 24 hours. For details, see Admin console settings don't update.  

If you manage a large number of users or sync your LDAP directory

You can use access groups to turn on a service for specific users within an organizational unit. You turn off the service for the organization, and then add the users to an access group that has the service turned on. This lets you give users access to services without making changes to your organizational structure. Learn about access groups.
Prevent super administrators from signing in to Vault

Super administrators automatically have full access to all G Suite services, including Vault. To prevent super administrators from signing in to Vault:

  • If your domain uses organizational units, ensure your domain’s Vault access is set to ON for some organizations, then move the super administrator accounts to an organizational unit that does not have permission to sign in to Vault.
  • Ensure super administrator accounts have no Vault privileges.

Super admins cannot change the organizational unit for their own account, so this effort requires the cooperation of at least two super administrators. Super administrators retain the ability to add access to Vault to their own organizational unit; however, this action would be reflected in your Vault audit.

Was this helpful?
How can we improve it?