Control who can sign in to Vault
As a Google Vault administrator, you can control who in your organization sees the Vault service in their account. Just turn Vault on or off for those people in your Google Admin console. For example, you should turn Vault on for accounts who have privileges to perform Vault functions. But you might want to turn the service off for everyone else.Before changing this setting...
- Turning Vault on or off has no effect on which accounts can be archived by Vault. All user accounts with Vault licenses can be archived.
- This setting has no effect on which accounts can change retention, search for data, or perform other Vault functions. Users must have appropriate Vault privileges to work with Vault.
- If you choose ON for everyone, the Vault icon appears in everyone’s list of apps. Some users may be confused by the presence of an app that appears to be nonfunctional. If your domain has organizational units, we recommend you restrict access to users with Vault privileges.
Before you begin: To turn the service on or off for select groups of users, put their accounts in an organizational unit.
- From the Admin console Home page, go to AppsG SuiteGoogle Vault.
At the top right of the gray box, click Edit Service .
At the left, the top-level organization and any organizational units appear.
To apply settings to all organizations, click On for everyone or Off for everyone, and then click Save.
To apply settings to individual organizational units, do the following:
- At the left, select the organizational unit that contains the users whose settings you want to change.
- Select On or Off to change the setting.
- Click Override to keep the setting the same, even if the parent setting changes.
- If the organization's status is already Overridden, choose an option:
Inherit—Reverts to the same setting as its parent.
Save—Saves your new setting (even if the parent setting changes).
Learn more about the organizational structure.
Super administrators automatically have full access to all G Suite services, including Vault. To prevent super administrators from signing in to Vault:
- If your domain uses organizational units, ensure your domain’s Vault access is set to ON for some organizations, then move the super administrator accounts to an organizational unit that does not have permission to sign in to Vault.
- Ensure super administrator accounts have no Vault privileges.
Super admins cannot change the organizational unit for their own account, so this effort requires the cooperation of at least two super administrators. Super administrators retain the ability to add access to Vault to their own organizational unit; however, this action would be reflected in your Vault audit.