Control who can sign in to Vault
As a Google Vault administrator, you can control who in your organization sees the Vault service in their account. Just turn Vault on or off for those people in your Google Admin console. For example, you should turn Vault on for accounts who have privileges to perform Vault functions. But you might want to turn the service off for everyone else.Before changing this setting...
- Turning Vault on or off has no effect on which accounts can be archived by Vault. All user accounts with Vault licenses can be archived.
- This setting has no effect on which accounts can change retention, search for data, or perform other Vault functions. Users must have appropriate Vault privileges to work with Vault.
- If you choose ON for everyone, the Vault icon appears in everyone’s list of apps. Some users may be confused by the presence of an app that appears to be nonfunctional. If your domain has organizational units, we recommend you restrict access to users with Vault privileges.
Before you begin: To turn the service on or off for select groups of users, put their accounts in an organizational unit.
- From the Admin console dashboard, go to AppsG SuiteGoogle Vault.
- At the top of the gray box, click More and choose:
- On for everyone to turn on the service for all users (click again to confirm).
- Off to turn off the service for all users (click again to confirm).
- On for some organizations to change the setting only for some users.
- If you chose On for some organizations:
- In the left panel, select Settings for specific org units.
- Select the organization that contains the users whose settings you want to change.
- Click Override or Inherit, whichever appears.
Override makes the setting stay the same, even if the parent setting changes.
Inherit reverts to the same setting as its parent.
- If you clicked Override, select On or Off to change the setting.
- Click Save.
Learn more about the organizational structure.
- Click Apply.
Super administrators automatically have full access to all G Suite services, including Vault. To prevent super administrators from signing in to Vault:
- If your domain uses organizational units, ensure your domain’s Vault access is set to ON for some organizations, then move the super administrator accounts to an organizational unit that does not have permission to sign in to Vault.
- Ensure super administrator accounts have no Vault privileges.
Super admins cannot change the organizational unit for their own account, so this effort requires the cooperation of at least two super administrators. Super administrators retain the ability to add access to Vault to their own organizational unit; however, this action would be reflected in your Vault audit.