Control who can sign in to Vault

As a Google Vault administrator, you can control who in your organization sees the Vault service in their account. Just turn Vault on or off for those people in your Google Admin console. For example, you should turn Vault on for accounts that have privileges to perform Vault functions. But you might want to turn the service off for everyone else.

Before changing this setting...
  • Turning Vault on or off has no effect on which accounts can be archived by Vault. All user accounts with Vault licenses can be archived.
  • This setting has no effect on which accounts can change retention, search for data, or perform other Vault functions. Users must have appropriate Vault privileges to work with Vault.
  • If you choose ON for everyone, the Vault icon appears in everyone’s list of apps. Some users may be confused by the presence of an app that appears to be nonfunctional. If your domain has organizational units, we recommend you restrict access to users with Vault privileges.
How to change who can sign in to Vault

Before you begin: To turn the service on or off for certain users, put their accounts in an organizational unit (to control access by department) or in an access group (to control access for users across or within departments).

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps, and then G Suite, and then Google Vault.
  3. At the top right of the gray box, click Edit Service.

  4. To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

  5. To turn on or off a service only for users in an organizational unit:

    1. At the left, select the organizational unit.
    2. Select On or Off.
    3. To keep the service turned on or off even when the service is turned on or off for the parent organizational unit, click Override.
    4. If the organization's status is already Overridden, choose an option:
      • Inherit—Reverts to the same setting as its parent.
      • Save—Saves your new setting (even if the parent setting changes).

    Learn more about organizational structure.

  6. To turn on a service for a set of users across or within organizational units, select an access group. For details, go to turn on a service for a group.
Changes typically take effect in minutes, but can take up to 24 hours. For details, see Admin console settings don't update.  
Prevent super administrators from signing in to Vault

Super administrators automatically have full access to all G Suite services, including Vault. To prevent super administrators from signing in to Vault:

  • If your domain uses organizational units, ensure your domain’s Vault access is set to ON for some organizations, then move the super administrator accounts to an organizational unit that does not have permission to sign in to Vault.
  • Ensure super administrator accounts have no Vault privileges.

Super admins cannot change the organizational unit for their own account, so this effort requires the cooperation of at least two super administrators. Super administrators retain the ability to add access to Vault to their own organizational unit; however, this action would be reflected in your Vault audit.
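
The following added example (not part of the original help page, and not Google code) shows how an exported user list could be checked against the rules above: it resolves each organizational unit's effective Vault setting through inheritance and overrides, then reports super administrators who can still reach Vault. The data is constructed, the field names are hypothetical, and it assumes that an access group with Vault on grants the service regardless of the organizational unit setting.

```python
# Constructed sample data. Field names are hypothetical, not an Admin SDK schema.
# OU path -> explicit Vault setting; OUs not listed inherit from their parent.
OU_SETTINGS = {"/": False, "/Legal": True, "/Legal/Contractors": False}
# Access groups that have Vault turned on (step 6 of the procedure).
VAULT_ON_GROUPS = {"vault-reviewers@example.com"}
USERS = [
    {"email": "alice@example.com", "org_unit": "/Legal/eDiscovery",
     "super_admin": False, "groups": [], "vault_privileges": True},
    {"email": "root1@example.com", "org_unit": "/Admins",
     "super_admin": True, "groups": [], "vault_privileges": False},
    {"email": "root2@example.com", "org_unit": "/Legal",
     "super_admin": True, "groups": [], "vault_privileges": False},
    {"email": "root3@example.com", "org_unit": "/Admins",
     "super_admin": True, "groups": ["vault-reviewers@example.com"],
     "vault_privileges": True},
]


def effective_ou_setting(org_unit, settings):
    """Return the Vault on/off state from the nearest OU with an explicit setting."""
    path = org_unit.rstrip("/") or "/"
    while path not in settings:
        if path == "/":
            raise ValueError("no Vault setting recorded for the root OU")
        path = path.rsplit("/", 1)[0] or "/"
    return settings[path]


def audit_super_admins(users, settings, on_groups):
    """List super admins who can still reach Vault, with the reason for each."""
    findings = {}
    for user in users:
        if not user["super_admin"]:
            continue
        reasons = []
        if effective_ou_setting(user["org_unit"], settings):
            reasons.append("Vault is on for the organizational unit")
        if on_groups.intersection(user["groups"]):
            reasons.append("member of an access group with Vault on")
        if user["vault_privileges"]:
            reasons.append("holds Vault privileges")
        if reasons:
            findings[user["email"]] = reasons
    return findings


if __name__ == "__main__":
    for email, reasons in audit_super_admins(USERS, OU_SETTINGS, VAULT_ON_GROUPS).items():
        print(f"{email}: {'; '.join(reasons)}")
```

An empty result means every super administrator account sits in an organizational unit with Vault off, belongs to no Vault-enabled access group, and holds no Vault privileges.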
