Articles in this section

See more

Google Vault: How to allow an subset of users (OU) to access the google vault of a different subset of users (OU)

Steve
  • Updated
Follow

This article serves as a step-by-step walkthrough of allowing a specific group of users to access the Google Vault of another subset of users. Due to the nature of the article, some steps have to be left intentionally vague in order to allow flexibility. All the examples below are based on the following OU structure displayed below.

  • Acme Corp
    • Employees
      • Administration
      • Facilities
    • Terminated Users
      • Administration
      • Facilities

It's assumed all terminated Administration employees are moved to "Terminated Users \ Administration" and so on for the other respective groups. It's also assumed Google Vault has already 

The goal of this guide is to allow only the Administration OU to view the emails of terminated users in the only the Terminated Users \ Administration OU.

 

  1. Login to https://admin.google.com as a Super Administrator and navigate to "Account" > "Admin roles."

  2. To the right of the "Roles" header, click "Create new role."

  3. Name the role something to the effect of "Administration Vault Access" (to match the example in this article) and enter a description that makes sense to you then click "Continue."

  4. Under the header of "Admin console privileges," drill down to "Services" > "Google Vault" and place checks next to the following entries and then click "Continue."
    1. Services > Google Vault > Manage Matters
    2. Services > Google Vault > Manage Holds
    3. Services > Google Vault > Manage Searches
    4. Services > Google Vault > Manage Exports

  5. The following page should look like the included image. If the selections do not match, correct them by clicking the back button. Otherwise, click "Create Role."

    mceclip0.png

  6. Assign a user(s) to the group by clicking "Assign users," searching for the email of the user, clicking the user in the dropdown, and clicking "Assign Role." 
    Note: Multiple users can be added by continuing to search for additional email addresses before clicking "Assign role."

  7. By default, the newly added users will have access to the entire organization. We correct this by clicking the pencil icon on each user's entry and selecting the "Terminated Users \ Administration" OU.

That's all there is to it!

Related articles

Comments

0 comments

Please sign in to leave a comment.