Google Vault Access Permission

Understanding Vault Access Privileges

So, who can access Google Vault?

Google Workspace is a complete messaging and collaboration platform that includes many applications (60+), and Vault is one of them.

Based on the security principle of “Least Privilege”, your administrators should have only the rights required to perform the specific administration tasks they are assigned.

Google provides some out-of-the-box delegated administrator roles (e.g. user admin, group admin, helpdesk admin), but nothing specific to Google Vault. That makes sense, because Vault includes all users’ data and its permissions should be assigned explicitly and carefully.

Before I talk about creating dedicated Vault admin roles, let’s understand the concept of an “Organization Unit” in Google Workspace.

You don’t treat all your users the same way. For example, you might want to give your marketing team access to YouTube, but not your finance team.

I know this might not be a perfect example, but you get the idea, right?

To create those different policies, Google lets you organize your Google Workspace users into “Organization Units” (such as sales, marketing, finance, or geography-based ones like Americas, Europe, Asia).

Once you have that OrgUnit structure in place, you can apply different levels of policy to these OUs.

This org unit structure is very helpful as it provides the flexibility of assigning administration permissions on a specific org unit.

For example, I can create an administration role for resetting users’ passwords and then assign it to a user, but only with the scope of the “Americas Org Unit”. This delegated administrator can now reset the password of any user inside the “Americas Org Unit”, but not of users in other org units.

To summarize, you can create a Google Vault delegated administration role and then assign that role to a user with the scope of either the whole Google Workspace tenant (which includes all users) or a specific Org Unit.

However, there are some roles which are only available for the tenant (global) and not for org units. I have created a table below which might help you understand this:

Google Vault Access Privileges Summary Table

You can find more information about the privileges in this Google support article.
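To review how Vault roles are scoped in a tenant, here is an added example (not from the original post) that lists every admin holding a Vault privilege and whether the assignment is tenant-wide or limited to an org unit. It assumes role and assignment records shaped like the Admin SDK Directory API `roles` and `roleAssignments` resources; all IDs, role names, privilege names and the Vault service ID are constructed placeholders.

```python
# Constructed sample data (placeholders, not values from a real tenant).
VAULT_SERVICE_ID = "VAULT_SERVICE_ID_PLACEHOLDER"

ROLES = [
    {"roleId": "101", "roleName": "Vault Investigator (example)",
     "rolePrivileges": [{"privilegeName": "EXAMPLE_VAULT_PRIVILEGE",
                         "serviceId": VAULT_SERVICE_ID}]},
    {"roleId": "102", "roleName": "Password Reset (example)",
     "rolePrivileges": [{"privilegeName": "EXAMPLE_USER_PRIVILEGE",
                         "serviceId": "OTHER_SERVICE_ID_PLACEHOLDER"}]},
]

ASSIGNMENTS = [
    {"roleId": "101", "assignedTo": "user-a", "scopeType": "CUSTOMER"},
    {"roleId": "101", "assignedTo": "user-b", "scopeType": "ORG_UNIT",
     "orgUnitId": "ou-americas"},
    {"roleId": "102", "assignedTo": "user-c", "scopeType": "ORG_UNIT",
     "orgUnitId": "ou-americas"},
    # Malformed record: org-unit scope without an org unit ID.
    {"roleId": "101", "assignedTo": "user-d", "scopeType": "ORG_UNIT"},
]


def vault_role_ids(roles, vault_service_id):
    """Return IDs of roles that carry at least one Vault privilege."""
    return {r["roleId"] for r in roles
            if any(p.get("serviceId") == vault_service_id
                   for p in r.get("rolePrivileges", []))}


def audit_vault_assignments(roles, assignments, vault_service_id):
    """Classify each Vault role assignment by the scope it was granted at."""
    vault_roles = vault_role_ids(roles, vault_service_id)
    names = {r["roleId"]: r["roleName"] for r in roles}
    findings = []
    for a in assignments:
        if a["roleId"] not in vault_roles:
            continue  # not a Vault role, out of scope for this review
        scope = a.get("scopeType")
        if scope == "ORG_UNIT" and a.get("orgUnitId"):
            verdict, target = "scoped", a["orgUnitId"]
        elif scope == "CUSTOMER":
            # Tenant-wide: covers all users, so it needs a justification
            # (some roles are only available at this scope).
            verdict, target = "tenant-wide", "all users"
        else:
            verdict, target = "invalid-scope", None
        findings.append({"assignedTo": a["assignedTo"], "verdict": verdict,
                         "role": names[a["roleId"]], "target": target})
    return findings
```
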

