Google Vault: Beyond Setup

Vault is a powerful tool that allows users that have access to it the ability to search and view all Gmail messages, Google Group posts, most files in Google Drive and shared drives (excludes Jamboards and Sites as of now), conversations in Chat with history turned on, and all recordings in Meet.  

If you are looking to get information about what Vault does please refer to our past blog, Google Vault: What Does it Do? This blog is designed to go deeper into Vault configurations.

With great power comes great responsibility!

If your Google Workspace domain is set up like most domains we have audited in the past, there are any number of Super Admins with the power of Vault sitting at the tip of their fingers. Is it really necessary for a network administrator, a technician, a superintendent, or a technology coordinator to have access to this power? Do you trust any one of these Super Admins you may have on your Google Workspace domain not to abuse this power? At Amplified IT, we have heard stories from districts of this power being abused and serious consequences thereafter.

What can I do to tighten up access to Vault?  

The first thing you will want to do is to grant access to the Vault system using “access groups.” To do this you will need to turn OFF Vault at the root of your Organizational Structure.

*Turning the Vault service OFF doesn’t affect the retention policies set, it simply removes the users’ ability to access Vault from the waffle menu and directly navigating to it.

Then, create a Google Group and add only the users you want to have access to the Vault system and tighten the access settings of that group.

groupsettings graphic

Finally, turn ON the Google Vault service for this newly created group only. This will ensure only authorized users will be accessing the Vault system.

So far this is great, we tightened up access to the Vault system and gave access to only those that would need to use this service. Unfortunately, we still have an issue of accountability. Who knows if any one of the users you’ve assigned access to the Vault system will abuse this power. Recent changes to Google Workspace have removed Super Admins’ ability to access all of Vault’s privileges unless the Service is turned on for them specifically. They may be suspicious and want to know what other users are saying about them by searching their name? Maybe there is a boss that is using Vault to keep tabs on employees that she/he is targeting?

To help and prevent this abuse of power we can set up a Vault Access Workflow which involves multiple users each with different levels of access to Vault with an approval process. First and foremost, meet with your team and decide on a workflow that works in your institution. Then get it written down as a procedure or a policy to follow going forward. This is an important part of the process and shouldn’t be overlooked.

How to set up a Vault Access Workflow

Typically, there are three main types of personas when dealing with Vault access:

  • Requesters – These are principals, assistant principals, HR managers, SRO, or other administrators looking for information. Reasons could be for legal requests, freedom of information requests, internal investigations, or for data compliance investigations.

  • Vault Admin – This is the person that would execute the investigations and export data to be shared with the requester.

  • Vault Owner – This is the person that approves the investigations and can access audits of the vault searches and sets all the retention policies.

Giving the right access to the right persona with Admin roles

Requesters will need a way to request to a Vault owner what information he/she is looking for. This can be a Google Form, a support ticketing system, or any other means you see fit to work in your institution.

Vault Admins will need access to Manage Matters, Manage Holds, Manage Searches and Manage Exports. When you have multiple campuses, you can have multiple Vault Admins and restrict access to information from Vault to an OU.

Vault-OU-Access-graphic

Vault owners will need access to Manage Retention Policies, Manage Audits and View All Matters. This doesn’t give Vault owners the power to get information from Vault like Vault admins can (unless they are Super Admins), but Vault owners can grab audit reports of the Vault admins to be sure they are not abusing their power.

*In some cases, if your institution employs a Privacy Officer or the HR department wants the burden of Vault, then more access can be given to a Vault owner.

*Keep in mind that Super Admins have access to all privileges, so assigning a SA as a Vault owner will not remove the ability to Manage Matters, Holds, Searches and Exports.

A Vault Access Workflow example

Requesters make their request to Vault Owners >

Vault Owners approve or deny the request, when approved >

Vault Admins process the request in Vault >

Vault Owner verifies the information is what the requester needed >

Vault Admins pull exports the information >

Vault Admins share the information with the Requester

Next Steps:

  • Consider demoting most of your Super Admin accounts, remove access to all of Vault and don’t use remaining Super Admin accounts as your daily drivers.

  • A Digital Data Retention Policy should be established by school boards/administrations and then IT admins should align Vault retention policies, account life cycles and any 3rd party backup solutions you may have to the retention period laid out in the policy. Be sure to have that data expunged as per your institution’s Digital Data Retention Policy’s retention period.

If you would like help making sure your domain settings are set up to EDU best practices, connect with us to request an audit overview call with your states regional account manager and we will go over the full details with you.

  • Fred Aldrich
    Google for Education Technical Consultant

  • About the Author:

    Before coming onboard with Amplified IT, Fred worked in one of the largest districts in the smallest state, Rhode Island. He worked there for 17 years with combined time in the classroom and in the technology department. His mastery in the Google Admin Console earned him the reputation of being the Google Guru in his district. At Amplified IT he puts that knowledge to the test as he supports school districts across North America.