This feature is ideal where Admins want to delegate the audit function to local managers or regional security personnel.
GAT+ allows anyone to audit any range of users based on the model of Google Groups, Google Classrooms, and Org Units.
It does not require passing on Google Admin authority. Selected auditors can be an individual user, group, or Org Unit. This allows you to have multiple auditors for a specified scope.
This process is documented in this YouTube video.
To enable audit delegation, follow the instructions below.
Open GAT+ and, in the side menu, enter the section called Delegated Auditors.
Click on + ‘Add new auditor’
Fill in the following fields:
- Product (GAT+ or Shield)
- Auditor – a user, group or OU
- Audit scope – Audit Users/Groups or Org Units
- Audit areas – choose which areas to be enabled or disabled for the selected auditor.
Note: Once the Delegated auditor is created, they can only access the scope given, and reports they generate will be based on the scope too.
Select the "Valid to" expiration time for the auditor.
Click on the Active and Save buttons.
An Admin can verify the auditor's scope by logging into GAT+ as the auditor; the Admin will then see exactly what the auditor sees.
When the Auditor accesses the tool, they will have access only to the enabled areas.
In the audit areas, they can use all of the features of GAT Unlock, with Security Officer approval.
- They can modify and remove permissions, and download or view file content.
- They can download emails, view emails, and remove emails from users’ Gmail accounts.
- They can set up email delegation to give one user direct delegation into another user’s Gmail account.
The Configuration – Security officer tab will be available only if the user is enabled as a Security Officer.
Some audit sections may be limited for a Delegated Auditor.
For example, in the Email section, the Delegated Auditor has access to the Email, Email Content Search, User statistics, External From/To, and Sender/Receiver tabs.
The Drive audit will display all Drive files from the scope of users.
The Overall table will be available only if the auditor has a scope of all users in the domain (domain-wide scope).
All the functionalities such as requesting access to the file and removing permissions are available for the Auditors.
Giving Delegated Auditors more Privileges and Control
When a Google Workspace Super Admin creates a Delegated Auditor role so that a non-admin can access the GAT+ functionality, certain features will not be visible to the auditor. The ability for a Delegated Auditor to import changes is one example of a feature that is unavailable unless specifically enabled by a Super Admin.
The ability to import changes can be given to a Delegated Auditor within these sections of GAT+:
- User Audit
- Group Audit
- Classroom Audit
- Classroom Student Audit
- ChromeOS Devices
Note: As a precondition, the Delegated Auditor should have access to the root Org Unit (/) and to the Sub-Org Units for their scope. If they don’t have access to every single user, then this will not work.
A Super Admin has to navigate to the Delegated Auditor section under the Configuration area in GAT+, find the delegated auditor policy, and click on the “Lock” icon.
Then click on all of the areas in which they can use the Import functionality.
After that, the auditor will have these additional privileges.
The Delegated Auditor sees an additional import icon in the areas described.
Video: How to create delegated auditors in your Google Workspace domain