📖 3 mins read

Overview

This feature is ideal where Admins want to delegate the audit function to local managers or regional security personnel.

GAT+ allows anyone to audit any range of users based on the model of Google Groups, Google Classrooms, and Org Units.

It does not require passing on Google Admin authority. Selected auditors can be an individual user, group, or Org Unit. This allows you to have multiple auditors for a specified scope.

This process is documented in this Youtube video.

To Enable Audit Delegation, follow the instructions below.

Open GAT+ on the side menu enter the section called Delegated Auditors.

Click on  +  ‘Add new auditor’ 

GAT+: Create Delegated Auditors 1

For the below example 

  • Product (GAT+ or Shield)
  • Auditor – a user, group or OU
  • Audit scope  – Audit Users/Groups or Org.Units

GAT+: Create Delegated Auditors 2

  • Audit areas – choose which areas to be enabled or disabled for the selected auditor.

GAT+: Create Delegated Auditors 3

Note: Once the Delegated auditor is created, they can only access the scope given, and reports they generate will be based on the scope too.

Select the Valid to time expiration period for the Auditor.

Click on the Active and Save button.

GAT+: Create Delegated Auditors 4

Admin can verify the scope the auditor has by logging into GAT+ as the auditor, the admin will see exactly what an auditor will see.

GAT+: Create Delegated Auditors 5

You can read more about Google Workspace Audit delegation here. 

When the Auditor accesses the tool, they will have access only to the enabled areas.

In the Auditing Areas, they can utilize all of the features of GAT Unlock of course with Security Officer approval.

  • They can modify and remove permissions download or view file content.
  • They can download emails, view emails, and remove emails from users’ Gmail accounts.
  • They can set up email delegation to give one user direct delegation into another user’s Gmail account.

The Configuration tab – Security officer will be available only if the user is enabled as a Security Officer.

There might be some limitations in the audit sections in some areas.

For example in the Email section, the Delegated auditor has access to Email, Email Content Search, User statistics, External From/To, and Sender/Receiver tab. 

GAT+: Create Delegated Auditors 6

The Drive audit will display all Drive files from the scope of users.

Overall table will be available only if the auditor has a scope of all users in the domain  (domain-wide scope)

GAT+: Create Delegated Auditors 7

All the functionalities such as requesting access to the file and removing permissions are available for the Auditors.

GAT+: Create Delegated Auditors 8

 

Giving Delegated Auditors more Privileges and Control

When a Google Workspace Super Admin creates a Delegated Auditor role so a non-admin can access the GAT+ functionality certain features will not be visible for the auditor. The ability for a delegated auditor to import changes is one example of features that are unavailable unless strictly specified by a Super Admin. 

Importing changes ability can be given to a Delegated Auditor within these sections of GAT+: 

  • User Audit
  • Group Audit
  • Classroom Audit
  • Classroom Student Audit
  • ChromeOS Devices

Note: Pre-conditions for Auditor, the Delegated auditor should have access to the root Org Unit / and to Sub-Org Units for their scope. If they don’t have access to every single user, then this will not work. 

A Super Admin has to navigate to Delegated Auditor section under the Configuration area in GAT+. Find the delegate auditor policy and click on the “Lock” icon. 

GAT+: Create Delegated Auditors 9

 

After, click on all of the areas they can use the Import functionality. 

GAT+: Create Delegated Auditors 10

After the auditor will have these additional privileges. 

GAT+: Create Delegated Auditors 11

 

 

Outcome

The Delegated Auditor sees an additional import icon in the areas described. 

GAT+: Create Delegated Auditors 12

 

 

 

Video: How to create delegated auditors in your Google Workspace domain

GAT+: Create Delegated Auditors 13

For any questions feel free to contact us at support@gatlabs.com

Thanks for sharing and spreading the word!