📖 10 mins read

What is GAT Unlock?

GAT Unlock is the most sophisticated security management mechanism for Google Apps (G Suite) available today. It works on the principle that access to documents, or change of ownership of documents, without the owner’s knowledge or permission can only be accomplished with the active input of at least two people in the organization. One of these will be the requestor who must be an Administrator, the other a Security Officer (or Verification Officer), who must be identified and verified through a senior executive in the organization.

This is an extra service on top of all GAT versions and for non-education domains comes with a limited cost. All license types must apply for this service if they require it. It does not automatically install nor can it be self-configured.

Policy

Due to security reasons, we do not enable GAT Unlock during the trial version of the app.

From the introduction, the service will be visible to domains and each domain Admin can apply to have it enabled. To avail of this service please email unlock@generalaudittool.com with your request. The requesting email must contain the following 4 items.

  • The contact details of the Google Apps Administrator applying.  
  • The name of the Security Officer(s), her/his position(s), email and phone number.
  • The contact details (email and phone number) for the person from whom the GAT team must seek confirmation before enabling this feature (See list below for minimum level of organization officer we expect to have to request approval from. Please send us their full contact details also and inform them they may receive contact from us.) This is required to verify the separate identities of both the Administrators and Security Officers.
  • The PO details for the requested service, see the price list below. (Not required for education domains that have purchased GAT.)

There can be many Security Officers, and the service will be available to all Super Admins once enabled.

 

Number of users in the domain Verification Requirements or job position to approve the enablement of the product
1- 49 Owner, CEO, CFO
50 – 99 CEO, CFO, Head of HR, CIO
100 – 499 CEO, CFO, Head of HR, CIO
500 – 999 CFO, Head of HR, CIO
1,000 – 4,999 Head of HR, CIO, CSO
5,000 – 9,999 Head of HR, CIO, CSO
10,000+ Head of HR, CIO, CSO

 

Administrators and Security Officers should remember the verification process is there to protect you, your domain data and your user’s privacy and rights, while also enabling you to act in the organization’s best interests.

When the ‘GAT Unlock’ service is enabled Administrators can generate access or change requests, but only Security Officers can approve them. An individual can be a member of both lists but cannot approve their own requests. The Security Officer list for all domains is maintained by GeneralAuditTool.com staff. A Security Officer can not generate a change or view request and have it approved by another Security Officer.

Why all this effort? We really respect your data security. We respect your company’s right to be protected. This is the highest security model available within Google for the Work Environment.

How to Use GAT Unlock

File Management – Changing ownership or file access rights

GAT Unlock is tightly integrated with the powerful search and filter options available in GAT+. This means you only have to do things once.

In this example we are going to find all the spreadsheets owned by the group ‘sales’ that are shared externally, then we will remove the external sharing and change the ownership (on all the selected files at once).

TIP: Always narrow the file request with a search first – saves time and makes approval simpler.

Step 1: Click on the ‘Apply custom filter’ button in Drive Audit.

GAT Unlock - First Steps 1

Step 2: Select the following option:

  • For the filter Type select User/Group/OU search, we will enter the ‘Sales’ group in this field ‘Local User/Group’, make sure to enter the full email address.
  • Under the Ownership option select ‘Owned’, this will show all the files owned by the ‘Sales’ group. Otherwise, it would show all of the files associated with the ‘Sales’ group, were Sales shows up as Owner, Editor or Reader.
  • In the filter Definition area, select the parameter Type equal to Spreadsheets and to add another search parameter click on the ‘Add rule’ button and select ‘Sharing FlagcontainsShared Out’. Selecting shared out will only focus on files leaving your domain.  
GAT Unlock - First Steps 2

Step 3: Next select the Files you want to act upon, clicking beside ‘Title’ will select all files from the search, or you can select individual files, by clicking beside the files.

Note: You can not perform actions on a ‘Suspended’ account.

GAT Unlock - First Steps 3

Step 4: Click on the button File operation and then select the File Management option.

GAT Unlock - First Steps 4

Step 5: In this example, we are making the manager the new owner of all the files.

GAT Unlock - First Steps 5
 We can also remove external access to the spreadsheets and add or replace the sharing permissions.

GAT Unlock - First Steps 6

Then click on Send request. 

GAT Unlock - First Steps 7

 

An email is going to be sent to your security officer. Click here to see and approve the request.

GAT Unlock - First Steps 8

If the security officer approves your actions, they will be executed and you will be notified.

If permission is not granted by the security officer, you will also be notified and no actions will be taken.

Access Permissions Granted – How to Silently Copy or View Files

We are going to use a powerful search feature inside of the GAT+ Drive audit to identify the contents of documents we’re going to investigate. This feature is called the ‘File content text search’. It allows admins/delegated auditor to use a word or sentence to search through all of the files across the domain and to return documents which contain them.

Step 1: Click on the ‘Apply custom filter’ button.

GAT Unlock - First Steps 1

Step 2: Enter the word or sentence to return files that contain them. Select the user’s account you want to search through you can leave this field blank to search your entire domain’s Drive or enter a user, Google Group or Org Unit to search through them only.

GAT Unlock - First Steps 10

You can also use multiple rules in the Definition section of the (Query builder) Apply custom filter. I used the Updated search parameter. Once you click on the Apply button the search will begin.

It might take some time depending on how many files you have across your domain.

Step 3: Select the files you are interested in, remember that these files contain the sentence “private and confidential”.

GAT Unlock - First Steps 11

Step 4: Click on the ‘Files operation’ button and then select ‘Access permissions granted’.

GAT Unlock - First Steps 12

Step 5: Next we will select a date in the future, we will have access to these files until this date. You have an option to write to your security officer explaining why you need access to these files.

GAT Unlock - First Steps 13

Send the request to the Security Officer(s) for approval.

The following email will be sent to the Security Officer.

GAT Unlock - First Steps 14

The Security Officer can click on the link in the email and will be taken to the approval area(Grant) in GAT+.

GAT Unlock - First Steps 15

When the Security Officer grants access an email will be sent to the requesting Administrator/delegated auditor informing them. The Admin then opens the ‘Access permission granted‘ menu again and can see the full list of their Access requests along with the time left for each request to remain valid.

GAT Unlock - First Steps 16

Once the request is selected a new window will open with the results, on the right-hand side those files will have a new tab called ‘Actions‘ under that the requestor can Download documents or View the contents silently without the owners’ awareness.

GAT Unlock - First Steps 17

Pre-approved Access for Admins to All Files for a Range of Users

If your Super admins wish not to get Security Officer approval every time they want to make file permission changes or to view file contents, a security officer can give them pre-approval.

In the Security Officer section on the GAT+ sidebar menu, select ‘Preapproved Access’ and then click on the ‘+’ button to add a new Preapproved admin.

GAT Unlock - First Steps 18

Once clicked a new ‘pop-up’ screen will appear.

GAT Unlock - First Steps 19

Here the security officer can add the email address of the Super Admin, the OU over which they will have access, they can select a full OU tree and set approval access until a certain future date. In the above screenshot, I gave Alex (super admin) access to the Support OU

Multiple different grants can be given by the security officer, including several to the same Super Admin, each covering different scopes.

Changing Ownership of an Entire Folder Tree

Another feature of ‘Unlock’ is that it enables an often requested task of moving an entire folder tree, root folder and sub-folders, from one or many owners to a new owner.

GAT Unlock - First Steps 20

This task is completed with the File Management tab. Use the drop-down menu button next to the folder name to see the options. Click on Apply permission change to this folder (recursive). When the File Management option menu appears, enter the new owner’s email address. And make sure to remove the previous owner as editor.

Note: When changing ownership with GAT Unlock the previous owner is added automatically as an editor to the files he owned prior to your changes. You can select Deny access for old owner and they will be cut off access to their files.

GAT Unlock - First Steps 21

This is an ideal feature for consolidating a shared folder structure, or handling leaving staff or students.

Delegating Access to an email account

GAT+ allows Admins to delegate access for a User account to another User for a certain period of hours. This may be for business purposes but it also facilitates the fast search and viewing of all the account emails via another user’s browser.

BEFORE USING: Please ensure email delegation is allowed for users in your domain. Go to the G Suite Admin Console and under Apps > G Suite Apps > Settings for Gmail > User settings check if the email delegation box is allowed for your domain.

in the google admin section, go to "apps" then "g suite" then "settings for gmail" then check the box for locally applied mail delegation

Launch the GAT+ tool, enter the User Audit section and click on the Email Info Tab.

In the Email Info Tab, select any user and click on the Actions button to add an email delegate to their account.

You have the ability to remove existing mail delegation which is already in place as well (4 )

GAT Unlock - First Steps 22

Here the Admin can select the account they wish to gain access to, then select the account they want to give this access to and finally select the number of hours they would like delegated access to be granted for. Once the request is sent, the Security Officer will still have to approve before the delegation is created.

press the "send request" button

Once granted the delegated account appears in the accounts drop-down list when the profile picture is selected in Gmail.

sn image showing the now delegated email account being displayed

The delegation will automatically be revoked after the requested time period.

Note: If during the period of delegation, the account under audit, logs into their Google account and goes to their email settings, then under ‘Accounts’ the account owner will see that the Admin has granted delegated access to the account.

In addition, if the delegated user reads any unopened email in the audited account, this email will be marked as ‘read’.

 

Delete Spam, Inappropriate or Accidental Emails

GAT Unlock - First Steps 23

There are multiple reasons to have the ability to identify and remove emails that have been received by all or any of your domain users. Here are some unwanted scenarios:

  • An email is sent to the wrong user or group
  • An email contains inappropriate content
  • An email that contains sensitive information
  • An email that has gone pass spam filtering or is a phishing email.

GAT+ allows Admins to delete these emails from all accounts at once.

 

GAT Unlock - First Steps 24

 

We recommend using ‘Email Content Search’ for tracking down these emails. It is a ‘real-time’ search that is highly configurable (see ‘search tips’ link beside the search box). In the screenshot above we use the example search parameters

“SEO proposal” in:anywhere newer_than:90d

This tells GAT+ to search in all emails, for all users and look for emails that contain the words “SEO proposal” which are also newer than 90 days. When the results come back to select the emails you wish to view/download/delete then click the “Email operations” button and select “Access permissions granted”.

 

GAT Unlock - First Steps 25

When do search if the result cannot be displayed in a timely manner, the search goes into Background search.
You can access those searches by selecting ‘Previous searches‘.

All older or background searches will be displayed there.
Once completed, under the ‘Actions’ tab select the green checkmark to display the results.

 

GAT Unlock - First Steps 26

 

Once the emails are selected, click on the ‘Access permissions granted’ button and send a request to your SO (security officer). Your SO will have to approve your request. 

 

GAT Unlock - First Steps 27

Before sending the request if you intend to delete the emails rather than just view or download them then check the ‘Request permission to remove’ box.

 

GAT Unlock - First Steps 28

 

As an option, you can send a message to the Security officer giving a reason for the investigation.
After performing those steps please select and click ‘send request’ and wait for approval to be returned from the Security Officer. 
You can check all the requests to the SO in the “Security officer” section in GAT+.


Note: You can not self-approve the request, only the Security officer account can approve.

 

GAT Unlock - First Steps 29

 

Once your request has been approved, you will receive an email notification stating that.

 

GAT Unlock - First Steps 30

 


Remember to refresh the list within the ‘Access permissions granted’ and click on the ‘Activate grant’ to display just your selected emails. 

Note: While you wait for approval from the Security officer, you might use the tool for other searches.
When you come back to “Email Content Search” simply select “Previous searches” select your search and the “Email operations” button will be displayed again.

 

GAT Unlock - First Steps 31

 

You can then delete one or all of the emails using the drop-down option in the Emails Operation button. 

 

GAT Unlock - First Steps 32

 

By default, you can send the emails to the user’s Trash folder on their Gmail but if you wish to permanently delete these emails then select ‘Delete permanently’.

 

GAT Unlock - First Steps 33

 

Pre-approved Access for Super Admins to all Emails

To enable pre-approval for Super Admins navigate to the Configuration section of GAT+ and enter the security officer area.

GAT Unlock - First Steps 34

Once there click on the Preapproved Access Tab and click on the plus icon “Add new pre-approved access”.

GAT Unlock - First Steps 35

Your security officer will have to select you (super admin) to have pre-approval over users across your domain.

GAT Unlock - First Steps 36

This is ideal for situations where Admins do not need to get constant approval to view/download or remove emails.

An example would be in an education domain where the Super Admin would have full open access (view/download or remove emails) for all Student OU’s but would still have to get selective approval from the security officer to access an in the Staff or HR OU.

For a single OU, level adds value like /Staff (Note, this will not grant access to the OU /Staff/IT unless “Sub Org. Units equals Yes!).

In the above screenshot, I put Alex (Super Admin) to have pre-approved access to the entire domain by select / for the Org Unit and I made sure to cover all Sub-Org Units. / means the root User Org. Unit.

They have access to remove and add email delegations as well because I enabled the last two option which is “Can remove?” and “Can add email delegation”.

The Admin should now see something like this when they click on ‘Access permissions granted’ in an Email audit.

 

GAT Unlock - First Steps 37

Every time admins enter the Email audit area they need to apply the Granted pre-approval privilege then carry out the search for the email(s) in question and next to each email there will be an action column visible.

GAT Unlock - First Steps 38

 

Non-Super Admin Auditors

This feature is ideal where Super Admins want to delegate the audit function to local managers or regional security personnel.

GAT+ allows the Admin to select the scope of users that will be covered by the Auditor.

The admin can also select what audit areas to be included.

Auditors will have access to Audit areas and for the scope, they are given only.

GAT Unlock - First Steps 39

 

To learn more visit our knowledge base and read the following article ‘Create Delegated Auditors within GAT+’.