This feature is ideal where Admins want to delegate the audit function to local managers or regional security personnel. GAT+ allows anyone to audit any range of users based on the model of Google Groups, Google Classrooms, and Org Units. It does not require passing on Google Admin authority. Selected auditors can be an individual user, group or Org Unit. This allows you to have multiple auditors for a specified scope.
This process is documented in this Youtube video.
To Enable Audit Delegation, go to the GAT+ on the side menu enter the section called Delegated Auditors.
Click on + ‘Add new auditor’
Now, set up the Delegated auditors and give them an Audit scope.
For the above example:
- Product (GAT+ or Shield)
- Auditor – a user, group or OU
- Audit scope – Audit Users/Groups or Org.Units
- Audit areas – choose which areas to be enabled or disabled for the selected auditor.
Note: Once the Delegated auditor is created, they can only access the scope given, and reports they generate will be based on the scope too.
Admin can verify the scope the auditor has by logging into GAT+ as the auditor, the admin will see exactly what an auditor will see.
When the Auditor accesses the tool, they will have access only to the enabled areas.
In the Auditing Areas, they can utilize all of the features of GAT Unlock of course with Security Officer approval.
- They can modify and remove permissions download or view file content.
- They can download emails, view emails and remove emails from users’ Gmail accounts.
- They can set up email delegation to give one user direct delegation into another user’s Gmail account.
There are some limitations to Delegated auditors.
The delegated auditor will have no access to the Configuration section by default.
They will have a Security officer section if they are set up as a Security officer.
- In the Email section, the Delegated auditor has access to Email, Email Content Search, User statistics, External From/To and Sender/Receiver tab.
- The Drive audit will display all Drive files from the scope of users, but the overall table from your domain will not be available.
All the functionalities such as requesting access to the file and removing permissions are available for the Auditors.