This feature is ideal where Admins want to delegate the audit function to local managers or regional security personnel.
GAT+ allows anyone to audit any range of users based on the model of Google Groups, Google Classrooms, and Org Units.
It does not require passing on Google Admin authority. Selected auditors can be an individual user, group, or Org Unit. This allows you to have multiple auditors for a specified scope.
This process is documented in this Youtube video.
To Enable Audit Delegation, follow the instructions below.
Open GAT+ on the side menu enter the section called Delegated Auditors.
Click on + ‘Add new auditor’
For the below example
- Product (GAT+ or Shield)
- Auditor – a user, group or OU
- Audit scope – Audit Users/Groups or Org.Units
- Audit areas – choose which areas to be enabled or disabled for the selected auditor.
Note: Once the Delegated auditor is created, they can only access the scope given, and reports they generate will be based on the scope too.
Select the Valid to time expiration period for the Auditor.
Click on the Active and Save button.
Admin can verify the scope the auditor has by logging into GAT+ as the auditor, the admin will see exactly what an auditor will see.
When the Auditor accesses the tool, they will have access only to the enabled areas.
In the Auditing Areas, they can utilize all of the features of GAT Unlock of course with Security Officer approval.
- They can modify and remove permissions download or view file content.
- They can download emails, view emails, and remove emails from users’ Gmail accounts.
- They can set up email delegation to give one user direct delegation into another user’s Gmail account.
The Configuration tab – Security officer will be available only if the user is enabled as a Security Officer.
There might be some limitations in the audit sections in some areas.
For example in the Email section, the Delegated auditor has access to Email, Email Content Search, User statistics, External From/To, and Sender/Receiver tab.
The Drive audit will display all Drive files from the scope of users.
Overall table will be available only if the auditor has a scope of all users in the domain (domain-wide scope)
All the functionalities such as requesting access to the file and removing permissions are available for the Auditors.
Video: How to create delegated auditors in your G Suite domain
For any questions feel free to contact us at firstname.lastname@example.org