Unlock is a feature within GAT+ that allows Google Workspace admins to carry out different actions across their domains.
The Unlock functionality is required for:
- Viewing the content of Files and Emails
- Changing the ownership of Google Drive Files
- Copying Google Drive folders and moving them to another user
- Adding or removing users from Drive and Shared Drive files
- Setting up email delegation to user accounts
- Using the GAT Flow functionality to:
  - Onboard users into the domain
  - Offboard users from the domain
  - Modify users in the domain
The Unlock functionality requires each of the actions above to be approved by the Security Officer. This is designed as a security feature.
Unlock pre-approval can be set up only by the Security Officer.
What is pre-approved access in Unlock? #
Pre-approval in Unlock allows the Action chosen for Flow, Drive, or Email to be carried out without the Security Officer's approval for every request.
In other words, it allows Unlock to be used without approval by the Security Officer.
Pre-approval must be set up and approved by the Security Officer.
How to Set up Unlock Pre-approval for Google Drive? #
Navigate to GAT+ > Configuration > Security Officer > Access permissions
In Access Permissions, click the + button to create a new pre-approved access.
A new window will be displayed. Fill in the required details:
- Authorized user – select the user who you want to set pre-approved access to
- Type – Drive
- Scope – User, Group, Org.Unit
- Scope – select only the users for whom access will be pre-approved
- Valid until – set the time until which pre-approved access will be granted
Click Save.
How to set up Unlock pre-approval for Email? #
Navigate to GAT+ > Configuration > Security Officer > Access permissions
In Access Permissions, click the + button to create a new pre-approved access.
A new window will be displayed. Fill in the required details:
- Authorized user – select the user who you want to set pre-approved access to
- Type – Email
- Scope – User, Group, Org.Unit
- Scope – select only the users for whom access will be pre-approved
- Valid until – set the time until which pre-approved access will be granted
- Can remove emails – enable or disable to allow or disallow the removal of emails
- Remove emails – permanent
- Remove emails – trash only
- Can add email delegation – enable or disable to allow or disallow the setting up of email delegation
Click Save.
Approval email #
NOTE: Unlike normal requests, no email will be sent to the Security Officer for approval. The Security Officer must log in to GAT+ and approve the requests.
The Security Officer must navigate to GAT+ > Configuration > Security Officer > Access permissions and Approve the request.
Result #
The “Pre-approved” access will be granted to the selected user.
When pre-approval is enabled, the Admin does not need approval for every request.
When the Admin wants to use Unlock, the chosen action that requires Unlock will start right away, without a request being sent to the Security Officer.
Example of pre-approval enabled #
If pre-approval is enabled, no email will be sent to the Security Officer; the request will be approved and access to the files will be granted.
By default, the Admin will have access to view and download all the files from all the users selected in the Scope.