Why create a delegated auditor in GAT+? #
By default, only Google Workspace Super Admins have access to the GAT+ tool.
With the delegated auditors functionality Super Admins can assign users to audit or analyze others within their domain without ever having access to the Google Workspace Admin Console (admin.google.com).
How is this useful? Many organizations have multiple offices, departments, campuses, or locations with the delegated auditors feature you can assign the right person to perform the auditing of a group or organizational unit.
Here are a few examples of when delegated auditors could be used:
- A sales manager would like to create reports for his/her sales team covering data across all of the different Google apps like Gmail and Google Drive.
- A school IT Director would like to give another IT member access to GAT+ but not to his/her Google Workspace Admin Console.
- A Super Admin would like to delegate responsibility to his internal auditing team to give them scope over a specific Org unit.
Creating a Delegated Auditor #
In GAT+ navigate to Configuration > Delegaed auditors > + button (Add new auditor)
View the auditor and fill in the details for the Auditor you want to create.
- Product – select the product needed
- GAT+ – create Auditor for GAT+
- Shield – create Auditor for Shield
- Auditor – select the user who will be the Auditor
- User – select individual user to be the Auditor
- Group – select group of users to be the Auditors
- Org. Unit – select org. unit of users to be the Auditors
- Scope – select the users to who the Auditor will audit and have access in GAT or Shield. Users will be under the scope of users the Auditor will manage.
- User – select individual user to be the Auditor
- Group – select group of users to be the Auditors
- Org. Unit – select org. unit of users to be the Auditors
- Include sub. org. units
- Access areas – select what areas in GAT+ and Shield the Auditor will have access to. Access areas visible to the Auditors
- Enable any of the Audit areas
- Enabled – the area will be visible to the Auditor
- Disabled – the area will not be visible to the Auditor
Super Admin #
Super Admin (warning! Can change permissions and more like Google Workspace Administrator)
This is a “custom” Google Super Admin within GAT+ only.
The User with Super Admin Delegated auditor will have the same access Super Admin from Google would have – but Only within GAT+ and not within the Google Admin console.
- Enable changes – Enabled by default – Unchecking will give ‘Read-only’ access to GAT for the Auditor
- Valid to – select the time until the Auditor will be enabled.
- Indefinite expiration period
- Active – enable or disable the Auditor
- Click on Save to create the Delegated auditor.
Giving GAT+ Auditor Additional Privileges #
When a GAT+ delegated auditor policy is active, you can give the auditor additional privileges. Those privileges allow the Auditor to make changes via Export/Import functionality.
With these additional privileges, the auditor can
- Export any metadata to a Google spreadsheet
- Edit any field in the spreadsheet
- Import the spreadsheet back in to confirm the changes.
Note: A Super Admin has these types of privileges by default.
In Delegated Auditors > click on “lock icon” under Actions to add Additional permissions
Add the Additional permissions and click on the Save button
Access GAT+ as Delegated auditor #
Your delegated auditor can now launch and access the tool from their Google Apps button.
In the Google Chrome session click on the Google Apps menu button > scroll down in the menu and click on GAT+
Accessing the tool as a delegated auditor #
When the Auditor logs into GAT+, they will have access only to the selected by Admin audit areas
In the Auditing Areas, they can utilize all of the features of GAT Unlock of course with Security Officer approval.
- They can modify and remove permission to download or view file content.
- They can download emails, view emails, and remove emails from users’ Gmail accounts.
- They can set up email delegation to give one user direct delegation into another user’s Gmail account.
- They can remove and add permissions from Drive and much more
Security Officer #
If the Auditor is also a Security officer – they will be able to see the Security Officer section in GAT+
- Configuration > Security officer