View Categories

GAT+ Delegated Auditor

Why create a delegated auditor in GAT+? #

By default, only Google Workspace Super Admins have access to the GAT+ tool.

With the delegated auditors functionality Super Admins can assign users to audit or analyze others within their domain without ever having access to the Google Workspace Admin Console (admin.google.com). 

How is this useful? Many organizations have multiple offices, departments, campuses, or locations with the delegated auditors feature you can assign the right person to perform the auditing of a group or organizational unit.

Here are a few examples of when delegated auditors could be used: 

  • A sales manager would like to create reports for his/her sales team covering data across all of the different Google apps like Gmail and Google Drive. 
  • A school IT Director would like to give another IT member access to GAT+ but not to his/her Google Workspace Admin Console. 
  • A Super Admin would like to delegate responsibility to his internal auditing team to give them scope over a specific Org unit. 

Creating a Delegated Auditor #

In GAT+ navigate to Configuration > Delegaed auditors > + button (Add new auditor)

View the auditor and fill in the details for the Auditor you want to create.

  • Product – select the product needed 
    • GAT+ – create an Auditor for GAT+
    • Shield  – create an Auditor for Shield
  • Auditor – select the user who will be the Auditor
    • User – select an individual user to be the Auditor
    • Group – select a group of users to be the Auditors
    • Org. Unit – select org. unit of users to be the Auditors
  • Scope – select the users to who the Auditor will audit and have access in GAT or Shield. Users will be under the scope of users the Auditor will manage.
    • User – select the individual user to be the Auditor
    • Group – select a group of users to be the Auditors
    • Org. Unit – select org. unit of users to be the Auditors
      • Include sub. org. units 

  • Access areas – select what areas in GAT+ and Shield the Auditor will have access to. Access areas visible to the Auditors

  • Enable any of the Audit areas
    • Enabled – the area will be visible to the Auditor
    • Disabled – the area will not be visible to the Auditor

Super Admin  #

Super Admin (warning! Can change permissions and more like Google Workspace Administrator)

This is a “custom” Google Super Admin within GAT+ only.

The User with Super Admin Delegated auditor will have the same access Super Admin from Google would have – but only within GAT+ and not within the Google Admin console.

  • Enable changes – Enabled by default – Unchecking will give ‘Read-only’ access to GAT for the Auditor
  • Valid to – select the time until the Auditor will be enabled.
    • Indefinite expiration period
  • Active – enable or disable the Auditor

  • Click on Save to create the Delegated auditor.

Giving GAT+ Auditor Additional Privileges #

When a GAT+ delegated auditor policy is active, you can give the auditor additional privileges. Those privileges allow the Auditor to make changes via Export/Import functionality.

With these additional privileges, the auditor can

  • Export any metadata to a Google spreadsheet
  • Edit any field in the spreadsheet
  • Import the spreadsheet back in to confirm the changes.

Note: A Super Admin has these types of privileges by default.

In Delegated Auditors > click on “lock icon” under Actions to add Additional permissions

Manage additional permissions – in the following areas:

  • Classrooms import
  • Groups import
  • Users import
  • Automatic email forwarding
  • Email delegation
  • Students import
  • ChromeOS device import

For example: 

  • If Email delegation is enabled, the Delegated auditor will be able to use Unlock and request enablement of Email delegation.
  • If Email delegation is not enabled as additional permission, the Delegated auditor will not be able to use Unlock and request the action.

Add the Additional permissions and click on the Save button

Access GAT+ as Delegated auditor #

Your delegated auditor can now launch and access the tool from their Google Apps button.  

In the Google Chrome session click on the Google Apps menu button > scroll down in the menu and click on GAT+

Accessing the tool as a delegated auditor #

When the Auditor logs into GAT+, they will have access only to the selected Admin audit areas

In the Auditing Areas, they can utilize all of GAT Unlock’s features with Security Officer approval.

  • They can modify and remove permission to download or view file content.
  • They can download emails, view emails, and remove emails from users’ Gmail accounts.
  • They can set up email delegation to give one user direct delegation into another user’s Gmail account.
  • They can remove and add permissions from Drive and much more

Security Officer #

If the Auditor is also a Security officer – they will be able to see the Security Officer section in GAT+

Navigate to Configuration > Security officer

This website uses cookies to ensure you get the best experience on our website