With GAT+, Google Workspace Super Admins and GAT+ Delegated Auditors can give users access to another user’s Gmail account indefinitely or temporarily.
By default, Admins can delegate for any number of hours, and GAT+ automatically removes the delegation when the set time is up.
What is a Gmail delegate? #
A Gmail user can grant mailbox access to another user in the same Google Workspace organization.
Reasons for delegating access to a user’s Gmail #
- To audit/remediate an incident
- Email delegation is a better way to gain access than resetting the user’s password
- If a user has forgotten to set up their auto-reply when they are on leave or on holidays
- To create or modify a user’s email signature
Note: Please ensure email delegation is allowed for users in your domain.
Google Workspace – Enable Mail delegation #
Go to the Google Admin Console.
Select ‘Apps’ > ‘Google Workspace’ > ‘Gmail’ > ‘User Settings’ and make sure the Mail Delegation box is ticked and allowed for your domain.
Set e-mail delegation #
Navigate to GAT+ → Users → Email info
Apply a filter and search for the user whose Gmail account will be delegated to someone else.
Click on the “arrow” under Actions and select Add e-mail delegation
A pop-up window will be displayed
Request e-mail delegation
- Delegate – enter the Email of the delegate
- To fully access the mailbox – of the selected user
- Valid time (hours) – enter the number of hours the email delegation should stay active
- Set to 0 (zero) if it has to be valid indefinitely. Otherwise, access will be revoked after the set number of hours.
- Send request – click to send the request for approval
Approval Needed #
All listed security officers will receive an email notification for approval, but only one has to approve.
When the request is approved, the email delegation will be set up.
The delegated account will appear in the account drop-down list in the user’s own Gmail account.
This can take several minutes and may require refreshing the Gmail page.
Selecting the ‘Delegated’ account will open a new tab in your Chrome browser with the new account.
Note: If the delegated user reads any unopened email in the audited account, this email will be marked as ‘read’.
Note: When an email is sent from the ‘Delegated’ account, Gmail will add a note showing which user sent the email.
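The check below is an added example, not part of GAT+ or this page's own material. It reconciles the delegates actually present on mailboxes against approved requests, applying the rule above that 0 hours means indefinite. The request record layout, addresses and timestamps are constructed assumptions; the delegate listings follow the shape of the Gmail API `users.settings.delegates.list` response.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of approved requests (hypothetical layout, not a GAT+ export).
# valid_hours == 0 means indefinite, as described on this page.
APPROVED = [
    {"mailbox": "alice@example.com", "delegate": "auditor@example.com",
     "approved_at": "2024-05-01T09:00:00+00:00", "valid_hours": 4},
    {"mailbox": "bob@example.com", "delegate": "assistant@example.com",
     "approved_at": "2024-04-01T09:00:00+00:00", "valid_hours": 0},
]

# Constructed sample of per-mailbox delegate listings, in the shape returned by
# the Gmail API users.settings.delegates.list call.
LIVE = {
    "alice@example.com": {"delegates": [
        {"delegateEmail": "auditor@example.com", "verificationStatus": "accepted"}]},
    "bob@example.com": {"delegates": [
        {"delegateEmail": "assistant@example.com", "verificationStatus": "accepted"}]},
    "carol@example.com": {"delegates": [
        {"delegateEmail": "unknown@example.com", "verificationStatus": "accepted"}]},
}


def expiry(req):
    """Return when an approved request lapses, or None if it is indefinite."""
    if req["valid_hours"] == 0:
        return None
    return datetime.fromisoformat(req["approved_at"]) + timedelta(hours=req["valid_hours"])


def reconcile(approved, live, now):
    """Label every live delegation as ok, indefinite, expired or unapproved."""
    index = {(r["mailbox"].lower(), r["delegate"].lower()): r for r in approved}
    findings = []
    for mailbox, listing in live.items():
        for d in listing.get("delegates", []):
            req = index.get((mailbox.lower(), d["delegateEmail"].lower()))
            exp = expiry(req) if req else None
            if req is None:
                status = "unapproved"   # no approval on record for this pair
            elif exp is None:
                status = "indefinite"   # approved with 0 hours: review periodically
            else:
                status = "expired" if now >= exp else "ok"
            findings.append((mailbox, d["delegateEmail"], status))
    return sorted(findings)

NOW = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)  # constructed audit time
for finding in reconcile(APPROVED, LIVE, NOW):
    print(*finding)
```

An `expired` finding means a delegate is still present after its approved window, and `unapproved` means the delegation has no matching request; both are worth investigating and removing.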
Troubleshooting a delegation error #
A delegate you added can’t access the assigned account
If a delegate can’t access an assigned account and gets an error instead, check if the delegated account is set to “Require user to change password at next sign-in.”