Google Vault - exclude a single user (e.g. CEO) where entire workspace is licensed (Business Plus)

Good Afternoon,

We have recently been forced to "upgrade" from GSuite Basic with the Google Vault addon licensed for a subset of our users, to Google Workspace Business Plus for all of our users.

Whilst the additional storage space etc from the upgrade is a good thing, now that all users have been upgraded and have vault licensing included, seemingly there is no way to exclude specific users from automatically having all their emails viewable via any user who can access Google Vault?

As a Super Admin, I can unfortunately see all emails within our business on Vault, including emails sent and received by our General Manager / CEO, and confidential emails to our HR department.

Similarly I've had to remove vault access from our H.R. department, as they shouldn't be able to view the General Manager's emails!

The only suggestion made so far, has been to change retention settings on Vault - but this will potentially remove emails from the General Manager's Account!!!

I cannot believe that this is acceptable?


You should restrict the number of people in the organisation with Super admin access as they will have access to view data in Google Vault. You can then create Admin specific roles for other users who legitimately need to complete e-Discovery tasks. For other Admins turn off the Vault service.

An important part of managing Vault and who did what is to have a good business process of approvals. Assign specific people (Security/Audit team) to be responsible for reviewing the Vault Audit logs. So if for example you had done a search on the CEO and this had not been approved by HR or legal, then the person auditing would be responsible for checking.

Whilst I appreciate that - I am a Super Admin and need access to Vault to be able to assist certain non-vault users with related enquiries - I do not want to see my General Manager's emails (and indeed no other users who can use Vault within the business should be able to), so just want to exclude this user.

@AndrewDixon An option you could use would be to put the users who should not be searched into a specific OU, create yourself an admin role giving yourself all admin privileges, and limit this to administrate specific OUs. You could then use your account for everyday administration; it would have a few restrictions. When you go to a user's account, scroll down to Roles and select an admin role to assign, you also get the option to specify which OUs they can administrate.

You then create a super admin account which you would only use when needed.

You can follow the same process for your HR/Legal teams when you assign them a Vault Admin role, restricting it to specific OUs.

Note: Although you can restrict Admins to specific OUs for admin, I have not tested this works for Vault so you would need to test.

I'm adding a feature request for something similar: More flexibility for limiting scope of Google Vault domain holds 

One thought: I believe you could create an alert in alert center that would alert various people, including higher-ups, if someone did a Vault search (at all, or specifically related to the CEO)....wouldn't block it, but would make it really hard to abuse....

JG1

Andrew, did you ever get a reasonable answer to this? I have exactly the same problem, I must exclude a single user from any Vault retention whatsoever, or I cannot move them off this Basic license, which is causing a whole host of issues in itself. Thanks.

@JG1 Sadly not - and arguably has been the only thing that we've ever found disappointing with Google Workspace 😞
