Set up Vault privileges

    Control who can use specific Vault features
    Note:Starting on November 1, 2025, Google Workspace admins must have a Google Vault license to continue using Google Vault.

    If your Google Workspace edition already includes a Google Vault license, your admins can use that license. If your edition doesn't include a Vault license, you can either upgrade to an edition that includes a Vault license, or you can purchase a Vault add-on license. Learn more about Vault licenses .

    To ensure continued access to Google Vault, please update the licenses for all your active Vault admins before November 1, 2025.

    As a Google Workspace administrator, you can allow users in your organization to do all Vault tasks or only a specific subset. For example, you might allow certain users to set retention rules, and allow a different group to search and export data.

    Before you give users Vault privileges, consult with your organization's legal experts or business personnel to determine which users require access to Vault tools. For some Vault privileges, such as managing searches or exports, you can restrict the privilege so that the user can work with only user data in a specific organizational unit.

    Accounts with Vault privileges should be treated as sensitive because they have access and control over other users’ data in your organization.

    To grant privileges to a user, you create an admin role that includes one or more Vault privileges. Then, assign the admin role to the user.

    In this article

    Step 1: Create an admin role with Vault privileges

    You must be signed in as a  super administrator  for this task.

    1. Sign in with a super administrator account to the Google Admin console.

      If you aren’t using a super administrator account, you can’t complete these steps.

    2. Go to Menu  Account > Admin roles .
    3. Click Create a new role.
    4. Enter a name and description for the role. For example, the name could be the privilege that the user will have.
    5. Click Continue.
    6. Locate and expand the Google Vault section.

      Tip: In the search box, enter Google Vault.

    7. Select privileges for the role. For more details, go to the Vault Privileges reference  (later on this page).
    8. Click Continue.
    9. Review the privileges you selected then click Create Role.

    Step 2: Assign Vault roles to users

    You must be signed in as a  super administrator  for this task.

    You can assign Vault roles to one user at a time, or to several users at once.

    With either approach:

    • Users usually get the new role within minutes, but it can take up to 24 hours.
    • If the role includes only Manage Exports, Manage Searches, Manage Holds, and Manage Matters, you can restrict the scope of the role to a specific organizational unit.
    • Vault admins must be assigned a Vault license in order to access Vault.

    For instructions, go to Assign roles .

    Privileges reference

    You can restrict some Vault privileges, such as managing exports, to an organizational unit. Other privileges apply to all organizational units.

    Vault privilege
    What the privilege allows the user to do
    Manage Matters
    • Create matters and share those matters with other users.
    • Close, reopen, and modify matters.
    • Delete and restore matters.

    Important:A user must have at least one more privilege– Manage Holds, Manage Searches, Manage Exports, or Manage Audits– to open and work with matters.

    When the privilege is restricted to an organizational unit, the user can share matters only with accounts in the organizational unit.

    Manage Holds
    • View the list of user accounts on hold.
    • Create holds.
    • Modify holds.
    • Remove holds.

    A user can create, modify, or remove a hold only if they have the Manage Holdsprivilege on all of organizational units included in hold.

    If new accounts are added to the hold, the user must have the Manage Holdsprivilege on the organizational unit that contains the accounts.

    Vault users outside the organizational unit can see holds on users in the organizational unit.

    Manage Searches
    • Search data and count results.
    • View the contents of messages and files that are returned with search queries.
    • Create or delete saved search queries.

    When this privilege is restricted to an organizational unit, the user can search only for data associated with accounts and shared drives in that organizational unit.

    Manage Exports
    • View and download exports.
    • Delete all exports.

    Important:To create exports, a user needs this privilege and the Manage Searchesprivilege.

    When this privilege is restricted to an organizational unit, the user can export only data associated with accounts and shared drives in the organizational unit.

    Google Workspace super administrators don't have access to all exports. They can only work with exports they own and exports in matters shared with them.

    Access All Logs
    • View audit logs for all matters.
    • View all hold reports for your entire organization.
    • View holds in matters that the user has access to.

    This privilege applies to all organizational units.

    Manage Audits
    • View audit logs for matters that were created by or shared with the user.
    • View all hold reports for your entire organization.
    • View holds in matters that the user has access to.

    This privilege applies to all organizational units.

    Manage Retention Policies
    • Create and view retention rules for your entire organization.
    • Update retention rules for your entire organization.
    • Delete retention rules for your entire organization.

    This privilege applies to all organizational units.

    View Retention Policies
    • View all retention rules for your entire organization.

    This privilege applies to all organizational units.

    View All Matters
    • View all matters in your entire organization.

    This privilege applies to all organizational units.

    Privileges examples

    The following table provides a summary of privileges that you can combine as needed. 

    What the user wants to do
    What to select

    Search & export  privileges

    Search data, preview results, and save queries, but not export search results
    Select Manage Searches. To allow a user to search in any matter, not just matters owned by or shared with the user, also select View All Matters.
    View, download, and delete exports, but not create exports
    Select Manage Exports. To allow a user to work with exports in any matter, not just matters owned by or shared with the user, also select View All Matters.
    Create exports, plus all other search and export actions
    Select Manage Searchesand Manage Exports. To allow a user to search and export in any matter, not just matters owned by or shared with the user, also select View All Matters.

    Holds, audits & matters privileges

    Create and remove holds, view lists of holds

    Select Manage Holds. To allow a user to create and remove holds in any matter, not just matters owned by or shared with the user, also select View All Matters.

    View audit logs for all matters, view and hold reports
    Select Access All Logs.
    View audit logs and holds for matters they can access, view all hold reports
    Select Manage Audits.
    Create, share, close, and delete matters
    Select Manage Mattersand at least one of the following: Manage Holds, Manage Searches, Manage Exports, or Manage Audits.

    Retention privileges

    View, create, edit, and delete retention rules
    Select Manage Retention Policies.
    View retention rules, but not create, edit, or delete them
    Select View Retention Policies.

    Troubleshoot Vault privileges

    User doesn’t have any matters listed on the Matters page

    If the user's admin role doesn't include the View All Mattersprivilege, then the user can only see matters they own and matters shared with them. The user won't see any matters if they don't own any and don't have any shared with them.

    How to fix:Share matters with the user. For instructions, go to Share a matter .

    User can’t open any matters

    If the user's admin role has only the View All Mattersprivilege and no other privileges, then the user can only view the list of matters but not open them.

    How to fix:You have 2 options:

    • Assign the user another admin role that includes another Vault privilege.
    • Edit the user's assigned admin role to include another Vault privilege.

    Was this helpful?

    How can we improve it?
    true
    Enable Dark Mode
    Search
    Clear search
    Close search
    Google apps
    Main menu
    12123197600698794874
    true
    Search Help Center
    false
    true
    true
    true
    true
    true
    96539
    false
    false
    false
    false
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: