To use the security investigation tool, you need to be an administrator with security investigation tool privileges. Super administrators have these privileges by default, or you can add them to a custom administrator role.
Recent changes to log events privileges
The Audit and Investigation View privilege is now required for administrators to access log events.
Roles with only the Reports privilege can no longer access log events.
What you need to know about this change
- Existing administrator roles with the Reports privilege were automatically assigned the Audit and Investigation View, Activity View, and Activity Manage privileges.
- If you create a new administrator role, you must explicitly assign the Audit and Investigation View, Activity View, and Activity Manage privileges.
- If an administrator needs the Reports privilege, but doesn’t need to access log events, remove the additional privileges.
Administrators with a premium edition
Administrators with a premium edition (for example, Enterprise Plus) can access additional features:
- With the Audit and Investigation View privilege, administrators can:
  - Create a custom chart based on an investigation (only if Security Dashboard is accessible).
  - Perform actions on log events.
- With the Activity Rules View and Activity Rules Manage privileges, administrators can create activity rules.
If an administrator doesn’t need these features, a super administrator can remove the privileges from the role.
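The privilege change and the removal advice above amount to a least-privilege review of each administrator role. The following is an added example, not Google's code: it checks constructed role records against the privilege labels on this page. The record layout, the `needs_log_events` flag, and the two `ELEVATED` labels (built from the Manage and View sensitive content checkboxes) are assumptions, not the Admin console's export format.

```python
"""Least-privilege review of administrator roles (added example)."""

# Privilege labels taken from this page; the role records are constructed.
AUTO_ASSIGNED = {"Audit and Investigation View", "Activity View", "Activity Manage"}
# Assumed labels, built from the page's Manage and View sensitive content boxes.
ELEVATED = {"Audit and Investigation Manage",
            "Audit and Investigation View sensitive content"}


def review_role(role):
    """Compare the privileges a role holds with what its owner says it needs."""
    held = set(role["privileges"])
    if role["needs_log_events"]:
        # New roles must be given all three privileges explicitly.
        missing, excess = sorted(AUTO_ASSIGNED - held), []
    else:
        # Reports-only use case: the extra privileges should be removed.
        missing, excess = [], sorted(held & (AUTO_ASSIGNED | ELEVATED))
    return {"missing": missing, "excess": excess,
            "sensitive": sorted(held & ELEVATED)}


def review_all(roles):
    """Return findings only for roles that need a change or a closer look."""
    report = {}
    for role in roles:
        result = review_role(role)
        if any(result.values()):
            report[role["name"]] = result
    return report


# Constructed sample data: hypothetical role names and owner-declared needs.
SAMPLE_ROLES = [
    {"name": "Helpdesk reporting", "needs_log_events": False,
     "privileges": ["Reports", *AUTO_ASSIGNED]},
    {"name": "New SOC analyst", "needs_log_events": True,
     "privileges": ["Reports"]},
    {"name": "Log reviewer", "needs_log_events": True,
     "privileges": ["Reports", *AUTO_ASSIGNED]},
    {"name": "IR lead", "needs_log_events": True,
     "privileges": ["Reports", *AUTO_ASSIGNED, *ELEVATED]},
]

if __name__ == "__main__":
    for name, result in review_all(SAMPLE_ROLES).items():
        print(name, result)
```

Roles listed under `sensitive` are not misconfigured by themselves; they are the ones whose membership deserves periodic review because they can change content or read full messages.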
Create admin role for security investigation tool
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Choose an option:
  - To add the privileges to an existing role, point to the custom administrator role and click View privileges.
  - To create a new admin role, click Create new role, add a name and description, and click Continue.
- In the Services section, next to Security Center, click the right arrow to expand the privileges.
- Next to This user has full administrative rights for Security Center, click the right arrow to expand the privileges.
- (Optional) To give the admin access to all Security Center features, including the security investigation tool, check the This user has full administrative rights for Security Center box and go to Step 11.
- Next to Audit and investigation, click the right arrow to expand the privileges.
- Choose an option:
  - To allow the admin to run searches and see returned results, which could contain sensitive content, check the View box.
  - To allow the admin to update content, for example, change the access control list of a document or delete an email, check the Manage box.
  - To allow admins to view complete messages and attachments, including those that violate DLP rules (if the View sensitive content setting is ON) or are reported as inappropriate, check the View sensitive content box.
- Click Save or Continue.
- If prompted, review the privileges and click Create Role.