Admin access to reporting rules & activity rules

Throughout September 2025, reporting rules become activity rules. No action is required for users or administrators. Migrated rules have a Modified Date reflecting the migration or last modification date.

Administrators with the Reports privilege were automatically assigned the Audit and Investigation View, Activity Rules View, and Activity Rules Manage privileges.

As an administrator, you can set up activity rules in the Google Admin console to send notifications or take action in response to activity within your domain. Use activity rules to help prevent, detect, and remediate security issues more quickly and efficiently.

Activity rules can be created from the security investigation tool, the Audit and investigation page, or from the Rules page. For instructions and more information, go to Create and manage activity rules.

Note: Events in existing reporting rules are optional, but new activity rules and updates to existing rules must include events. By default, up to five alerts are sent per hour.

Privileges needed to create and view activity rules

All Workspace editions

All Workspace editions can create activity rules that automatically send notifications based on events. Administrators can create and view activity rules in the Rules page.

To use activity rules, administrators need the following permissions. Super administrators have these privileges by default, or you can add them to a custom administrator role.

  • Services > Security Center > Activity Rules > View
  • Services > Security Center > Activity Rules > Manage

Note: Reporting rules are now activity rules. Administrators who previously had the Reports privilege were automatically assigned the Activity Rules View and Activity Rules Manage privileges.

Premium Workspace editions

Admins with a premium Google Workspace edition (for example, Enterprise Plus) have access to the security investigation tool, which includes additional features, such as activity rules that automatically perform actions based on thresholds.

To use the security investigation tool, you need to be an administrator with security investigation tool privileges. To use activity rules, administrators also need the following permissions. Super administrators have these privileges by default, or you can add them to a custom administrator role.

  • Services > Security Center > Activity Rules > View
  • Services > Security Center > Activity Rules > Manage

Admins can be assigned full access for creating activity rules for all data sources, or they can be assigned granular access for specific data sources. To set privileges for specific data sources, go to:

  • Services > Security Center > This user has full administrative rights for Security Center > Audit and Investigation > View > Data source

For more details about setting admin privileges for creating and viewing activity rules, go to Admin privileges for the investigation tool.

Google Workspace edition support

The following chart shows which Google Workspace editions provide access to activity rules and features:

Google Workspace edition | Activity rule access | Notifications | Actions | Thresholds

Frontline Plus, Enterprise Plus, Enterprise Essentials Plus, Education Plus, Chrome Enterprise Premium
Admins have access to activity rules for all log-event data sources for which they have the necessary admin privileges*

Cloud Identity Premium, Enterprise Standard
Admins have access to activity rules for the following data sources if they have the necessary admin privileges*:

  • Chrome log events
  • Device log events
  • OAuth log events
  • Rules log events
  • User log events
  • Voice log events

Business Starter, Business Standard, Business Plus, Education Fundamentals, Education Standard, Enterprise Essentials
Admins have access to activity rules for all log-event data sources for which they have the necessary admin privileges*

Essentials Starter
No access to activity rules

* Access to a data source for creating activity rules depends on your Google Workspace edition and your administrative privileges for specific features in the Google Admin console.

Notes

  • A delegated admin can create an activity rule for a given data source only if they have the necessary administrative privileges for that data source.
  • You can't create activity rules based on live-state data sources such as Chrome browsers, Devices, Gmail messages, and Users. You can only create activity rules based on log-event data sources, for example, Gmail log events or Device log events.
