Admin privileges for the audit and investigation tool

Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues. Learn more

Your ability to use the audit and investigation tool depends on your Google edition, your administrative privileges, and the data source. You can run a search in the audit and investigation tool on all users, regardless of their Google Workspace edition.

To use the audit and investigation tool, you need to be an administrator with Audit and investigation privileges. Super administrators have these privileges by default, or you can add them to a custom administrator role. Use the following steps to update an existing role or create a new one.

Create or edit admin role for audit & investigation tool

1. In the Google Admin console, go to Menu Account Admin roles.

   Go to Admin roles

   You must be signed in as a super administrator for this task.

2. Choose an option:
   • To add the privileges to an existing role, locate the specific role in the list, and then click Actions View privileges Open privileges.
   • To create a new admin role, click Create new role, add a name and (optional) description, and click Continue.

3. In the Admin console privileges section, click Services Security Center.

   Note: You can click the right arrows to expand child privileges or the down arrows to hide child privileges. You can also use the Search bar at the top.

4. Do one of the following actions:

   • To give the admin access to all Security Center features, including the security investigation tool, check the This user has full administrative rights for Security Center box.
   • To give the admin access to specific Security Center features, click This user has full administrative rights for Security Center Audit and investigation. Then choose an option:
     • To allow the admin to run searches and see returned results (including results that could contain sensitive content), check the View box.
     • (DLP access only) To allow the admin to view rule-sensitive content, check the View sensitive content box. For details, go to Use Workspace DLP to prevent data loss. This feature is available only in Frontline Plus, Enterprise Standard, Enterprise Plus, or Education Plus.
   • To allow the admin to update content (for example, change the access control list of a document or delete an email), check the Manage box.
   • To allow admins to view complete messages and attachments, including those that violate DLP rules (if the View sensitive content setting has been turned on in Security Investigation tool settings) or are reported as inappropriate, check the View sensitive content box. This privilege can help admins understand any risk that might be associated with the message.

5. Click Save or Continue.

6. If prompted, review the privileges and click Create Role.

7. Assign the role to any users. For the steps, go to Assign roles.

Related topics

• Admin privileges for the security center
• About the audit and investigation tool
• View content that triggers DLP rules
• Use Workspace DLP to prevent data loss
• Create, edit, and delete custom admin roles