How to set up pre-approval for Super Admins

Note: Pre-approval for GAT Unlock functionality is configured by the nominated security officers. Ask your security officer to launch GAT+ and to enter the Security Officer section.

Once their click on the Preapproved Tab and click on the plus icon “Add new preapproved access”.

Your security officer will then have to select you (super admin) to have pre-approval over users.

If you want the super admin to gain access to the full functionality of GAT Unlock you need to give him scope over the root OU which is /.

Note: If you give super admin access to a specific OU for example /staff and you cover sub-OUs (Yes) then they will only have pre-approved access to ‘Access Permissions Granted’ but will not have pre-approved access to ‘File Management’.

In situations where you are a super admin and a security officer on your domain, if you set up pre-approved for yourself, you will need another security officer to verify and approve this permission. This is because self-approval is not allowed.

Delegate access to your Gmail account

With GAT+ Super Admins and Delegated Auditors can give a user access into another user’s Gmail account for a specified period of time after which the delegation is automatically removed. This may be for business purposes but it is also to facilitate the fast search and viewing of all the account emails via another user’s browser.

 

Note: Please ensure email delegation is allowed for users in your domain.

Go to the Google Apps Admin console and under ‘Apps’, ‘G Suite Apps’, ‘Settings for Gmail’, ‘User Settings’, check if the email delegation box is allowed for your domain.

Now launch GAT+ and enter the User Audit section.

Click on the Email Info tab. Search for the user whose Gmail account will be delegated to someone else, click on the drop-down menu and select ‘Add e-mail delegation’.

When the menu appears, enter the user who will gain access. And enter the number of hours for which this delegation and when it expires it will remove this delegation automatically.

The request will be sent to your security officer for approval, once approved the delegation will be set.

The delegated account appears in the accounts drop-down list in the user’s own Gmail account. This can take several minutes and may require a refresh. The user accessing the delegated account will have to log out and log back in again for the delegated account to appear.

Note: If during the period of the delegation, the user of the account under audit logs into their Google account and goes to their email settings, then under ‘Accounts and import’ the account owner will see that the Admin has granted delegated access to the account.

In addition, if the delegated user reads any unopened email in the audit account, this email will be marked as ‘read’.

How to Allocate G Suite Permissions to Key Individuals/Groups

Note: You need GAT Unlock to apply the following steps
Allocate permissions to only key individuals/groups:

Customize the highlighted section in the ‘file management’ feature.
Allocate permissions to only key individuals/groups

How to Remove All Permissions to all ‘Sensitive’ Folders and Their Sub-folders

Note: You need GAT Unlock in order to apply the following steps

To remove all permissions to all ‘sensitive’ folders and their sub-folders, You will need to:

Click on the drop-down menu next to the folders name and select ‘Apply permission change to this folder (recursively)
apply permission change to this folder
The File Management options will pop up, you can remove any user as an editor/reader or change ownership down the folder tree.
file management feature

Identify Who has Access to Your Sensitive Folders

In this post, we show you how to identify those who have access to ‘sensitive’ folders and their subdomain.
Note: You need GAT Unlock in order to apply these following steps
This can be done by searching for the folder using the custom filter options in GAT+.
You can use the title of the folder or any other search parameter to find it.
select filters in the drive files filters
Then click on the drop-down option next to the folder name. Select Show contents of this folder and its subfolders.
show contents of this folder and other folders
Then click on the export data button to get a detailed Spreadsheet with all the users who can access the files within the folder and its subfolders. The spreadsheet will show who can edit/view files within the folder and its subfolders.
export to google sheets

Audit & Secure Your Google Drive Using GAT Unlock

In this post, we’ll be covering file management using GAT Unlock.

Here is a video tutorial about the topic

First, navigate to Drive Audit in GAT+. Using the panel on the left side of the screen. Next, we’ll click to ‘create a filter’ button.

create a filter button

In this example, we’ll be finding all video files owned by my marketing group being shared out of my domain. We’ll start by selecting to type and choosing ‘User/Group/OU /Search. We’ll fill in the email for my group and make sure to check ‘owned only’ In the definition section, we’ll add two rules. One with a sharing flag set to ‘shared out’ and another that will look for file type which I’ve set to ‘video’ these two rules will work together to look for video files which are being shared out of my domain. Click the ‘Apply’ button to proceed with the search.

Some filter options in GAT Unlock's Drive Audit

Now that I have my results, I can begin managing them by selecting the button on the left labelled ‘toggle selectable’ now you can select whatever files you wish to manage. Selecting the box at the top will select all the files in the search. By clicking the adjacent file operation button you will see a drop-down menu. Here you can select file management. In this example, we are removing external access to the videos and making myself the owner of all the files. We’ll make sure to check both to ‘remove all external editors and external reader’ boxes. Now we can send my request to my security officer.

Send a request to the security officer

Your security officer is another member of your organisation or school that has been given the responsibility of approving or denying an ominous request to change file permissions. Upon sending a request, the security officer will receive an email detailing two changes and will be given the choice to approve or deny your request. If the security officer approves your request the action will be executed and you will be notified if the request is denied you will be notified and there will be no action taken.

How to Use GAT Unlock for File Management

File Management – Changing ownership or file access rights with GAT Unlock

GAT Unlock is tightly integrated with the powerful search and filter options available in GAT+. This means you only have to do things once.

In this example we are going to find all the spreadsheets owned by the group ‘Support’ that are shared externally, then we will remove the external sharing and change the ownership (on all the selected files at once).

TIP: Always narrow the file request with a search first – saves time and makes approval simpler.

Step 1: Click on the ‘Apply custom filter’ button in Drive Audit.

Step 2: Select the following option:

  • First, we can select “Long search”.
  • We search for OU (/Support) – and select the Sub. Org and Owned (only owned files by the Org. Unit)
    • Click the checkbox option ‘Owned only’, this will show all the files owned by ‘Suppor’ group. Otherwise, it would show all of the files associated with ‘Support’ group, were Support shows up as Owner, Editor or Reader.

  • Once the long search completes – Open “Apply custom filter” add extra rules Type equal to Spreadsheets and to add another search parameter click on ‘Add rule’ button and select ‘Sharing Flag’ to ‘Shared Out’. Selecting shared out will only focus on files leaving your domain.  

Apply the filter will find files from Support that is a spreadsheet and are shared out.

Step 3: Next click on the ‘Toggle Selectable’ button, this will allow you to select files individually or all of them at the same time.

Note: You can not perform actions on a ‘Suspended’ account.

Step 4: Click on the button ‘File operation’ and then select the ‘File Management’ option.

Step 5: In this example, we are removing external access to the spreadsheets and making the manager the owner of all the files.

When you click on the ‘Send request’ button, an email is going to be sent to your security officer.

If the security officer approves your actions, they will be executed and you will be notified.

If permission is not granted by the security officer, you will also be notified and no actions will be taken.

Access Permissions Granted – How to silently copy or view files

We are going to use a powerful search feature inside of GAT+ Drive audit to identify the contents of documents we’re going to investigate. The feature is called “Full Content Search” 

Step 1: Click on the ‘Long search’.

Step 2: Select “Full content search”

Then select the expression or an individual word you would like to search for example
“Full content search” –
The “Query” is the term we are searching for, then we select the Org. Unit (“Support” in this example) and if we like we can include all the Sub. Org.

Step 3: Now, that the search is complete, click on the ‘Actions” and select the green icon
Then the results will be displayed.

Step 4: Click on the ‘Apple custom filter’ button to build on top of the current filter.

We are going add another search parameter on top of the current filter. Select the ‘Updated’ parameter, for our example, I’m going to look back a few months. This will show us files which contain the sentence “private and confidential” and which have been updated since Feb 1st, 2018.

Step 5: Select the files you are interested in and select the toggle button.

Step 6: Click on the ‘Files operation’ button and then select ‘Access permissions granted’.

Step 7: Next we will select a date in the future, we will have access to these files until this date. You have an option to write to your security officer explaining why you need access to these files.

Access permissions granted tab

Send the request to the Security Officer(s) for approval.

The following email will be sent to the Security Officer

The Security Officer can click on the link in the email and will be taken to the approval area in GAT+.

The Security Officer can click on the link in the email and will be taken to the approval area in GAT+.

When the Security Officer grants access an email will be sent to the requesting Administrator/delegated auditor informing them. The Administrator from the ‘Access permission granted’ menu can see the full list of their access requests along with the time left for each request to remain valid.

The Administrator from the ‘Access permission granted’ menu can see the full list of their access requests along with the time left for each request to remain valid.

Once the request is selected, the requestor can download documents or view the contents silently without the owner’s awareness.

the requestor can download documents or view the contents silently without the owners awareness.

Remove Access Rights to Documents and Folders with GAT+ & GAT Unlock

With just a few clicks G Suite super admins can remove access rights to any document or folder owned by their domain users at any time, even without Security Officer approval (GAT Unlock functionality). In the Drive result table just click on the drop-down menu option next to a user’s email address or the actual permission for example “everyone” or “everyone with link”. You will be prompted with several options.

When you click on the drop-down menu for “everyone” or “everyone with link” permission you will have 3 options, you can remove the permission just for the doc or folder you selected or you can remove that permission for all files within the applied filter search where ever that permission appears for editors or readers.

The same 3 options are available when the drop-down menu is pressed for external or internal email address. You will be prompted with options to remove the users access rights.

When you click on an local domain user’s email address drop-down menu. You will see additional options, for example you can quickly navigate to their owned docs, files they have access to (Files in user_x@mycorp.com) and actions they’ve taken on files (Events for user_x@mycorp.com)

Note: For internal public files shared to your entire domain you may see the following permission: “mycorp.com (with link)”. The same actions can be taken to remove this permission.

You may also find this post helpful:

How to Remove Public and Published Permissions

How to Restore Permissions Removed By a Policy

How to Update GAT Permissions

‘GAT Unlock’ pricing and approval authority needed

‘GAT Unlock’ pricing and approval authority needed

NB: From September 1st, 2017, GAT Unlock will be priced at $2 or €2 per user per year. Thereafter there is no extra charge. Minimum charge is $250 or €250.

From September 1st, 2016, GAT Unlock will be bundled at no extra cost for educational domains who subscribe to GAT+ at the educational rate of €/$0.50 per user per year.

Non-Super Admin Auditors and Security Officers

As experienced Admins using GAT+ will know you are able to create delegated auditors. See ‘Delegated Audits – Notes to Super Admins’. A delegated auditor is the owner of a Google Group, whom a Super Admin has configured in GAT to have audit rights over all the members of that group. Delegated Auditors are not Super Admins and quite often are just ordinary G suite users like school principals or line managers. The only G Suite ‘power’ they have is that they are the owner of a Google Group.

It is now possible for these ordinary G Suite users to search for and request access to (from a Security Officer) files and emails belonging to the users in the group(s) they audit. The Super Admin can select Delegated Auditors option

Click on the plus icon to add a new delegation. Choose your auditor via the options and give them scope.

 

Note: Delegated auditors will not have access to emails and for now they cannot perform tasks using the GAT unlock features.

They may also act as Security Officers, but again they can not self-approve. Other ordinary G Suite users, like managers in a department, who are not themselves delegated auditors can be Security Officers too.

This feature set becomes enabled when the Security Officer is enabled. Again, as with elsewhere the only people who can enable a Security Officer are General Audit Tool staff. GAT staff will only enable Security Officers once the correct instructions have been given to and the correct permission received by the GAT staff.