Tech Tip – How to Restrict the Audit tool use to a Select Few.
Auditing for all Org Units. (Only affects domains with GAT in a sub-OU)
In the beginning, Google recommended that to restrict app use to a select few, you should create an OU for those chosen to run the app and then make the app available only to those in that OU.
General Audit Tool followed this procedure, and this was our recommended method of restricting GAT access.
With the arrival of OAuth2, applications in sub-OUs only have authority for some audit features over the users in that sub-OU. This affects GAT’s ability to report domain-wide. To solve this problem, we recommend the following settings.
On the GAT homepage, select ‘Configure GAT’.
Then, at the bottom of this configuration, tick the box under ‘Restrict GAT users’ and ‘Save’.
GAT will now only be available to Super Admins, security officers and delegated auditors. If you had GAT in a sub-OU, then in the Google Admin panel you should move GAT from the sub-OU (‘/auditors’ for example) to the root OU (i.e. ‘/’). See here for more details.
This will enable auditing of all users on the domain for details like Google+ usage, etc.
See here to learn about delegating audits to auditors who are not Admin staff.