Access Approvals: Require Google staff to request approval before viewing support data

To use Access Approvals, you need the Google Workspace Assured Controls or Assured Controls Plus add-on. For details, speak to your sales representative.

Access Approvals for Google Workspace requires Google staff to request your organization’s approval before viewing data related to a support action.

Note:

Requirements for using Access Approvals

To use Access Approvals, you need the Google Workspace Assured Controls or Assured Controls Plus add-on. To realize the full benefits of Access Approvals, users assigned to Assured Controls must be members of an organization using Workspace Enterprise Plus with the Assured Controls or Assured Controls Plus add-on. Access Approvals events are surfaced in the Access Transparency logs.

Note: For administrators with Enterprise Plus, individual organizational units can have users at multiple subscription levels. If you use Access Approvals and set a policy for specific organizational units, that policy only applies to users within organizational units that have an Assured Controls license. For more information, go to If you have multiple Google Workspace editions.

Set up Access Approvals

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. Go to Menu "" Dataand thenComplianceand thenAccess Approvals.
  3. To set up Access Approvals for your entire domain, leave the top organizational unit selected. Otherwise, select a child organizational unit or a group.
  4. Check the Require Google staff to request approval before viewing data necessary for support services option.
  5. Click Save if you selected the top organizational unit.
    Click Override if you're setting up Access Approvals for a child organizational unit or a group.

Note:

  • The support response time increases while Google Workspace support waits for your approval. We recommend being cautious when enabling Access Approvals if you might require high service availability and rapid response by Google Workspace support.
  • For some situations (such as, single-customer outage remediation and legal requests), Google personnel might need to bypass your Access Approvals policy to access customer content in a time-sensitive manner. 

Manage Access Approvals requests

To view Access Approvals requests, you can filter the Alert center list of alerts.

Filter Access Approvals requests

  1. In your Google Admin console (at admin.google.com), go to Menu "" Security and then Alert center.
  2. In the list view, click Add a filter.
    1. From the list of filters, select Alert types.
    2. In the list of Alert types, check the Access Approvals request option. 
    3. Click Apply.

For more information, go to Use the alert center.

Access Approvals alert details

In the list of Access Approvals alerts, click a request to view the alert details.

Admins can set a request's Severity and Status, and assign the request to an admin in your organization. Admins can also delete and alert.

  • Severity (High, Medium, Low)
  • Status (Not started, In Progress, Closed)
  • Enter Assignee (email address of an admin for the organization in the request)

You can view the request details in the Key details panel.

  • Scope of the data access (the organization or child organization that contains the data Google staff needs to access)
  • Resource type (Primary data such as Gmail or Drive)
  • Access region (where the data is accessed from)
  • Access duration (5, 15, or 30 days)
  • Access end date (the date and time your data access expires)
  • Status (Pending, Approved, Denied, or Approval Revoked)
  • Request ID (automatically generated)

All actions appear in the Alert history. When you approve, decline, or revoke access, you can enter a justification for the action that will be saved in the history.

Approve or decline an access Approvals request

Admins must have the  Manage Access Approvals requests to approve or decline a request.

The Available action(s) tasks correlate to the request status in Key details.

If the status is Pending, click Respond to:

  • Approve access for 5, 15, or 30 days.
  • Decline this access request.
    Note: Declining a request does not prevent any access that was granted through a previously approved Access Approvals request.
  • Add an explanation for your response. 

If the request status is Expired, no action is available.

Revoke approval

If the request status in Key details is Approved and the access period has not expired, admins can revoke access.

  1. View an approved request and click Revoke this Approval.
  2. In the form, enter an explanation and click Revoke this Approval.

Note: Revoking access to an approved request does not prevent any access that was granted through another previously approved Access Approvals request that covers the same scope.

Review responses to Access Approvals requests

You can use the audit and investigation or the security investigation tool to review past responses to Access Approvals requests.

Note: Your access to the security investigation tool depends on your Google Workspace edition, the data source for your search, and your administrative privileges. For more information, see Data sources for the security investigation tool.

To search in the security investigation tool:

  1. Sign in to the Google Admin console at admin.google.com with your Google Workspace administrator account.
  2. Go to Menu ""  Security and then Security center and then Investigation tool.
  3. Click Data source, and select Admin log events.
  4. Click Add Condition.
  5. Click Attribute, then select Event
  6. After the operator, click Event, enter a text search for Access Approvals, and select Access Approvals admin action.
  7. Click Search.
  8. Review the search results. The Description column displays past responses to Access Approvals requests in your organization—whether or not they were approved or declined. The Actor column displays the admin assigned to this request in the Access Alert Details.

For more details about using the security investigation tool to review past Admin log events, go to Admin log events: Security investigation tool.

To search from the Audit and investigation page:

  1. Sign in to the Google Admin console at admin.google.com with your Google Workspace administrator account.
  2. Go to Menu ""Reporting and then Audit and investigation and then Admin log events.
  3. Click Add a filter, and then select Event.
    1. From the Event list select Access Approvals admin action.
    2. Click Apply.
    3. Click Search.
  4. Review the search results in the table at the bottom of the page.
    The Description column displays the status of the Access Approvals requests in your organization—whether or not they were approved or declined.

For more details about using the audit and investigation page to review past Admin log events, go to Admin log events: Audit and investigation page.

Manage Access Approvals emails

Admins can be alerted to new pending Access Approvals requests via email. You can configure the email notification in the Access Approvals request rule.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
6232240141279716159
true
Search Help Center
true
true
true
true
true
73010
false
false