Google Vault is accessed by signing in at vault.google.com with a Google Workspace account that has the right license and permissions. It’s not a standalone product you can purchase separately. Vault comes included with Google Workspace Business and Enterprise editions at no extra cost, and only users who have been granted specific admin privileges can log in and work with its data retention, search, and export tools.
What You Need Before Signing In
Two things must be in place before you can access Google Vault: your organization needs an eligible Google Workspace plan, and your account needs Vault-specific privileges assigned by an administrator.
Vault is included with Google Workspace Business and Enterprise editions. If your organization uses a plan that doesn’t include Vault, you won’t be able to sign in regardless of your role. Regular end users on any plan can’t access Vault on their own either. There’s no self-service portal where individual employees can browse their own archived emails or files. All access flows through admin-granted privileges.
How to Sign In
Go to vault.google.com in any web browser. You’ll be prompted to sign in with your Google Workspace email address and password, the same credentials you use for Gmail, Google Drive, and other Workspace apps. After entering your email and clicking Next, type your password and click Next again. If your organization uses two-factor authentication, you’ll complete that step as usual.
Once authenticated, you’ll land on the Vault dashboard where you can view matters, run searches, manage holds, and export data, depending on which privileges your account has been granted.
Vault Privileges and What They Allow
Vault uses a permission system separate from the standard Google Workspace admin roles. A super admin or another administrator creates a custom admin role with one or more Vault-specific privileges, then assigns that role to the appropriate users. Here are the key privileges and what each one lets you do:
- Manage Searches: Search organizational data, preview the contents of messages and files in results, count results, and save or delete search queries. This is the core privilege for investigating or reviewing retained data.
- Manage Exports: View, download, and delete exports. On its own, this privilege only lets you work with exports others have created. To actually create a new export, you need both Manage Exports and Manage Searches.
- Manage Matters: Create, share, close, reopen, and delete matters (a “matter” is essentially a case or project folder that organizes your searches, holds, and exports). You must also have at least one other privilege, such as Manage Searches or Manage Holds, to open and work within a matter.
- View All Matters: See every matter across the entire organization, not just matters you created or that were shared with you. Without this privilege, you only see your own matters.
These privileges can also be scoped to specific organizational units. For example, an HR manager could be granted Manage Searches restricted to only the HR department’s accounts and shared drives, preventing them from searching data belonging to other teams.
Common Permission Combinations
If someone only needs to search and preview data without downloading anything, assign just Manage Searches. If they need full search-and-export capability, assign both Manage Searches and Manage Exports. For someone who should only download exports that others have prepared, Manage Exports alone is sufficient.
How an Admin Grants Vault Access
If you’re the Google Workspace administrator setting this up for someone else, here’s the process. Open the Google Admin console at admin.google.com. Navigate to the admin roles section, where you can either create a new custom role or edit an existing one. Check the boxes for whichever Vault privileges the user needs, save the role, then assign it to the user’s account. The user can then sign in at vault.google.com with their regular credentials.
If you’re not an admin and you need access, you’ll need to request it from whoever manages your organization’s Google Workspace account. Let them know specifically what you need to do in Vault (search, export, manage holds) so they can assign the right combination of privileges.
Fixing “Access Denied” Errors
The most common reason for being locked out of Vault, even with the correct login credentials, is a licensing gap. Vault administrators who don’t have a Vault license assigned to their own account may be unable to sign in at vault.google.com, even if they have all the right privileges.
If you’re running into this issue, there’s a workaround. Have your Google Workspace administrator toggle the Vault service off and back on:
- In the Admin console, go to Menu, then Apps, then Google Workspace, then Service status.
- Click Google Vault and note the current setting (whether it’s on for everyone or only certain groups).
- Set the status to OFF for everyone, then save.
- Turn it back on for the same groups and organizational units that had access before.
This reset doesn’t affect any existing holds or retention policies. Data stays preserved as long as users have licenses that support Vault. Changes typically take effect within minutes, though Google notes it can take up to 24 hours.
Other common causes of access problems include signing in with a personal Gmail account instead of your Workspace account, or trying to access Vault on a Workspace plan that doesn’t include it. Double-check that you’re using your organizational email address and that your plan is a Business or Enterprise edition.
What Regular Employees Can and Cannot Do
Standard Google Workspace users without Vault privileges cannot access Vault at all. There is no read-only mode for employees to view their own archived messages or files through the Vault interface. If an employee needs access to data that’s been retained in Vault, an administrator or someone with the appropriate Vault privileges must run the search and either share the matter with them or export the results.
This design is intentional. Vault is built for compliance officers, legal teams, and IT administrators who need to manage data retention, place litigation holds, and conduct eDiscovery across the organization. Keeping access restricted ensures that sensitive archived data isn’t broadly visible to everyone in the company.