Multi-party approval for sensitive actions

Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition

Multi-party approval protects against malicious actions in the Admin console by requiring that any sensitive settings changes—such as turning 2-Step Verification enforcement on or off—must be approved by another super admin. Once a super admin receives and approves the settings change request, the change is carried out automatically, without any further action needed from the requesting admin.

Multi-party approval is turned on by default for domains with 2 or more super admins. See instructions below on how to turn it on or off.

Once on, Multi-party approval applies to the following settings:

Multi-party approval in Reseller domains

If Multi-party approval is turned on in a resold customer’s domain, and a reseller admin tries to update a sensitive setting, the request for approval is sent to the resold admins only, and only the resold admins can approve or decline the request.

How Multi-party approval works

In this example, Multi-party approval protects the sensitive action of changing 2-Step verification settings.

  1. A Workspace admin navigates to Securityand thenAuthenticationand then2-Step verification settings, and attempts to turn enforcement from ON to OFF.
  2. A pop-up dialog notifies the admin that this action requires review from a Super admin. The requesting admin can optionally enter an explanatory message before sending the request for review.

    Note: If there's already a pending request to change a setting that's waiting for approval, any new request is temporarily blocked until the pending request is resolved. The admin whose request is blocked can view the conflicting request.

  3. The requesting admin gets an email confirmation message that their request has for approval has been submitted.
  4. The approver Super admin receives the email request for approval. and opens a link to the Multi-party approval details page in the Admin console. The details page shows:
    • Who's requesting the change
    • The current setting (before change) and the proposed setting (after change)
    • Options to approve or decline the request
  5. The approver reviews the request details, then either approves or rejects the request.
    • If the request is approved, the change in 2-Step verification settings is carried out automatically, without further action needed from the requesting admin.
    • If the approver takes no action, the request expires in 3 days.
  6. Requester gets an email when the request is approved or rejected, or if the request has expired with no action.

View request details, approve a request, cancel a request

Either the requester or the approver can view pending or past requests on the Multi-party approval list page. Clicking a request in the list displays a details page for that request. On the request details page, requesters can cancel a request, and approvers can approve or reject the request.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Securityand thenAuthenticationand thenMulti-party approval

    You can view all requests, or only your own requests. Request details include the request status, requester’s name, when the request was created, and the setting change being requested.

  3. To view details on a specific request, click in the Action column at left.
    • The requester details page includes an option to cancel the request.
    • The approver details page includes the options to approve or reject the request.
  4. Click Multi-party approval at left to return to the approval list page.

Turn Multi-party approval on or off

Use the multi-party approval setting in Admin console to turn the feature on or off for your domain.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Securityand thenAuthenticationand thenMulti-party approval settings
  3. To turn multi-party approval on, check the Require multi-party approval for sensitive admin actions box. To turn off, uncheck the box.
  4. Click Save.

Note: If multi-party approval is turned off from an on state:

  • Pending requests are active for the normal period of time, until they are approved, requested, or expire.
  • New settings changes that involve sensitive actions will not create multi-party approval requests.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
12643158010728998967
true
Search Help Center
true
true
true
true
true
73010
false
false