* Navigate to Admin Roles: Go to the Google Admin console and navigate to the 'Admin roles' section.
* Create Admin Roles: Create three separate admin roles:
* Chief Legal Executive: Assign reporting privileges only.
* Legal Audit Manager: Assign full Vault privileges.
* Data Reviewer: Assign searching privileges.
* Assign Roles to Users: Assign the created roles to the respective users (Chief Legal Executive, Legal Audit Manager, Data Reviewer).
* Set Up Google Vault Access: Ensure the Google Vault service is turned on for these users by navigating to 'Apps' > 'Google Workspace' > 'Google Vault' and verifying that the service is enabled for their organizational unit.
References
* Manage admin roles
* Google Vault permissions

* Subscribe to the Google Workspace Release Calendar:
* Go to the Google Workspace Updates blog at https://workspaceupdates.googleblog.com/.
* Click on "Subscribe to updates" to get real-time notifications about new features, updates, and changes in Google Workspace.
* This will ensure you and your team are informed about the latest security and collaboration features as they are announced.
* Join the Google Cloud Connect Community:
* Visit the Google Cloud Connect Community at https://cloudconnectcommunity.google/.
* Join the community to engage with other Google Workspace administrators and users.
* Participate in discussions, ask questions, and stay informed about best practices, upcoming features, and insights directly from Google Workspace experts and peers.
References
* Google Workspace Updates Blog
* Google Cloud Connect Community

* Access Admin Console: Log into your Google Workspace Admin Console.
* Disable Guest Mode and Public Sessions: Navigate to Devices > Chrome > Settings. Disable Guest Mode and Public Sessions to prevent unauthorized users from accessing the device.
* Restrict Sign-In: Go to Device Settings > User & Browser Settings.
* Configure Device Policy: Enable the policy "Restrict Sign-In to List of Users."
* Add Employee Email: Add the specific employee's email address to the list of allowed users. This ensures only the specified employee can sign in to the device.
References
* Google Support: Configure Chrome devices

* Change the password for the suspected compromised account:
* Sign in to the Google Admin console.
* From the Admin console Home page, go to "Users."
* Find and select the account "[email protected]."
* Click on "Security" and then "Password."
* Follow the instructions to change the password.
* Configure a Sender Policy Framework (SPF) record for your domain:
* Log in to your domain host (e.g., GoDaddy, Bluehost).
* Locate the page for updating your domain's DNS records.
* Add a new TXT record for your domain with the SPF rule, typically something like:
v=spf1 include:_spf.google.com ~all
* Save the changes to update the DNS records.
Changing the password helps secure the compromised account, while configuring SPF helps prevent email spoofing, ensuring that fake emails are less likely to be delivered as though they come from your legitimate email address.
References:
* Google Workspace Admin Help - Change or reset a user's password
* Google Workspace Admin Help - Set up SPF records

When developing the application in App Maker, define roles that correspond to the different levels of access needed by users.
Use scripts to control access to data based on user roles. This ensures that only authorized users can perform certain operations.
Set the owner access permissions appropriately to ensure that data can only be accessed or modified by those with the necessary permissions.
Regularly review and update roles and permissions to adapt to any changes in the organization or the application's usage.
Implementing these security measures ensures that data in your internal application is accessed and managed securely, mitigating risks associated with unauthorized access.
Reference:
Google Workspace Admin Help - App Maker Security