As an administrator, you can grant access to sensitive information and resources using security groups. You can make any group a security group. These groups appear with the Security label in the Groups list.
When to use security groups
Mark a group as a security group to:
- Prevent external or nonsecurity groups from joining—Only a security group in the same organization can join another security group.
- Ensure that member groups only include members allowed by the parent—A group joining a security group must have the same or more restrictive membership permissions.
- Apply security policies to a group—We recommend making any group that you apply policies to a security group. However, to enforce policies using a dynamic group, you must make it a security group. For details, on this page, see Automate security policies using dynamic security groups.
- Disable the option to allow all organization users to automatically join the group—Security group membership is limited to the users, service accounts, and security groups you permit.
Create a security group
You can create a group as a security group.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
Directory
Groups.
- Click Create group.
- Enter the group information
check the Security box
click Next.
- Fill out the access settings
click Next.
- Enter the security settings
click Create Group.
- Click Done.
For details on entering group information and settings, see Create a group.
Change a group into a security group
After you add a Security label to a group, it takes on the qualities of a security group. This process adds security features but doesn’t remove any other features of the original group. This action is permanent.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
Directory
Groups.
- Click on the group name
Group Information
Labels.
- Check the Security box.
- Click Save.
Automate security policies using dynamic security groups
You can enforce policies using dynamic groups by first adding a security label to them.
For example, you might set policies for everyone at your company who works in a specific geographic location.
- Create a dynamic group of everyone with that location in their user profiles.
As employees move and change their location in their profile, the system automatically adds or removes them from the dynamic group. - Add a security label to the dynamic group.
Doing so allows you to apply policies to dynamic groups. - Create a policy and choose which policies take precedence by following the steps in Customize service settings with configuration groups.