Control access to G Suite and Google services with groups

You can turn on G Suite and additional Google services for a group of users rather than an entire organizational unit. This lets you control access for specific users without changing your organizational structure.

If you have fewer than 50 users, you may find it’s simpler to use only organizations to turn on/off services.

In this article:

Use access groups to turn on services

In the Google Admin console, administrators can turn off an organizational unit’s access to Google services. When some users in that organization need a service, such as Google Drive, you move the users to another organization that has Google Drive turned on.

With an access group, you create a group of users and turn on the service for the group. Each member can access the service, even if their organization has the service turned off. If you sync your LDAP directory, access groups offer flexibility within your OU structure.

For example, turn on Google Drive and YouTube for a group of users across your marketing and sales teams. Or give a group of users within your IT organization access to AppMaker. Groups can include users from any organization in your account.

Organizational units With an access group
Organizations have the service turned off An access group has the service turned on
Google Drive is turned off
for Organizations 1 and 2
But a group of users within Organizations
1 and 2 can access Google Drive

Use organizations to configure service settings

Access groups control only whether a service is on for a user. You customize service settings, such as POP/IMAP for Gmail or sharing for Drive, at a user’s organizational unit.

For example, if only certain members of an access group need to share Drive files with customers, move those users to an organization that allows external sharing. No changes are required to the group—all members can use Drive, but their policies are determined by their organization’s settings.

One exception is settings for Directory Profile Editing. You can assign Profile editing permissions to groups of users

How access groups work

  • Groups turn on user access to G Suite core services and Google additional services, such as App Maker and YouTube. Groups can’t turn off user access to a service that’s turned on for an organization.
  • Groups cannot be used to turn on access to Marketplace or SAML apps.
  • An access group can contain users from any organizational unit. Access groups can also contain other access group (nested groups).
  • You must create access groups in the Admin console, Google Cloud Directory Sync, or Directory API. Then you can edit the groups in those tools or Google Groups for Business.

Comparison of groups and organizations

  GROUPS ORGANIZATIONS
Function Turn on services
  • Turn on/off services
  • Configure service settings
Service access Turn service ON for users in the group. Always overrides the organization setting. Turn service ON or OFF for users in the organization.
Services supported
  • G Suite core services
  • Additional Google services (such as YouTube, AdWords)
  • G Suite core services
  • Additional Google services
  • Marketplace apps
  • SAML apps
  • Services without an individual On/Off control

Service settings (e.g. options for Drive sharing)

No. Each group member uses the service settings of their organization.

Exception: Directory Profile Editing settings

Yes
User membership Users from different organizations can belong to a group. Users can belong to multiple groups. A user belongs to a single organization.
Inheritance Yes. Groups within a group get access to the service. Yes. Organizations can inherit or override the parent organization setting.
Automatic user licensing No Yes

Set up an access group

Open all   |   Close all

Step 1. Create the list of users and their organizations

Identify the organization for each user in the group. For services included with G Suite Business and G Suite Enterprise, such as Vault, check that users have licenses assigned.

Step 2: Choose settings for the service

You make the service settings to a user’s organization, not the group or group members. For example, if your access group contains users from different organizational units, you can set Drive external sharing on for one organization and off for another organization.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. Select the organizational unit for a user in the access group.
  5. On the right, click the service.
  6. Make your settings to the service. If needed, repeat for the organizations of the other group members.
Step 3: Create the access group
  1. Create the group or use an existing group.
    You must create the group in the Admin console, Directory API, or Google Cloud Directory Sync. Groups created in Groups for Business can’t be used as access groups. (The Admin console doesn’t show whether a group was created in Groups for Business.)
    Tips:
    • Create a new group dedicated to managing access.

    • Use a naming standard for easier searching. For example, add a prefix such as Access_ or AX to the group name. 

  2. Add users (or other access groups) and set group permissions in either the Admin console or Groups for Business. For example, you may want to turn off posting to the group or add a group owner. You can also use the Groups API, which has additional settings such as preventing users from leaving a group.

Step 4: Turn on the service

For this step, you need admin privileges for Groups, Organizational Units (top-level), and Service Settings.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. In the Groups section, find and select your group:

    Click the Groups list on the left

    • Click Search for a group to view the list of access groups.
    • Search by group address (not group name).
      If you don’t find your group, it may have been created in Groups for Business. Only groups created in the Admin console, Directory API, or Google Cloud Directory Sync can set access to services.
  5. On the right, point at the row for the service.

    Find  the Turn On link next to an app

    • To turn on access, click Turn On.

    • To remove access for the group, click Unset. Now, users get the access setting of their organization. However, if the users belong to any other access group with the service turned on, they continue to have access to the service.

    • To set multiple services, check the box for each service and click Unset or On in the upper right.

Changes typically take effect in minutes, but can take up to 24 hours.

Step 5: Check service access

Check a user in the group

Note: If you check the service status of a user’s organization, it’s Off because the service is turned off for their organization. The service statuses (On, Off, On for some) are based only on an organization’s setting, not access groups.

View the access groups for a service

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. In the top left, click All users in this account.

    Fnd the All users in this account link on the upper  left

  5. Find a service with the status of ON for some. That indicates the service is turned on for a suborganization or access group.
  6. Point at ON for some and click View details.

    Find the View Details link next to the app

  7. You’ll see the service status for all groups and organizations.

    The services status shows on or off

Step 6: Get users started with their service

Tell your users about their new service and share tips, quick start guides, and training

View services for users, groups, and organizations

View a user’s services and groups View the services and organizations that have access groups View the status of a service
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. On the left, select the view.

    Fnd the All users in this account link on the upper  left

Here are the actions and statuses for each view:

View Actions for the service Status for the service
All users in the organization

Turn on for everyone

or

Turn off for everyone (this unsets all access groups)

Status is based on groups and organizations.
  • On for some
  • On for everyone
  • Off for everyone
Groups

On or Unset

  • On
Organizations

On or Off

Status is based only on organizations
  • On for some
  • On
  • Off

Edit access groups

Turn on/unset a service for an access group
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. In the Groups section, select or search for your group.

  5. On the right, point at the row for the service:

    • To turn on access, click Turn On.

    • To remove access for the group, click Unset. Now, users get the access setting of their organization. However, if the users belong to any other access group with the service turned on, they continue to have access.

Turn on/off a service for everyone
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. On the left, click All users in this account.

  5. Point at a service and click More More and select Turn OFF for everyone or Turn ON for everyone.

    • Turn OFF for everyone: unsets access groups (no longer shown as On).

    • Turn ON for everyone: no change to access groups settings.

Manage group membership

When you remove members from an access group or delete an access group, the members no longer have access to services through that group.

 

Troubleshooting

I don’t see access groups on the Apps page
  • The group may have been created in Groups for Business. You can only use access groups created in the Admin console, Directory API, or Google Cloud Directory Sync.
  • Search for the group address rather than the group name.
  • You won’t see groups for Marketplace and SAML apps. Access groups only apply to G Suite core services and Google additional services (such as YouTube).
  • Try refreshing the Apps page. Changes typically take effect in minutes, but can take up to 24 hours.
  • Check that you have admin privileges for Groups.
The user is an access group, but can’t sign in to their service
  • Check a user’s services and group membership. The user may need to wait up to 24 hours before the access group settings take effect.
  • Check that the user has a license assigned for the service (for example, a license for G Suite Business to access Google Vault).
I turned on an access group, but the service status is "OFF" for all organizations

The service status shows whether service is on/off for the organizational unit. It doesn’t indicate whether the organization contains users in an access group. To check an access group’s services settings:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. In the Groups section, find and select your group.

    Click the Groups list on the left

Related topics

Was this article helpful?
How can we improve it?