Control access to G Suite and Google services with groups

You can turn on G Suite and additional Google services for a group of users rather than an entire organizational unit. This lets you control access for specific users without changing your organizational structure.

For example, turn on Google Drive and YouTube for a group of users across your marketing and sales teams. Or let a group of users within your IT team use AppMaker. Groups can include any users in your account.

If you have fewer than 50 users, it might be simpler to use only organizational units to turn on/off services.

In this article:

Turn on services with access groups

In the Admin console, you can turn off an organizational unit’s access to Google services. If some users in that organizational unit need a service, such as Google Drive, you must move the users to organizational unit that has Google Drive turned on.

With an access group, you create a group of users and turn on the service for the group. Each member can access the service, even if their organizational unit has the service turned off. 

Organizational units With an access group
Organizations have the service turned off An access group has the service turned on
Google Drive is turned off
for organizational units 1 and 2
But a group of users within organizational units 
1 and 2 can access Google Drive

How access groups work

  • Groups turn on user access to G Suite core services and Google additional services (such as YouTube). Groups can’t turn off user access to a service that’s turned on for an organizational unit.
     
  • An access group can contain any users or groups within your account. You can use your existing groups, for example, sales@example.com or project-team@example.com.
     
  • Access groups control only whether a service is on for a user. You customize most service settings, such as POP/IMAP for Gmail, at a user’s organizational unit. Currently, you can use groups to customize settings only for some apps. Learn more
     
  • You must create access groups in the Admin console, Google Cloud Directory Sync, or Directory API. Then you can edit the groups in those tools or Google Groups for Business.

Comparison of groups and organizational units

  GROUPS organizational units
Function
  • Turn on/off services
  • Configure service settings
Service access Turn service ON for users in the group. Always overrides the organizational unit's setting. Turn service ON or OFF for users in the organizational unit.
Services supported
  • G Suite core services
  • Additional Google services (such as YouTube, AdWords)
  • G Suite core services
  • Additional Google services
  • Marketplace apps, SAML apps and Services without an individual On/Off control
User membership Users from different organizational units can belong to a group. Users can belong to multiple groups. A user belongs to a single organizational unit.
Inheritance Yes. Groups within a group get access to the service. Yes. organizational units can inherit or override the parent organizational unit setting.
Automatic user licensing No Yes

Set up an access group

Open all   |   Close all

Step 1. Create the list of users and their organizational units

Identify the organizational unit for each user in the group. For services included with G Suite Business and G Suite Enterprise, such as Vault, check that users have licenses assigned.

Step 2: Choose settings for the service

You make the service settings to a user’s organizational unit. For example, if your access group contains users from different organizational units, you can set Google Calendar external sharing on for one organizational unit and off for the other

Currently, you can use groups to customize settings only for AppMaker, Directory Profile editing, Drive, Hangouts Meet, Voice, and YouTube. Learn more

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. Select the organizational unit for a user in the access group.
  5. On the right, click the service.
  6. Make your settings to the service. If needed, repeat for the organizational units of the other group members.
Step 3: Create the access group
  1. Create the access group or use an existing group.
    You must create the group in the Admin console, Directory API, or Google Cloud Directory Sync. Groups created in Groups for Business can’t be used as access groups. (The Admin console doesn’t show whether a group was created in Groups for Business.)
     
  2. Add users (or other groups) to your access group. You might set group permissions, for example, to turn off posting to the group or add a group owner. You can also use the Groups API, which has additional settings such as preventing users from leaving a group.

Step 4: Turn on the service

For this step, you need admin privileges for Groups, Organizational Units (top-level), and Service Settings.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. In the Groups section, find and select your group:

    Click the Groups list on the left

    • Click Search for a group to view the list of access groups.
    • Search by group address (not group name).
      If you don’t find your group, it might have been created in Groups for Business. Use groups created in the Admin console, Directory API, or Google Cloud Directory Sync.
  5. On the right, point at the row for the service.

    Find  the Turn On link next to an app

    • To turn on access, click Turn On.

    • To remove access for the group, click Unset. Now, users get the access setting of their organization. However, if the users belong to any other access group with the service turned on, they continue to have access to the service.

    • To set multiple services, check the box for each service and click Unset or On in the upper right.

Changes typically take effect in minutes, but can take up to 24 hours to propagate to all users.

Step 5: Check service access

Check a user in the group

Note: If you check the service status of a user’s organizational unit, it’s Off because the service is turned off for their organizational unit. The service statuses (On, Off, On for some) are based only on an organizational unit's setting, not access groups.

View the access groups for a service

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. In the top left, click All users in this account.

    Fnd the All users in this account link on the upper  left

  5. Find a service with the status of ON for some. That indicates the service is turned on for an organizational unit or access group.
  6. Point at ON for some and click View details.

    Find the View Details link next to the app

  7. You can review the service status for all groups and organizational units.

    The services status shows on or off

Step 6: Get users started with their service

Tell your users about their new service and share tips, quick start guides, and training

View services for users, groups, and organizational units

View a user’s services and groups View the services and organizational units that have access groups View the status of a service
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. On the left, select the view.

    Fnd the All users in this account link on the upper  left

Here are the actions and statuses for each view:

View Actions for the service Status for the service
All users in this account

Turn on for everyone

or

Turn off for everyone (this unsets all access groups)

Status is based on groups and organizational units.
  • On for some
  • On for everyone
  • Off for everyone
Groups

On or Unset

  • On
Organizational Units

On or Off

Status is based only on organizational units.
  • On for some
  • On
  • Off

Edit access groups

Turn on/unset a service for an access group
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. In the Groups section, select or search for your group.

  5. On the right, point at the row for the service:

    • To turn on access, click Turn On.

    • To remove access for the group, click Unset. Now, users get the access setting of their organizational unit. However, if the users belong to any other access group with the service turned on, they continue to have access.

Turn on/off a service for everyone
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. On the left, click All users in this account.

  5. Point at a service and click More More and select Turn OFF for everyone or Turn ON for everyone.

    • Turn OFF for everyone: unsets access groups (no longer shown as On).

    • Turn ON for everyone: no change to access groups settings.

Manage group membership

When you remove members from an access group or delete an access group, the members no longer have access to services through that group.

Troubleshooting

I don’t see access groups on the Apps page
  • The groupmight have been created in Groups for Business. You can only use access groups created in the Admin console, Directory API, or Google Cloud Directory Sync.
  • Search for the group address rather than the group name.
  • You might be on the pages for Marketplace or SAML apps. Access groups only apply to G Suite core services and Google additional services (such as YouTube).
  • Try refreshing the Apps page. Changes typically take effect in minutes, but can take up to 24 hours.
  • Check that you have admin privileges for Groups.
The user is an access group, but can’t sign in to their service
  • Check a user’s services and group membership. The usermight need to wait up to 24 hours before the access group settings take effect.
  • Check that the user has a license assigned for the service (for example, a license for G Suite Business to access Google Vault).
I turned on an access group, but the service status is "OFF" for all organizational units

The service status shows whether service is on/off for the organizational unit. It doesn’t indicate whether the organizational unit contains users in an access group. To check an access group’s services settings:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps.
  3. Click G Suite or Additional Google services.
  4. In the Groups section, find and select your group.

    Click the Groups list on the left

Related topics

Was this helpful?
How can we improve it?