Customize service settings with configuration groups

Supported editions for this feature: Business Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Business; Essentials.  Compare your edition

You can apply service settings to a group of users, rather than an entire organizational unit. This approach lets you customize settings for specific users without changing your organizational structure. Use groups to configure settings for:
 
Services Administrator features

 * Available only with certain editions of Google Workspace

Using configurations groups for service settings

With configuration groups, you can customize service settings for a group of users. For example, you can let a group approve YouTube videos or a team share Google Drive files with people outside of your organization.

Configuration groups can include users from any organizational unit in your account. You can create a group or use an existing group in your account, such as staff@example.com.

Typically, you apply service settings to organizational units and then make exceptions for some users. For example, you can restrict YouTube content for everyone in your account, but let some groups view all videos or approve videos.

Configuration setting example for YouTube

How configuration groups work

  • Configuration groups can contain any users in your organization. Also, you can add your groups (nested groups).
  • A user’s group settings always override their organizational unit's settings.
  • A user can belong to multiple configuration groups, unlike organizational units. You set the priority of configuration groups, and the user gets the setting of the highest priority group they belong to.

Requirements

  • Create your configuration groups in the Google Admin console, Google Cloud Directory Sync, or Directory API. Learn more
  • Dynamic groups require the security label to be used as configuration groups. Learn more
  • Groups created in Google Groups can't be used as configuration groups
  • You can set up and apply configuration groups only in the Admin console, not APIs.

To get started, skip below to Set up configuration groups.

Managing large numbers of users or policies

Information for admins who manage a medium to large organization or anyone interested in configuration groups.

Open all | Close all


Options for configurations groups

Before you create or apply configuration groups, you typically map your user groups to their settings. For example, these user groups have different permissions for sharing Drive files.

  Drive sharing permissions
User group Share with
any domain
Share with
trusted domains
Share
only internally
Sales Managers    
Sales Team    
Sales Operations    

 

Next, you can use configuration groups based on your user groups, user settings, or a combination that fits your organization.

Option 1: Use configuration groups based on user groups

Use your user groups as configuration groups. Then customize settings for each configuration group. If a user belongs to multiple groups, you set which group determines the user's settings (described later in Setting priority).

For example, with Drive settings, you can let specific user groups share files externally.

Image of applying setting to groups

Applying settings directly to user groups is a good option for:

  • Organizations with fewer than 50 users or a small number of settings
    (You don't need to create more groups, and you can fine-tune settings for each user group.)
  • Testing a service setting
  • Apps that a specific group of users use
  • Dynamic groups, which automatically manage group membership by user attributes, such as location or role.

Option 2: Create configuration groups based on user settings

If you manage many settings or users, you might create groups for different levels of settings.

For example, create a configuration group for each level of Drive sharing permissions. Then, add your user groups as members of the configuration group.

Drive settings by configuration group

The configuration group acts as a container for settings. You typically have fewer configuration groups to manage and prioritize (described below). Also, you can use the Groups API or Directory Sync to manage user and group membership.

Setting priority for configuration groups

When a user belongs to multiple configuration groups, you set which configuration group has priority in determining the user’s setting.

In the Admin console, groups are listed from highest to lowest priority. The user gets the settings of the highest priority group they belong to.

You change the priority of a configuration group by moving the group up or down in the Groups list. Setting priority order is available only in the Admin console and not any of the APIs.


Groups panel

 

How priority works

When a user belongs to multiple groups, they get the settings of their highest priority group. In this example, a sales manager belongs to 3 user groups. Each group has a different setting for Directory Profile editing. 

With the configuration groups in this priority order, Sales managers can edit their name and location in their Directory profiles.

Mapping of configuration groups to member

If the Edit location group is the highest priority, sales managers can edit only their location and Regional sales can edit their name and location.

Changing group priority

User settings and multiple groups

Settings aren't added across a user's groups. In this example, a marketing manager belongs to 3 groups, but gets the settings only of the highest priority group. They can edit their name and location, but not their photo.

User belonging to multiple groups

Ordering groups

For Drive settings, changing group priorities or membership can affect file sharing and access.

For example, if you transfer ownership of a file to a user in another configuration group, the file's sharing permissions change to the permissions of the new group.

To track priority and settings:

  • Consider priority in your group structure and watch for deeply nested groups, which might be challenging to trace to settings. 
  • When you order your configuration groups, consider placing the group that applies to the fewest people as the highest priority.


Configuration groups

Planning and designing configuration groups

Planning your configuration group structure is likely the step that takes the most time and review.

Mapping your service settings

You might review your organizational units for settings that you want to manage with groups. If you already use a roles-based or teams approach to settings, you can use groups in the same way.

Policies with roles and teams

If your account has multiple editions of Google Workspace:

  • The configuration group settings apply only to users who have access to the feature or service. 
  • Depending on your edition, some Drive settings apply to your entire organization. You can use configuration groups to customize Drive settings for other users.

Setting naming standards

Choose a group naming standard for easier management and auditing. For example, use a standard that includes the setting name and priority number. The Groups list shows up to 37 characters of a group name. Pointing to a group shows the full name.

YouTube_1_approvers
YouTube_2_access_unrestricted
YouTube_3_access_moderate
YouTube_4_access_strict

If you manage many types of groups, you might add a prefix such as "cf" to indicate a configuration group. Also, use a decimal place to avoid editing your existing group names when you add a configuration group.

cf_Drive_p1.0_SHARE_any
cf_Drive_p2.0_SHARE_trusted
cf_Drive_p2.1_SHARE_trusted_access_external
cf_Drive_p3.0_SHARE_internal

Creating groups

Use groups created in the Admin console, Directory API, or Google Cloud Directory Sync. Groups created in Google Groups can't be used as configuration groups. (The Admin console doesn’t show whether a group is created in Google Groups.)

You can manage the configuration group in any tool. You might set strict permissions for adding or deleting users, posting to the group, or preventing users from leaving the group (available only in the Groups API).

Set up configuration groups

Open all | Close all


Step 1. Apply the configuration group

For this step, you need admin privileges for Groups, Organizational Units (top-level), and Service Settings.​

Before you start: Choose your group. You can use an existing group or create a group. 

Only user groups created in the Admin console, Google Groups for Business, Directory API, or Google Cloud Directory Sync can be used as configuration groups. You can't use groups created in Google Groups.

  1. In the Admin console, go to the settings page for the app.
  2. Click the settings you want to edit.
    For example, here are the YouTube settings for your top-level organization:

    YouTube settings for organization
  3. On the left, click Groups.
    Any existing configuration groups are listed in order of priority.
  4. Click Search for a group. Enter a group address (not group name) and then select the group.
    • Start by adding your configuration groups from highest to lowest priority. When you add a new group, place it at the lowest priority.
    • If you don’t find your group, it might have been created in Google Groups or it's a dynamic groups that's missing the security label. 
  5. Choose the settings for your configuration group.
    By default, a new group has the settings of your top-level organizational unit. 

    YouTube settings for a group
     

    For organizations with multiple types of licenses: If you have licenses for an edition that doesn't include a certain setting, a Flag Flag image for multiple licenses appears next to the settings for a group. This flag appears whether or not the group contains users who don't have the required license.

  6. Turn on or off the configuration group.
    • On—Click Save.
      The settings apply to the configuration group’s members. To close the panel, click Cancel.
    • Off—In the Groups panel, click Unset or Remove "" (clicking Cancel won't remove the group).   
  7. Adjust the priority of the group by dragging the group up or down. Changes typically take effect in minutes, but can take up to 24 hours.
    • To set a group as priority 1—Drag your desired group up to priority 2, then drag the current priority 1 below. You can also enter a number in the priority box or click the arrows next to the priority box.
    • If you have fewer than 4 groups—If you reorder groups containing the same users, those users get the setting of their highest priority group. You might get this alert:

      “More than one policy may be linked to the same users..."

      This general alert appears if you add, unset, or change the priority of any configuration group, even if the groups don’t contain the same users.
Step 2. Check the settings for a user

Before you begin: You need admin privileges for Groups, Organizational Units (top-level), and Service Settings.

  1. In the Admin console, go to the settings page for the app. 
  2. In the top left, click Users.
  3. Click Select a user and search for the user’s address (not name).
  4. Select the user to view their settings. Below the name of the setting, you can click the configuration group or organization unit that determined the user's settings.


Profile information

Note: If you check the user's organizational unit, the service setting won't show as Overridden. The settings, Overridden and Inherited, are based only on an organizational unit's setting, not on configuration groups.

Troubleshooting

I can't find the Groups list

  • The configuration groups feature might not be available for a service. Check the list in the above table.
  • For Drive and Data regions settings, your edition of Google Workspace might not support configuration groups. 

I don’t see my configuration group in the Groups list

  • The group has possibly been created in Google Groups. Try creating a group in the Admin console.
  • The group might be a dynamic group that needs the security label. Learn more 
  • Check that you have admin privileges for Groups.
  • You might be using a group alias instead of the group name. 
  • Try refreshing the setting page. Changes typically take effect in minutes, but can take up to 24 hours.
  • Search for the group's email address rather than the group's name.

A user doesn't have the correct service settings

  • Check a user’s group membership. It can take up to 24 hours before the group settings take effect.
  • Find the configuration group that's determining the user's settings. If the user belongs to multiple configuration groups, you might need to change the group priority or user's group membership.
  • The user might not have the product license for the feature. Some features are available only with certain editions.
Review changes in the Audit log

The event Application Setting Group Priorities Change logs when you apply a configuration group or change order of priority. The event uses the group name rather than the group address. You might want to use a similar naming standard for both your group name and addresses.

For example, you apply the group Link anyone to the Drive Link Sharing setting. 

Application Setting Group Priorities Change
For Drive and Docs, group override priorities for Link Sharing 
changed to Link anyone

When you change the priority of groups, the event lists the groups in their new order, from lowest to highest priority.

Application Setting Group Priorities Change
For Drive and Docs, group override priorities for Link Sharing 
changed to No Links < Link users < Link anyone

Most other events use a similar format for both organizational units and configuration groups. The prefix, group_email, identifies a configuration group.

For example, overriding settings with an organizational unit:

Drive Setting Change
PUBLISHING_TO_WEB for Drive changed from INHERIT_FROM_PARENT to PUBLIC 
(org_unit_name: { Marketing}

Applying settings with a configuration group:

Drive Setting Change
PUBLISHING_TO_WEB for Drive changed from INHERIT_FROM_PARENT to PUBLIC 
(org_unit_name: {example.com}, group_email: {Drive_p02_share_external@example.com})

For events with configuration groups, your top-level organizational unit is listed as the org_unit_name.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false