Control access to apps based on user and device context

Assign Context-Aware access levels to apps

After you create access levels, you’re ready to assign them to apps. Access levels define the context within which users can access apps. You can define user context such as user identity, device security status, IP address, and geographical location.

Ensure a smooth transition to Context-Aware Access policies

Review and follow the best practices for rolling out Context-Aware Access policies. Do this before limiting access to apps by assigning access levels.

Assign Context-Aware access levels

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit (to set by department) or a configuration group (to set for users across or within departments).

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Context-Aware Access.

    To see Security on the Home page, you might have to click More controls at the bottom.
  3. Click Assign, then Assign access levels. You see a list of apps.
  4. On the left, select an organizational unit or group. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

  5. Find the app you want and on the right, click Assign.

    To assign the same access levels to multiple apps at once, check the boxes next to the apps and click Assign at the top of the list.

    You see a list of all access levels. Access levels are a shared resource between Google Workspace, Cloud Identity, and Google Cloud Platform so you might see access levels you didn’t create in the list.

  6. Select one or more access levels for the app.

    Users are granted access to the app when they meet the conditions specified in just one of the access levels you select (it’s a logical OR of the access levels in the list). If you want users to meet the conditions in more than one access level (a logical AND of access levels), create an access level that contains multiple access levels.

    Note for mobile apps: For integrated Gmail (which contains Gmail, Google Chat, and Google Meet), you can grant or deny access to all 3 services at once. Integrated Gmail is set up when you turn on Meet and Chat for Gmail. For details on integrated Gmail, go to Set up integrated Gmail for your organization. If Google Chat and Google Meet are implemented as separate apps (not as part of integrated Gmail), you need to grant or deny access to those apps separately.

  7. To apply the access levels to users of desktop, Android, and iOS apps (as well as web apps), check the Apply to Google desktop and mobile apps box. This option applies to Native apps only.

    From a security standpoint, we recommend that you check this box whenever you assign access levels to apps, and that you always deploy Endpoint verification.

    The following table summarizes the behavior based on whether you check the Apply to Google desktop and mobile apps box and whether you deploy Endpoint verification. The rows marked (recommended) show the recommended settings.

    Key terms for this table:

    • Access level applied: Access is granted based on the access levels you set up in Context-Aware Access configuration.
    • Access allowed: Context-Aware Access is not applied and all access is allowed.
    • Access blocked: Access is blocked because Context-Aware Access isn't configured, or you don't have Endpoint verification turned on.

    | Access level | CAA enabled (Apply to Google desktop and mobile apps box) | Mobile native | Mobile web | Desktop web | Desktop native | Endpoint verification deployed? |
    |---|---|---|---|---|---|---|
    | Only IP/Geo attributes | Checked (recommended) | Access level applied | Access level applied | Access level applied | Access level applied | Not required |
    | Only IP/Geo attributes | Not checked | Access allowed | Access level applied | Access level applied | Access allowed | Not required |
    | Device attributes | Checked (recommended) | Access level applied | Access level applied | Access level applied | Access level applied | Yes |
    | Device attributes | Checked | Access level applied | Access level applied | Access blocked | Access blocked | No |
    | Device attributes | Not checked | Access allowed | Access level applied | Access level applied | Access allowed | Yes |
    | Device attributes | Not checked | Access allowed | Access level applied | Access blocked | Access allowed | No |
  8. Click Save. If a user meets the conditions in at least one of the selected access levels, the user can access the app. The access level name displays in the assigned access levels list next to the app.

Access levels are a shared resource

Access levels are shared across Google Workspace, Cloud Identity, and Google Cloud Platform. Admins can create access levels through the Admin console, Google Cloud Platform (the console and API), and the Google Cloud SDK.

Because access levels are shared across platforms, you might see items like these in the assigned access levels list:

  • Access levels you didn’t create
  • Access levels marked as “deleted” that you didn’t delete

Delete and unassign access levels

Because access levels are a shared resource, they can be deleted in the Admin console or another platform. If you delete an access level in the Admin console, the access level is marked as deleted and all app assignments that were created in the Admin console for that access level are removed (unassigned).

If an access level is deleted on another platform, the access level is marked as deleted. However, the access level is still assigned to apps and access to those apps is blocked. If you see deleted access levels, remove (unassign) them to unblock access.

To delete access levels, you need specific admin privileges.

Remove deleted access levels for all apps

This is the most efficient way to remove deleted access levels and unblock apps.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Context-Aware Access.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. On the top right, click Unassign Access Levels. When prompted, confirm by clicking Unassign Access Levels again.
    The system removes deleted access levels from all apps. No apps are blocked.

Remove deleted access levels assigned to 1 app

If you want to see which apps are blocked because of deleted access levels, use this procedure. You’ll need to remove deleted access levels one app at a time from each organizational unit and configuration group.

For example, you might have a deleted access level at the top-level organization, 3 deleted access levels in a child organization, and 2 deleted access levels in a configuration group. If you remove the deleted access level from the top-level organization, you still need to remove the deleted access levels from the child organization and the configuration group.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Context-Aware Access.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Assign, then Assign access levels.
    You see a list of apps.
  4. Select an organizational unit. You see a list of apps and the access levels that are assigned to each one. Apps with one or more deleted access levels have a red triangle in the box next to the app name.
  5. Point to one of the apps with a deleted access level.
  6. On the right side of the app row, click Assign. You see a list of access levels. Access levels that are assigned to the app are checked. Deleted access levels are shown in red text and marked as deleted.
  7. Click Save to remove the deleted access levels from the app. The app is no longer blocked and deleted access levels no longer appear in the assigned access levels list.
  8. If needed, remove the app from any configuration groups.

How inheritance works in Context-Aware Access

If you make any local access level changes in a child organization, it has only the locally applied access levels and doesn’t inherit any access levels from the parent organization.

For example, if there are 3 access levels assigned to an app in the top-level organization, those same access levels are assigned through inheritance to the app in a child organization. If you then add an access level only in the child organization, that’s the only access level applied to the child organization.

If you make local access level changes

Local access level changes override any inherited access levels.
  • Add originally inherited access levels to the child organization by reassigning (reselecting) them in the child organization. Now the child organization has both local access level changes and access levels that were originally inherited.
  • Remove all locally assigned access levels to restore the originally inherited access levels. Now the child organization has only the originally inherited access levels.

Override inherited access level assignments with a null policy

Let’s say you don’t want to block any user access in a child organization—no access level assignments. Create an access level called “Any” with 2 IP subnet conditions and join the conditions with OR:
  • IPv4 subnet range 0.0.0.0/0
    or
  • IPv6 subnet range 0::/0
A user in the organization gets access from any IPv4 or IPv6 address.

Override access level assignments with configuration groups

You can use configuration groups to assign access levels to groups of users rather than organizational units. A user's group access level always overrides the user's organizational unit access level. The groups can include users from any organizational unit in your account. Learn how to use configuration groups.
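The following is an added example, not Google's code and not the Admin console's implementation: a toy evaluator that models the decision rules stated on this page so you can see how they interact. It covers the logical OR across the access levels assigned to an app (and nesting to get an AND), the "Any" null policy built from the 0.0.0.0/0 and 0::/0 subnets, a child organizational unit's local assignment replacing the inherited one, a configuration group overriding the organizational unit, and an access level deleted on another platform still blocking the app. The condition attributes (ip_subnetworks, regions, a single require_encryption device attribute), the sample levels, the organizational unit paths and the group names are all constructed; the order in which a user's groups are consulted is an assumption, since the page does not say what happens when a user is in several groups.

```python
# Added example (not Google's code): a toy model of the Context-Aware Access
# decision rules described on this page. Sample data and names are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Condition:
    """One condition of an access level; every attribute set on it must hold."""
    ip_subnetworks: list = field(default_factory=list)          # CIDR strings
    regions: list = field(default_factory=list)                 # country codes (constructed)
    require_encryption: bool = False                            # stand-in for one device attribute
    required_access_levels: list = field(default_factory=list)  # names of nested levels


@dataclass
class AccessLevel:
    name: str
    conditions: list
    combine: str = "AND"     # how the conditions inside this level are combined
    deleted: bool = False    # marked deleted on another platform but still assigned


@dataclass
class Context:
    ip: str
    region: str
    disk_encrypted: bool


def condition_matches(cond: Condition, ctx: Context, levels: dict) -> bool:
    if cond.ip_subnetworks:
        addr = ipaddress.ip_address(ctx.ip)
        # an IPv4 address is never "in" an IPv6 network and vice versa
        if not any(addr in ipaddress.ip_network(n) for n in cond.ip_subnetworks):
            return False
    if cond.regions and ctx.region not in cond.regions:
        return False
    if cond.require_encryption and not ctx.disk_encrypted:
        return False
    # nesting other levels inside a condition is how an AND of whole levels is expressed
    return all(level_matches(levels[r], ctx, levels) for r in cond.required_access_levels)


def level_matches(level: AccessLevel, ctx: Context, levels: dict) -> bool:
    results = [condition_matches(c, ctx, levels) for c in level.conditions]
    return all(results) if level.combine == "AND" else any(results)


def access_granted(assigned: list, ctx: Context, levels: dict) -> bool:
    if not assigned:                      # nothing assigned: CAA not applied, access allowed
        return True
    if any(levels[n].deleted for n in assigned):
        return False                      # a deleted-but-still-assigned level blocks the app
    # meeting just one of the assigned levels is enough: a logical OR over the list
    return any(level_matches(levels[n], ctx, levels) for n in assigned)


def effective_assignment(app, ou_path, groups, ou_assignments, group_assignments):
    """Group assignment overrides the organizational unit; a local OU assignment
    replaces (does not merge with) what would be inherited from the parent.
    Consulting groups in the given order is an assumption."""
    for g in groups:
        if (g, app) in group_assignments:
            return group_assignments[(g, app)]
    for ou in reversed(ou_path):          # nearest organizational unit first
        if (ou, app) in ou_assignments:
            return ou_assignments[(ou, app)]
    return []


# Constructed sample data
LEVELS = {
    "corp_ip": AccessLevel("corp_ip", [Condition(ip_subnetworks=["10.0.0.0/8"])]),
    "encrypted_device": AccessLevel("encrypted_device", [Condition(require_encryption=True)]),
    "corp_ip_and_encrypted": AccessLevel(
        "corp_ip_and_encrypted",
        [Condition(required_access_levels=["corp_ip", "encrypted_device"])]),
    # the "Any" null policy from the page: IPv4 0.0.0.0/0 OR IPv6 0::/0
    "any": AccessLevel("any", [Condition(ip_subnetworks=["0.0.0.0/0"]),
                               Condition(ip_subnetworks=["0::/0"])], combine="OR"),
    "stale": AccessLevel("stale", [Condition(ip_subnetworks=["10.0.0.0/8"])], deleted=True),
}
OU_ASSIGNMENTS = {
    ("/", "Drive"): ["corp_ip", "encrypted_device"],        # top level: either is enough
    ("/Contractors", "Drive"): ["corp_ip_and_encrypted"],   # local override: both required
    ("/", "Chat"): ["stale"],                                # deleted elsewhere, still assigned
}
GROUP_ASSIGNMENTS = {("executives", "Drive"): ["any"]}


def check(app, ou_path, groups, ctx):
    assigned = effective_assignment(app, ou_path, groups, OU_ASSIGNMENTS, GROUP_ASSIGNMENTS)
    return access_granted(assigned, ctx, LEVELS)


if __name__ == "__main__":
    home = Context("198.51.100.7", "US", disk_encrypted=False)
    print(check("Drive", ["/"], [], home))   # neither corp IP nor encrypted: False
```

Two behaviors worth noticing when you run it: a contractor on the corporate network with an unencrypted disk is denied because the child organizational unit's single nested level demands both attributes, while a top-level user in the same situation is allowed; and the Chat app is blocked for everyone at the top level solely because a deleted access level is still assigned to it, which is the state the "Remove deleted access levels" procedures above exist to clear.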
