Control app access based on user and device context

Assign Context-Aware access levels to apps

After you’ve created access levels, you’re ready to assign them to apps. Access levels define the context within which users can access apps. You can define user context such as user identity, device security status, IP address, and geographical location.

Ensure a smooth transition to Context-Aware Access policies

Review and follow the best practices for rolling out Context-Aware Access policies. Do this before limiting access to apps by assigning access levels.

Assign Context-Aware access levels

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Context-Aware Access.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Assign, then Assign access levels.
    You see a list of apps.
  4. On the left, select an organizational unit where you want to apply access levels for an app. To understand how access levels are inherited across organizational units, see How inheritance works with Context-Aware Access.
  5. Find the app you want and on the right, click Assign.
    You see a list of all access levels. Access levels are a shared resource between G Suite, Cloud Identity, and Google Cloud Platform so you might see access levels you didn’t create in the list.
  6. Select one or more access levels for the app.
    Users are granted access to the app when they meet the conditions specified in just one of the access levels you select. (It’s a logical OR of the access levels in the list.)
  7. If you want users to meet the conditions in more than one access level (a logical AND of access levels), create an access level that contains multiple access levels.
  8. Click Save. If a user meets the conditions in at least one of the selected access levels, the user can access the app. The access level name displays in the assigned access levels list next to the app.

Access levels are a shared resource

Access levels are shared across G Suite, Cloud Identity, and Google Cloud Platform. Admins can create access levels through the G Suite Admin console, Google Cloud Platform (the console and API), and the Google Cloud SDK.

Because access levels are shared across platforms, you might see items like these in the assigned access levels list:

  • Access levels you didn’t create
  • Access levels marked as “deleted” that you didn’t delete

Deleted access levels block access to apps

Access levels marked as deleted are still assigned to apps but access to those apps is blocked. If you see deleted access levels, remove (unassign) them to unblock access.

Remove deleted access levels for all apps

This is the most efficient way to remove deleted access levels and unblock apps.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Context-Aware Access.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. On the top right, click Unassign Access Levels. When prompted, confirm by clicking Unassign Access Levels again.
    The system removes deleted access levels from all apps. No apps are blocked.

Remove deleted access levels assigned to 1 app

If you want to see which apps are blocked because of deleted access levels, use this procedure. You’ll need to remove deleted access levels one app at a time from each organizational unit.

For example, you might have a deleted access level at the top-level organization and 3 deleted access levels in a child organization. If you remove the deleted access level from the top-level organization, you still need to remove the 3 deleted access levels from the child organization.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Context-Aware Access.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Assign, then Assign access levels.
    You see a list of apps.
  4. Select an organizational unit. You see a list of apps and the access levels that are assigned to each one. Apps with one or more deleted access levels have a red triangle in the box next to the app name.
  5. Hover over one of the apps with a deleted access level.
  6. On the right side of the app row, click Assign. You see a list of access levels. Access levels that are assigned to the app are checked. Deleted access levels are shown in red text and marked as deleted.
  7. Click Save to remove the deleted access levels from the app. The app is no longer blocked and deleted access levels no longer appear in the assigned access levels list.

How inheritance works in Context-Aware Access

If you make any local access level changes in a child organization, that child organization has only the locally applied access levels and doesn’t inherit any access levels from the parent organization.

For example, if there are 3 access levels assigned to an app in the top-level organization, those same access levels are assigned through inheritance to the app in a child organization. If you then add an access level only in the child organization, that’s the only access level applied to the child organization.

If you make local access level changes

Local access level changes override any inherited access levels.
  • Add originally inherited access levels to the child organization by reassigning (reselecting) them in the child organization. Now the child organization has both local access level changes and access levels that were originally inherited.
  • Remove all locally assigned access levels to restore the originally inherited access levels. Now the child organization has only the originally inherited access levels.

Override inherited access level assignments with a null policy

Let’s say you don’t want to block any user access in a child organization—no access level assignments. Create an access level called “Any” with 2 IP subnet conditions and join the conditions with OR:
  • IPv4 subnet range 0.0.0.0/0
    or
  • IPv6 subnet range 0::/0
A user in the organization gets access from any IPv4 or IPv6 address.
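The following Python model is an added example, not Google's code or API. It encodes the evaluation rules this page states for the assignment steps above, for inheritance, and for the "Any" null policy: the selected levels are ORed, a combined level ANDs its nested levels, a deleted level blocks the app until it is unassigned, a local assignment replaces the inherited list, and 0.0.0.0/0 OR ::/0 admits every address. The data model, the level names and the context fields are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AccessLevel:
    """Simplified access level (constructed model, not the real schema)."""
    name: str
    ip_subnets: list[str] = field(default_factory=list)   # any match suffices
    device_encrypted: Optional[bool] = None                # None = not required
    requires: list[AccessLevel] = field(default_factory=list)  # nested levels, ANDed
    deleted: bool = False

    def satisfied_by(self, ctx: dict) -> bool:
        ip = ip_address(ctx["ip"])
        # ip_network.__contains__ returns False on an IPv4/IPv6 mismatch,
        # so "Any" needs both 0.0.0.0/0 and ::/0, as the page describes.
        if self.ip_subnets and not any(ip in ip_network(s) for s in self.ip_subnets):
            return False
        if self.device_encrypted is not None and ctx.get("encrypted") != self.device_encrypted:
            return False
        # A level built from other levels is a logical AND of those levels.
        return all(lvl.satisfied_by(ctx) for lvl in self.requires)


def effective_levels(inherited: list[AccessLevel], local: list[AccessLevel]) -> list[AccessLevel]:
    """Any local assignment in a child org replaces the inherited list entirely."""
    return local if local else inherited


def can_access(assigned: list[AccessLevel], ctx: dict) -> bool:
    """Decide access for one app given the levels assigned to it."""
    if not assigned:
        return True                      # no assignment: the app is unrestricted
    if any(lvl.deleted for lvl in assigned):
        return False                     # a deleted level blocks the app outright
    return any(lvl.satisfied_by(ctx) for lvl in assigned)   # logical OR


# Constructed sample levels for the demonstration below.
CORP_NET = AccessLevel("corp_net", ip_subnets=["203.0.113.0/24"])
ENCRYPTED = AccessLevel("encrypted_device", device_encrypted=True)
CORP_AND_ENCRYPTED = AccessLevel("corp_and_encrypted", requires=[CORP_NET, ENCRYPTED])
ANY = AccessLevel("Any", ip_subnets=["0.0.0.0/0", "::/0"])
STALE = AccessLevel("old_level", ip_subnets=["198.51.100.0/24"], deleted=True)

if __name__ == "__main__":
    ctx = {"ip": "203.0.113.9", "encrypted": False}
    print(can_access([CORP_NET, ENCRYPTED], ctx))          # True: OR, corp_net matches
    print(can_access([CORP_AND_ENCRYPTED], ctx))           # False: AND, device not encrypted
    print(can_access([CORP_NET, STALE], ctx))              # False: deleted level blocks
    print(can_access(effective_levels([CORP_NET], [ANY]), {"ip": "2001:db8::1"}))  # True
```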
