Control access to apps based on user and device context

Customize Context-Aware access with groups

The new Context-Aware groups are rolling out over next few weeks.

If you don't have this feature in your Admin console, it should be available soon.

This feature is available with G Suite Enterprise, G Suite Enterprise for Education, Drive Enterprise, and Cloud Identity Premium editions.

With configuration groups, you can apply context-aware access levels to groups of users rather than organizational units. Configuration groups can include users from any organizational unit in your account. For example, let a team of contractors to access Gmail only on your corporate network.

How configuration groups work

Configuration groups can contain any users in your organization. Also, you can create a configuration group that acts as container for access levels, and then add your user groups (nested groups).
A user can belong to multiple configuration groups, unlike organizational units. You set the priority of configuration groups, and the user gets the setting of the highest priority group they belong to.
A user’s group access level for an app always overrides their organizational unit's access level.
If a configuration group doesn't specify an access level for an app, then the app uses the access level set by the user's organizational unit.

Design configuration groups for context-aware access

Open all | Close all

The priority for context-aware access is a little different than other G Suite settings. Information and tips as you design your policies:

Options for configuration groups

You usually define access levels for organizational units, and then determine custom access levels for configuration groups. For example, you might have configuration groups for "Open access" or "Lockdown access" so you can quickly grant or limit specific users' access.

Typically, you'll use a combination of configuration groups:

Use your existing user groups

You set the access level for each app (Gmail or Drive, for example) in the user group. If a user belongs to multiple groups, you set which group determines the user's settings (described later in the Priority section).

Applying access levels directly to user groups is a good option for:

Testing context-aware access.
Managing access for specific groups of users, such as IT staff or a team on remote assignment.
Organizations with fewer than 50 users or a small number of access levels. You don't need to create more groups and you can finely tune settings for each user group.

Create configuration groups based on access levels

Alternately, a configuration group can act as a container for access levels. You create a configuration group and assign access levels for an app or apps. Then you add user groups as members of the configuration group.

Larger organizations might find this approach useful for managing access group policies and priorities (described below).

How priority works with access levels

When a user belongs to multiple configuration groups, you set which configuration group has priority in determining the user's app access.

In the Admin console, groups are listed from highest to lowest priority. You change the priority of configuration group by moving the group up or down in the Groups list. Setting priority order is available only in the Admin console and not any of the APIs.

Groups panel

Priority for context-aware access

A user gets the app settings of the highest priority group they belong to. If the group has no access level for a particular app, then the access level of user's next highest priority group is used, and so on.
If none of the user's configuration groups define an access level for a particular app, the app uses the access level set by the user's organizational unit.

In the Admin console, you can check which group or organizational unit determined a user's app access level. In the example below, the group "Drive Security" set the user's Drive access.

User's apps	Access levels	Inherited from
Calendar	Company network	Org Unit: Sales
Drive	Company network, Device security	Group: Drive Security
Gmail	Device security	Org Unit: Sales
Google Vault	<none>	Org Unit: Company

For fine-grained controls, you can use groups to customize access levels for each app. For example:

User's apps	Access levels	Inherited from
Calendar	Company network	Org Unit: Sales
Drive	Company network, Device security	Group: Drive Security
Gmail	Device security, Geo Canada	Group: North America
Google Vault	Device restricted, Company network	Group: Vault Investigator

Applying configuration groups

Consider placing critical or sensitive configuration groups at high priority. For example, your top priority group might be an "Urgent Access" group that overrides any groups limiting access.
Access levels aren't added across a user's groups. In this example, a user belongs to 3 user groups, but only the highest priority configuration group" Device" sets their access level.

Planning and designing configuration groups

Planning your configuration groups structure is likely the step that takes the most time and review.

Naming and searching for groups

Set a group naming standard for easier searching, prioritizing, and auditing. For example, add a prefix such as "caa" to indicate context-aware configuration group. Also, use a decimal place to avoid editing your existing group names when you add a configuration group.

Groups names and listing

Search for a group: The Groups panel searches by group address, not group name. You might want to set up a standard that includes the setting name and priority number:

caa_p0.0_unrestricted_access
caa_p1.0_lockdown_access
caa_p3.0_Gmail_IP_Device
caa_p3.1_Gmail_IP

View the groups: The Groups panel displays the group name (maximum of 37 characters) in the priority order. Pointing to a group shows the full name. For example:

CAA p0.0 - Unrestricted access all apps
CAA p1.0 - Lockdown access
CAA p3.0 - Gmail IP corp & device security
CAA p3.1 - Gmail IP corp

Ordering groups

To track of priority and settings:

You might place groups that apply to the fewest users or define critical policies (such as "Lockdown access" or "All access") at the highest priority.
Consider priority in your group structure and watch for deeply nested groups, which might be challenging to trace to settings.

Creating groups

You must use groups created in the Admin console, Directory API, or Google Cloud Directory Sync. Groups created in Google Groups can’t be used as configuration groups. (The Admin console doesn’t show whether a group was created in Google Groups.)

You can manage the configuration group in any tool. You might set strict permissions for adding/deleting users, turn off posting to the group, or prevent users from leaving the group (available only in the Groups API).

Set up configuration groups

Open all | Close all

Before you start: Define the context-aware access levels and create your configuration groups (preferably containing 1 or 2 test accounts).

Step 1. Apply a configuration group

You need admin privileges for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console Home page, go to SecurityContext-Aware Access.
To see Security on the Home page, you might have to click More controls at the bottom.
Click Assign access levels to view the list of apps.
On the left, click Groups. Any existing configuration groups are listed in order of priority.
Click Search for a group. The results include all your groups, not only configuration groups.
Enter a group address (rather than the name of the group) and click the group.
- If you don’t find your group, it may have been created in Google Groups. Configuration groups must be created in the Admin console, Directory API, or Google Cloud Directory Sync.
- Start by adding your configuration groups from highest to lowest priority. When you add new group, it’s placed at the lowest priority.
Click one or more apps, and then Assign.
Select the access levels for apps in the group and click Save. By default, a new group has no assigned access levels.

For organizations with multiple types of G Suite licenses: The group access levels only apply to users assigned a G Suite edition that includes Context-Aware Access control.
Adjust the priority of the group by dragging the group up or down.
- Changes typically take effect in minutes, but can take up to 24 hours.
- To set a group as priority 1: Drag your desired group up to priority 2, then drag the current priority 1 below. You can also enter a number in priority box or click the arrows next to the priority box.

Step 2. Check the access levels for a user

You need admin privileges for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console Home page, go to SecurityContext-Aware Access.
To see Security on the Home page, you might have to click More controls at the bottom.
In the Admin console, go to the settings page for the app.
In the top left, click Users.
Click Select a user and enter the user’s address (not name).
Select the user to view their app settings. The Inherited from column shows the configuration group or organizational unit that determined the user's settings.
Point to an app and click View for details about the user's access levels.

Note: When you view an organization unit, the Inherited levels are based only on an organizational unit's setting, not on configuration groups.

Remove a configuration group

You need admin privileges for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console Home page, go to SecurityContext-Aware Access.
To see Security on the Home page, you might have to click More controls at the bottom.
Click Assign access levels to view the list of apps.
On the left, click Groups. Configuration groups are listed in order of priority.
Click the group to remove.
First, you unassign all access levels from the group. In the Apps panel, check the Name box to select all apps.
Click Assign.
Click Uncheck All
Click Save.

The configuration group no longers appears in the Groups list. Changes to the apps access levels typically take effect in minutes, but can take up to 24 hours.

Edit a configuration group

You need admin privileges for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console Home page, go to SecurityContext-Aware Access.
To see Security on the Home page, you might have to click More controls at the bottom.
Click Assign access levels to view the list of apps.
On the left, click Groups. Configuration groups are listed in order of priority.
Click the group to edit.
On the right, select apps to edit, add, or remove
Click Assign.
Update the level assignments for the group.
Click Save.

Changes to the apps access levels typically take effect in minutes, but can take up to 24 hours.

Troubleshooting

I don’t see the configuration group in the Groups list

The group may have been created in Google Groups. Try creating a group in the Admin console.
Search for the group's email address rather than the group's name.
Try refreshing the setting page. Changes typically take effect in minutes, but can take up to 24 hours.
Check that you have admin privileges for Groups.

A user doesn't have the correct access level

Check a user’s group membership. It may take up to 24 hours before the group settings take effect.
Find the configuration group that's determining the user's settings. If the user belongs to multiple configuration groups, you might need to change the group priority or user's group membership.
The user may not have the product license for the feature. Context-aware access is available with certain editions of G Suite.
If the user can't access an app, the app might be assigned a deleted access level. Check remove a deleted access level.

Review changes in the Audit log

Review these events in the Admin Audit log for changes to configuration group settings:

EVENT: Context Aware Access Level App-specific Assignments Change

Logs when you apply or remove a configuration group. The event uses the group name, so you might use a similar naming standard for both your group name and address.

The data included in a group event:

Access Level assignments have been changed from []
to [access levels]. (application_name: {app}, group_name: {configuration group})

For example, you apply the configuration group CAA.02 local access to an app:

Access Level assignments have been changed from [] to [Company IP, Device].
(application_name: {GMAIL}, group_name: {CAA.02 local access}

When you remove the configuration group from an app:

Access Level assignments have been changed from [Company IP, Device] to [].
(application_name: {GMAIL}, group_name: {CAA.02 Local Access}

EVENT: Application Setting Group Priorities Change

When you change the priority of groups, the event lists the groups in their new order, from lowest to highest priority. You can identify context-aware access changes by the line: "For Data Security, group override priorities for ContextAwareAccessAppSettingsProto".

For Data Security, group override priorities for ContextAwareAccessAppSettingsProto
changed to Sales North America < Sales Mexico < Sales Leads Remote

Was this helpful?

How can we improve it?