With configuration groups, you can apply context-aware access levels to groups of users rather than to organizational units. Configuration groups can include users from any organizational unit in your account. For example, you can let a team of contractors access Gmail only on your corporate network.
How configuration groups work
- Configuration groups can contain any users in your organization. You can also create a configuration group that acts as a container for access levels, and then add your user groups to it (nested groups).
- A user can belong to multiple configuration groups, unlike organizational units. You set the priority of configuration groups, and the user gets the setting of the highest priority group they belong to.
- A user's group access level for an app always overrides their organizational unit's access level.
- If a configuration group doesn't specify an access level for an app, then the app uses the access level set by the user's organizational unit.
Design configuration groups for context-aware access
Configuration groups work a little differently for context-aware access compared to other Google Workspace settings. Keep the following information and tips in mind as you design your groups and policies:
You usually define access levels for organizational units, and then determine custom access levels for configuration groups. For example, you might have configuration groups for "Open access" or "Lockdown access" so you can quickly grant or limit specific users' access.
Typically, you'll use a combination of configuration groups:
Use your existing user groups
You set the access level for each app (Gmail or Drive, for example) in the user group. If a user belongs to multiple groups, you set which group determines the user's settings (described later in the Priority section).
Applying access levels directly to user groups is a good option for:
- Testing context-aware access.
- Managing access for specific groups of users, such as IT staff or a team on remote assignment.
- Organizations with fewer than 50 users or a small number of access levels. You don't need to create more groups and you can finely tune settings for each user group.
Create configuration groups based on access levels
Alternatively, a configuration group can act as a container for access levels. You create a configuration group and assign access levels for one or more apps. Then you add user groups as members of the configuration group.
Larger organizations might find this approach useful for managing access group policies and priorities (described below).
When a user belongs to multiple configuration groups, you set which configuration group has priority in determining the user's app access.
In the Admin console, groups are listed from highest to lowest priority. You change the priority of a configuration group by moving the group up or down in the Groups list. Setting the priority order is available only in the Admin console, not in any of the APIs.
Priority for context-aware access
- A user gets the app settings of the highest priority group they belong to. If that group has no access level for a particular app, then the access level of the user's next highest priority group is used, and so on.
- If none of the user's configuration groups define an access level for a particular app, the app uses the access level set by the user's organizational unit.
In the Admin console, you can check which group or organizational unit determined a user's app access level. In the example below, the group "Drive Security" set the user's Drive access.
| User's apps | Access levels | Inherited from |
|---|---|---|
| | Company network | Org Unit: Sales |
| Drive | Company network, Device security | Group: Drive Security |
| | Device security | Org Unit: Sales |
| | <none> | Org Unit: Company |
For fine-grained control, you can use groups to customize access levels for each app. For example:
| User's apps | Access levels | Inherited from |
|---|---|---|
| | Company network | Org Unit: Sales |
| Drive | Company network, Device security | Group: Drive Security |
| | Device security, Geo Canada | Group: North America |
| | Device restricted, Company network | Group: Vault Investigator |
Applying configuration groups
- Consider placing critical or sensitive configuration groups at high priority. For example, your top priority group might be an "Urgent Access" group that overrides any groups limiting access.
- Access levels aren't added together across a user's groups. In this example, a user belongs to 3 user groups, but only their highest priority configuration group, "Device", sets their access level.
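The precedence rules above (highest priority group that sets the app wins, no merging across groups, fallback to the organizational unit), modelled in Python as an added example that is not Google's code. Group, access-level and org-unit names are taken from this page's tables; the app names and which app each group configures are constructed assumptions.

```python
"""Added example (not Google's code): resolves a user's effective context-aware
access level per app using this page's rules. Group, level and org-unit names
are the page's; app names and which app each group configures are constructed."""
from typing import Dict, List, Optional, Set, Tuple

Levels = List[str]
# Constructed: configuration groups in Admin console order (index 0 = highest priority).
GROUP_PRIORITY = ["Vault Investigator", "Drive Security", "North America", "Device"]
# Constructed: access levels each configuration group assigns, per app.
GROUP_LEVELS: Dict[str, Dict[str, Levels]] = {
    "Vault Investigator": {"Vault": ["Device restricted", "Company network"]},
    "Drive Security": {"Drive": ["Company network", "Device security"]},
    "North America": {"Calendar": ["Device security", "Geo Canada"],
                      "Drive": ["Geo Canada"]},  # outranked for Drive and never merged in
    "Device": {"Gmail": ["Device security"]},
}
# Constructed: org-unit access levels; "Sales" is a child of the top-level "Company".
OU_LEVELS: Dict[str, Dict[str, Levels]] = {
    "Company": {"Gmail": ["Company network"]},
    "Sales": {"Gmail": ["Company network"], "Calendar": ["Device security"]},
}
OU_PARENT: Dict[str, Optional[str]] = {"Company": None, "Sales": "Company"}


def resolve(user_groups: Set[str], user_ou: str, app: str) -> Tuple[Levels, str]:
    """Return (access levels, 'Inherited from' label) for one app."""
    # 1. The highest-priority configuration group that sets this app wins outright;
    #    lower groups are skipped, not merged. Non-configuration groups are ignored.
    for group in GROUP_PRIORITY:
        if group in user_groups and app in GROUP_LEVELS.get(group, {}):
            return list(GROUP_LEVELS[group][app]), f"Group: {group}"
    # 2. No configuration group sets the app: walk up the OU chain. An app left
    #    unset all the way to the top-level OU reports <none> from that OU.
    ou = user_ou
    while True:
        levels = OU_LEVELS.get(ou, {}).get(app)
        parent = OU_PARENT.get(ou)
        if levels is not None or parent is None:
            return list(levels or []), f"Org Unit: {ou}"
        ou = parent


def access_report(user_groups: Set[str], user_ou: str, apps: List[str]) -> Dict[str, Tuple[Levels, str]]:
    """One row per app, mirroring the Admin console's 'Inherited from' column."""
    return {app: resolve(user_groups, user_ou, app) for app in apps}
```

Calling `access_report({"Drive Security", "North America"}, "Sales", ["Gmail", "Drive", "Calendar", "Vault"])` reproduces the first table above: Drive comes from the group, Gmail from the Sales org unit, and Vault reports <none> from the top-level Company org unit.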
Planning your configuration groups structure is likely the step that takes the most time and review.
Naming and searching for groups
Set a group naming standard for easier searching, prioritizing, and auditing. For example, add a prefix such as "caa" to indicate a context-aware configuration group. Also, use a decimal place in the priority number so you can add a configuration group without renaming your existing groups.
- Search for a group: The Groups panel searches by group address, not group name. You might want to set up a naming standard that includes the setting name and priority number, for example:
caa_p0.0_unrestricted_access@example.com
caa_p1.0_lockdown_access@example.com
caa_p3.0_Gmail_IP_Device@example.com
caa_p3.1_Gmail_IP@example.com
- View the groups: The Groups panel displays the group name (maximum of 37 characters) in the priority order. Pointing to a group shows the full name. For example:
CAA p0.0 - Unrestricted access all apps
CAA p1.0 - Lockdown access
CAA p3.0 - Gmail IP corp & device security
CAA p3.1 - Gmail IP corp
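Because priority order exists only in the Admin console and the naming standard is the only record of it outside the console, the two can drift apart. This added example (not Google's code) parses addresses in the `caa_p<major>.<minor>_<setting>@domain` form shown above and flags addresses outside the standard, duplicate priorities, and groups whose encoded priority disagrees with the console order; the console order is pasted in by hand, and the pattern and sample addresses are constructed.

```python
"""Added example (not Google's code): checks configuration-group addresses against
the naming standard suggested on this page (caa_p<major>.<minor>_<setting>@domain)
and flags where the encoded priority disagrees with the Admin console order.
The console order is pasted in by hand, since the APIs don't expose it."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed pattern: "caa" prefix, "p" + decimal priority, setting name, domain.
ADDRESS_RE = re.compile(
    r"^caa_p(?P<major>\d+)\.(?P<minor>\d+)_(?P<setting>[A-Za-z0-9_]+)@(?P<domain>[^@\s]+)$"
)


def parse_priority(address: str) -> Optional[Tuple[int, int]]:
    """Return the (major, minor) priority encoded in a group address, or None."""
    m = ADDRESS_RE.match(address)
    return (int(m["major"]), int(m["minor"])) if m else None


def check_order(console_order: List[str]) -> List[str]:
    """console_order: configuration-group addresses as listed in the Admin
    console, highest priority first. Returns one message per problem found:
    an address outside the standard, a duplicate priority, or a group that is
    named with a higher priority than the position it actually holds."""
    problems: List[str] = []
    seen: Dict[Tuple[int, int], str] = {}  # priority -> address that first used it
    prev: Optional[Tuple[str, Tuple[int, int]]] = None
    for pos, addr in enumerate(console_order, start=1):
        prio = parse_priority(addr)
        if prio is None:
            problems.append(f"{addr}: does not follow the caa_p<n>.<m>_<setting> standard")
            continue
        if prio in seen:
            problems.append(f"{addr}: priority p{prio[0]}.{prio[1]} already used by {seen[prio]}")
        seen.setdefault(prio, addr)
        # Console order runs high to low, so encoded priorities must never decrease.
        if prev is not None and prio < prev[1]:
            problems.append(f"{addr}: named p{prio[0]}.{prio[1]} but listed at position {pos}, below {prev[0]}")
        prev = (addr, prio)
    return problems
```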
Ordering groups
To keep track of priority and settings:
- You might place groups that apply to the fewest users or define critical policies (such as "Lockdown access" or "All access") at the highest priority.
- Consider priority in your group structure and watch for deeply nested groups, which might be challenging to trace to settings.
Creating groups
You must use groups created in the Admin console, Directory API, or Google Cloud Directory Sync. Groups created in Google Groups can’t be used as configuration groups. (The Admin console doesn’t show whether a group was created in Google Groups.)
You can manage the configuration group in any tool. You might set strict permissions for adding/deleting users, turn off posting to the group, or prevent users from leaving the group (available only in the Groups API).
Set up configuration groups
Before you start: Define the context-aware access levels and create your configuration groups (preferably containing 1 or 2 test accounts).
You need admin privileges for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management.
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Security and then Context-Aware Access. To see Security on the Home page, you might have to click More controls at the bottom.
- Click Assign access levels to view the list of apps.
- On the left, click Groups. Any existing configuration groups are listed in order of priority.
- Click Search for a group. The results include all your groups, not only configuration groups.
- Enter a group address (rather than the name of the group) and click the group.
- If you don't find your group, it may have been created in Google Groups. Configuration groups must be created in the Admin console, Directory API, or Google Cloud Directory Sync.
- Start by adding your configuration groups from highest to lowest priority. When you add a new group, it's placed at the lowest priority.
- Click one or more apps, and then Assign.
- Select the access levels for apps in the group and click Save. By default, a new group has no assigned access levels.
For organizations with multiple types of Google Workspace licenses: The group access levels only apply to users assigned a Google Workspace edition that includes Context-Aware Access control.
- Adjust the priority of the group by dragging the group up or down. To set a group as priority 1, drag your desired group up to priority 2, then drag the current priority 1 group below it. You can also enter a number in the priority box or click the arrows next to the priority box.
- Changes typically take effect in minutes, but can take up to 24 hours.
View a user's app access levels
You need admin privileges for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management.
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Security and then Context-Aware Access. To see Security on the Home page, you might have to click More controls at the bottom.
- In the Admin console, go to the settings page for the app.
- In the top left, click Users.
- Click Select a user and enter the user’s address (not name).
- Select the user to view their app settings. The Inherited from column shows the configuration group or organizational unit that determined the user's settings.
- Point to an app and click View for details about the user's access levels.
Note: When you view an organizational unit, the inherited levels are based only on the organizational unit's settings, not on configuration groups.
Remove a configuration group
You need admin privileges for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management.
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Security and then Context-Aware Access. To see Security on the Home page, you might have to click More controls at the bottom.
- Click Assign access levels to view the list of apps.
- On the left, click Groups. Configuration groups are listed in order of priority.
- Click the group to remove.
- First, you unassign all access levels from the group. In the Apps panel, check the Name box to select all apps.
- Click Assign.
- Click Uncheck All.
- Click Save.
Edit a configuration group's access levels
You need admin privileges for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management.
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Security and then Context-Aware Access. To see Security on the Home page, you might have to click More controls at the bottom.
- Click Assign access levels to view the list of apps.
- On the left, click Groups. Configuration groups are listed in order of priority.
- Click the group to edit.
- On the right, select the apps to edit, add, or remove.
- Click Assign.
- Update the level assignments for the group.
- Click Save.
Changes to the apps access levels typically take effect in minutes, but can take up to 24 hours.
I don’t see the configuration group in the Groups list
- The group may have been created in Google Groups. Try creating a group in the Admin console.
- Search for the group's email address rather than the group's name.
- Try refreshing the setting page. Changes typically take effect in minutes, but can take up to 24 hours.
- Check that you have admin privileges for Groups.
A user doesn't have the correct access level
- Check a user’s group membership. It may take up to 24 hours before the group settings take effect.
- Find the configuration group that's determining the user's settings. If the user belongs to multiple configuration groups, you might need to change the group priority or user's group membership.
- The user may not have the product license for the feature. Context-aware access is available with certain editions of Google Workspace.
- If the user can't access an app, the app might be assigned a deleted access level. See Remove a deleted access level.
Review these events in the Admin Audit log for changes to configuration group settings:
EVENT: Context Aware Access Level App-specific Assignments Change
Logged when you apply or remove a configuration group. The event uses the group name, so you might use a similar naming standard for both your group name and address. The data included in a group event:
For example, you apply the configuration group CAA.02 local access to an app:
When you remove the configuration group from an app:
EVENT: Application Setting Group Priorities Change
When you change the priority of groups, the event lists the groups in their new order, from lowest to highest priority. You can identify context-aware access changes by the line: "For Data Security, group override priorities for ContextAwareAccessAppSettingsProto".