Manage membership automatically with dynamic groups

Populate groups based on department or other conditions

This page is for administrators who manage groups for an organization. To manage groups for an account that ends in gmail.com, go to Google Groups help.

This feature is available with Cloud Identity Premium edition. Compare editions 

As a Groups administrator, you can create groups that manage membership automatically. Create dynamic groups to add and remove members automatically, based on a membership query you create. This helps keep groups up to date, especially if your organization has many locations or changing team members.

Use dynamic groups as:

  • Email and distribution lists
  • Moderated groups and Collaborative Inboxes
  • Security groups
Where can I do this? You create a dynamic group in the Google Admin console and the Cloud Identity API. You can edit the membership query and certain settings in the Admin console. You can edit additional settings, such as message moderation, in Google Groups.

Understand dynamic group membership

Membership in dynamic groups differs from other groups in that:

  • You can’t manually add people to the group—To change members, change the membership query.
  • You have limited options for assigning permissions—In Google Groups, you can assign permissions for dynamic groups, such as message moderation, only to group members, the entire organization, or anyone on the web, if available. However, just like other groups, Groups admins always have all permissions to manage dynamic groups and change membership queries. For details on permissions, see Set permissions for managing members and content.
  • Only users can be members—Groups can’t meet membership conditions, so you can’t add a group to a dynamic group.
  • Dynamic groups can’t be members—You can’t add a dynamic group to any other group.

Create a dynamic group

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Directoryand thenGroups.
  3. Click Create dynamic group.
  4. Build your membership query.
    1. Condition list—Select the criteria to use for membership. 
      For example, to set up a group for people in your organization who work in a certain department, choose User department.
    2. Value field—Enter the value you want to use. You can use letters, numbers, and the underscore (_) character. If you use spaces or other characters, you'll get an error.
      You can only create one query for each group.
      As you select conditions and values, the query is generated and appears as a line of text. For example, if you select “Country code equals US,” the query appears as “user.addresses.exists(address, address.country_code=='US').”
      For more information about building queries, visit Create membership queries for dynamic groups.
  5. (Optional) To set a condition to include only users who do not meet a certain value, create the condition in step 4 and then click Exclude . In the query, the exclusion appears as an exclamation point (!).
    For more information, go to Exclude users from dynamic group.
  6. (Optional) Use multiple condition-value pairs to build your membership query. To include or exclude people who meet:
    • All conditions—From the list, select And. In the query, added conditions appear with two ampersands (&&) between them.
    • At least one of the conditions—From the list, select Or. In the query, either/or conditions appear with two vertical lines (||) between them.
    As you add condition-value pairs, note that the maximum length for the query is 10,000 characters.
  7. (Optional) To view the potential group users based on your query, click Preview.
  8. Click Create dynamic group.
  9. Enter the following information:
    Field Description
    Name

    Name that identifies the group in lists and messages. Use these guidelines:

    • Names can be up to 73 characters long.
    • Use names that make it easy to identify the group’s purpose.
    Description Purpose of the group. The information appears on the group’s About page. You could include information about group members, group content, an FAQ, and links to related groups.
    Group email

    ​Email address used for the group. If more than one domain appears, select the appropriate domain from the list. Email addresses can be up to 63 characters long. This limit doesn't include the address domain, such as @example.com.

    Some words are reserved and can't be used as email addresses. Visit Words that can't be used in email addresses.

  10. Click Save.
  11. (Optional) Change access settings to suit your needs.
  12. Click Done.
    You can create up to 500 dynamic groups. To request an increase to this limit, contact support with the limit number that you want and the use case or reason for the request. We consider requests on a case-by-case basis. To file the request, go to Contact Google Workspace support.

Assign roles in dynamic groups

You assign roles in dynamic groups in the same way as in any group. However, certain restrictions apply to dynamic group owners and managers. For details, see Understand dynamic group roles.

Automate security policies using dynamic security groups

To enforce policies using dynamic groups, add a Security label to them. For example, you might create a dynamic group to set policies for everyone at your organization who works in a specific geographic location. As users move and change their location in their user profile, the system automatically adds or removes them from the group.

  1. Create a dynamic group of users who meet the criteria you want.
  2. Add a Security label to the group.
  3. Create a policy and choose which policies take precedence by following the steps in Customize service settings with configuration groups.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
1837656663971066065
true
Search Help Center
true
true
true
false
false