Nothing Special   »   [go: up one dir, main page]

Customize service settings using configuration groups

Depending on your edition of Google Workspace, configuration groups might not be available for some services or settings.

After applying general policies to organizational units that contain your departments or teams, you can make exceptions for users within those teams, without changing your organizational structure. You do this with configuration groups

Example: You’re currently restricting YouTube video approvals for all organizational units. But some people within various departments need to approve videos. To override those people’s organizational unit settings for this one policy, place them in a configuration group and give that group approval rights in YouTube. 

On this page

Features you can customize

The following settings can be applied to configuration groups:

Settings in these services Administrator features

Note: Some services have the option to turn on or off Google Takeout for a group. Learn more

* Available only with certain editions of Google Workspace

How configuration groups work

Typically, you apply service settings to departments or teams by using organizational units. You can then make exceptions for some users by using configuration groups. For example, you can restrict YouTube content for everyone in your organization, but override that setting for users who do need to view or approve videos.

  • A configuration group can include users or groups from any organizational unit.
  • A user’s group settings always override their organizational unit's settings.
  • A user can belong to multiple configuration groups (unlike organizational units).
  • You set the priority of configuration groups. A user then gets the setting of the highest priority group they belong to.

Set up a configuration group

Expand section | Collapse all & go to top

Step 1. Create a configuration group

You can create a group to use as a configuration group, or use an existing group.

Your group must be created in one of the following ways:

Important: Groups created in Google Groups can't be used as configuration groups.  To check how a group was created, use the Groups API.

A dynamic group requires the security label, to be used as a configuration group.

If your group meets the above criteria, it will be available when applying a setting to a group.

Step 2. Apply settings to the group

Requires having admin privileges for Groups, Organizational Units (top-level), and Service Settings.​

You apply settings to configuration groups only in the Admin console, not using APIs.

  1. the Admin console, go to the settings page for the app.
  2. Click the setting you want to change.
    For example, here are the YouTube settings for your top-level organization:

  3. On the left, click Groups.
    Any existing configuration groups are listed in order of priority.
  4. Click Search for a group. Enter a group address (not group name) and then select the group.
    • Start by adding your configuration groups from highest to lowest priority. When you add a new group, place it at the lowest priority.
    • If you don’t find your group, it might have been created in Google Groups or it's a dynamic group that's missing the security label.
  5. Choose the settings for your configuration group.
    By default, a new group has the settings of your top-level organizational unit.


     

    For organizations with multiple types of licenses: If you have licenses for an edition that doesn't include a certain setting, a Flag Flag image for multiple licenses appears next to the settings for a group. This flag appears whether or not the group contains users who don't have the required license.

  6. Turn on or off the configuration group.
    • On—Click Save.
      The settings apply to the configuration group’s members. To close the panel, click Cancel.
    • Off—In the Groups panel, click Unset or Remove  (clicking Cancel won't remove the group).
  7. Adjust the priority of the group by dragging the group up or down. 
    • To set a group as priority 1—Drag your desired group up to priority 2, then drag the current priority 1 below. You can also enter a number in the priority box or click the arrows next to the priority box.
    • If you have fewer than 4 groups—If you reorder groups containing the same users, those users get the setting of their highest priority group. You might get this alert:

      “More than one policy may be linked to the same users..."

      This general alert appears if you add, unset, or change the priority of any configuration group, even if the groups don’t contain the same users.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Step 3. Check a user's settings

You can verify that a user has the setting you intend.

Requires having admin privileges for Groups, Organizational Units (top-level), and Service Settings.

  1. In the Admin console, go to the settings page for the app. 
  2. In the top left, click Users.
  3. Click Select a user and search for the user’s address (not name).
  4. Select the user to view their settings. Below the name of the setting, you can click the configuration group or organization unit that determined the user's settings.


Note: If you check the user's organizational unit, the service setting won't show as Overridden. The settings, Overridden and Inherited, are based only on an organizational unit's setting, not on configuration groups.

Review changes in the Audit log

The event Application Setting Group Priorities Change logs when you apply a configuration group or change order of priority. The event uses the group name rather than the group address. You might want to use a similar naming standard for both your group name and addresses.

For example, you apply the group Link anyone to the Drive Link Sharing setting. 

Application Setting Group Priorities Change
For Drive and Docs, group override priorities for Link Sharing 
changed to Link anyone

When you change the priority of groups, the event lists the groups in their new order, from lowest to highest priority.

Application Setting Group Priorities Change
For Drive and Docs, group override priorities for Link Sharing 
changed to No Links < Link users < Link anyone

Most other events use a similar format for both organizational units and configuration groups. The prefix, group_email, identifies a configuration group.

For example, overriding settings with an organizational unit:

Drive Setting Change
PUBLISHING_TO_WEB for Drive changed from INHERIT_FROM_PARENT to PUBLIC 
(org_unit_name: { Marketing}

Applying settings with a configuration group:

Drive Setting Change
PUBLISHING_TO_WEB for Drive changed from INHERIT_FROM_PARENT to PUBLIC 
(org_unit_name: {example.com}, group_email: {Drive_p02_share_external@example.com})

For events with configuration groups, your top-level organizational unit is listed as the org_unit_name.

Managing large numbers of users or policies

Here are some best practices for managing multiple configuration groups across a medium to large organization.

Expand section | Collapse all & go to top

Options for configurations groups

Before you create or apply configuration groups, you typically map your user groups to their settings. For example, these user groups have different permissions for sharing Drive files.

  Drive sharing permissions
User group Share with
any domain
Share with
trusted domains
Share
only internally
Sales Managers    
Sales Team    
Sales Operations    

 

Next, you can use configuration groups based on your user groups, user settings, or a combination that fits your organization.

Option 1: Use configuration groups based on user groups

Use your user groups as configuration groups. Then customize settings for each configuration group. If a user belongs to multiple groups, you set which group determines the user's settings (described later in Setting priority).

For example, with Drive settings, you can let specific user groups share files externally.

Applying settings directly to user groups is a good option for:

  • Organizations with fewer than 50 users or a small number of settings
    (You don't need to create more groups, and you can fine-tune settings for each user group.)
  • Testing a service setting
  • Apps that a specific group of users use
  • Dynamic groups, which automatically manage group membership by user attributes, such as location or role.

Option 2: Create configuration groups based on user settings

If you manage many settings or users, you might create groups for different levels of settings.

For example, create a configuration group for each level of Drive sharing permissions. Then, add your user groups as members of the configuration group.

The configuration group acts as a container for settings. You typically have fewer configuration groups to manage and prioritize (described below). Also, you can use the Groups API or Directory Sync to manage user and group membership.

Setting priority for configuration groups

When a user belongs to multiple configuration groups, you set which configuration group has priority in determining the user’s setting.

In the Admin console, groups are listed from highest to lowest priority. The user gets the settings of the highest priority group they belong to.

You change the priority of a configuration group by moving the group up or down in the Groups list. Setting priority order is available only in the Admin console and not any of the APIs.


 

How priority works

When a user belongs to multiple groups, they get the settings of their highest priority group. In this example, a sales manager belongs to 3 user groups. Each group has a different setting for Directory Profile editing.

With the configuration groups in this priority order, Sales managers can edit their name and location in their Directory profiles.

If the Edit location group is the highest priority, sales managers can edit only their location and Regional sales can edit their name and location.

User settings and multiple groups

Settings aren't added across a user's groups. In this example, a marketing manager belongs to 3 groups, but gets the settings only of the highest priority group. They can edit their name and location, but not their photo.

Ordering groups

For Drive settings, changing group priorities or membership can affect file sharing and access.

For example, if you transfer ownership of a file to a user in another configuration group, the file's sharing permissions change to the permissions of the new group.

To track priority and settings:

  • Consider priority in your group structure and watch for deeply nested groups, which might be challenging to trace to settings.
  • When you order your configuration groups, consider placing the group that applies to the fewest people as the highest priority.


Planning and designing configuration groups

Planning your configuration group structure is likely the step that takes the most time and review.

Mapping your service settings

You might review your organizational units for settings that you want to manage with groups. If you already use a roles-based or teams approach to settings, you can use groups in the same way.

If your account has multiple editions of Google Workspace:

  • The configuration group settings apply only to users who have access to the feature or service.
  • Depending on your edition, some Drive settings apply to your entire organization. You can use configuration groups to customize Drive settings for other users.

Setting naming standards

Choose a group naming standard for easier management and auditing. For example, use a standard that includes the setting name and priority number. The Groups list shows up to 37 characters of a group name. Pointing to a group shows the full name.

YouTube_1_approvers
YouTube_2_access_unrestricted
YouTube_3_access_moderate
YouTube_4_access_strict

If you manage many types of groups, you might add a prefix such as "cf" to indicate a configuration group. Also, use a decimal place to avoid editing your existing group names when you add a configuration group.

cf_Drive_p1.0_SHARE_any
cf_Drive_p2.0_SHARE_trusted
cf_Drive_p2.1_SHARE_trusted_access_external
cf_Drive_p3.0_SHARE_internal

Creating groups

Use groups created in the Admin console, Directory API, or Google Cloud Directory Sync. Groups created in Google Groups can't be used as configuration groups. (The Admin console doesn’t show whether a group is created in Google Groups.)

You can manage the configuration group in any tool. You might set strict permissions for adding or deleting users, posting to the group, or preventing users from leaving the group (available only in the Groups API).

Troubleshooting

Expand section | Collapse all & go to top

I can't find the Groups list
  •  The configuration groups feature might not be available for a service. Check the list in the above table.
  • For Drive and Data regions settings, your edition of Google Workspace might not support configuration groups. 
I don’t see my configuration group in the Groups list
  •  The group has possibly been created in Google Groups. Try creating a group in the Admin console.
  • The group might be a dynamic group that needs the security label. Learn more 
  • Check that you have admin privileges for Groups.
  • You might be using a group alias instead of the group name. 
  • Try refreshing the setting page. Changes can take up to 24 hours but typically happen more quickly. Learn more
  • Search for the group's email address rather than the group's name.
A user doesn't have the correct service settings
  •  Check a user’s group membership. Changes can take up to 24 hours but typically happen more quickly. Learn more
  • Find the configuration group that's determining the user's settings. If the user belongs to multiple configuration groups, you might need to change the group priority or user's group membership.
  • The user might not have the product license for the feature. Some features are available only with certain editions.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
7610554891692116009
true
Search Help Center
true
true
true
true
true
73010
false
false