Customize service access using access groups

If you have fewer than 50 users, it might be simpler to use only organizational units to Turn a service on or off for Google Workspace users.

If you turn off a service for one or more organizational units, you can turn it on for some members by using an access group. This lets you grant access for specific users without changing your organizational structure. 

Example: YouTube is currently turned off for all organizational units. But some people in Marketing and Sales need access to YouTube. To override those people’s organizational unit settings for this policy, place them in a access group and turn on YouTube for that group. 

On this page

Options for giving users access to services

In the Google Admin console, you can turn off an organizational unit’s access to a Google service, such as Google Drive. Then, if some users in that organizational unit need to use Drive, you have 2 options:

  • Move the users to an organizational unit that has Drive turned on.
  • Or add the users an access group and turn on Drive for the group. Each member can access the service, even if their organizational unit has the service turned off. 
Organizational units With an access group
Google Drive is turned off
for organizational units 1 and 2
But a group of users within organizational units 
1 and 2 can use Google Drive

How to use access groups

Access groups can turn on user access to Google services. An access group can’t turn off user access to a service that’s turned on for an organizational unit.

  • Access groups can include any users or groups in your organization.
  • You can create a group as an access group or use an existing group.
  • Access groups control only whether a service is on for a user. You control service settings (such as Drive sharing) using an organizational unit or configuration group. Learn more

Expand section | Collapse all & go to top

Compare with organizational units
  Access groups Organizational units
Function

Turn on services.

  • Turn services on or off.
  • Configure service settings.
Service access Turn on service for users in the group. Always overrides the organizational unit's setting. Turn service on or off for users in the organizational unit.
Services supported
User membership Users from different organizational units can belong to a group. Users can belong to multiple groups. A user belongs to a single organizational unit.
Inheritance Yes. Groups within a group get access to the service. Yes. Organizational units can inherit or override the parent organizational unit setting.
Automatic user licensing No Yes
Compare with configuration groups

Access groups override service access for an organizational unit. To override service settings, such as Drive sharing, use a configuration group.

Go to Customize service settings with configuration groups.

Tip: The same group can be used as both an access group and a configuration group. You can therefore use one group to give users access to a service and customize settings for the service.

Set up an access group

Follow these steps to turn on a service using an access group.

Note: To set up access groups for password vaulted apps, see Get started with password vaulted apps.

Expand section | Collapse all & go to top

Step 1. List group members and their organizational units

Identify the organizational unit for each user that you want to place in the access group. For services included with certain editions, such as Google Vault, check that users have licenses assigned.

Step 2: Turn off the service for organizational units

Set your general policy by turning off the service for each user's organizational unit. This setting applies to all users in the organizational unit. (Later, you'll turn on service access for your access group.)

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenOverview.
  3. Click the type of service: Google WorkspaceAdditional Google services, Web and mobile apps, or Google Workspace Marketplace apps. 
  4. Select the organizational unit for a user in the access group.
  5. On the right, point at the row for the service.

  6. Click Turn Off.
  7. If needed, repeat for the organizational units of other group members.
Step 3: Create the access group

You can create a group to use as a access group, or use an existing group.

Your group must be created in one of the following ways:

Important: Groups created in Google Groups can't be used as access groups. To check how a group was created, use the Groups API.

A dynamic group requires the security label, to be used as a access group.

If your group meets the above criteria, it will be available when turning on a service for a group.

Step 4: Turn on the service for the group

For this step, you need admin privileges for Groups, Organizational Units (top-level), and Service Settings. Learn more about Administrator privilege definitions.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenOverview.
  3. Click the type of service: Google WorkspaceAdditional Google services, Web and mobile apps, or Google Workspace Marketplace apps. 
  4. In the Groups section, find and select your group:

    • To view the list of access groups, click Search for a group.
    • Search by group name or address.
      If you don’t find your group, it might be a group created in Google Groups, which can't be used as an access group.  
  5. On the right, point at the row for the service and click Turn On.

    To later turn off the service for this group, click Unset.

    Tip: To set multiple services, check the box for each service and click On in the upper right.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Verify your settings

To make sure your access groups are working as intended, check service status based on a user, a service, or your access group.

Expand section | Collapse all & go to top

Verify a user's service access

Check a user's accounts page to verify their services and group memberships.

  1. View which apps are turned on for a user
  2. View a user's group memberships
Check access by service

Verify how organizational units and groups are configured for a particular service.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenOverview.
  3. Click the type of service: Google WorkspaceAdditional Google services, Web and mobile apps, or Google Workspace Marketplace apps. 
  4. At the top left, click All users in this account.

  5. Find a service with the status of On for some. This status indicates that the service is turned on for an organizational unit or access group.
  6. Point at On for some and click View details.

  7. Review the service status for all groups and organizational units.

Check access by group

Check the status of all services for a particular organizational unit or group.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenOverview.
  3. Click Google Workspace or Additional Google services.
  4. On the left, select the view.

View Actions for the service Status for the service
All users in this account

Turn on for everyone

or

Turn off for everyone (this unsets all access groups)

Status is based on groups and organizational units.
  • On for some
  • On for everyone
  • Off for everyone
Groups

On or Unset

  • On
Organizational Units

On or Off

Status is based only on organizational units.
  • On for some
  • On
  • Off

Edit access groups

Expand section | Collapse all & go to top

Turn off a service for an access group

On this page, go to Step 4: Turn on the service.

Turn a service on or off for everyone
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenOverview.
  3. Click the type of service: Google WorkspaceAdditional Google services, Web and mobile apps, or Google Workspace Marketplace apps. 
  4. On the left, click All users in this account.

  5. Point at a service and click More and thenselect Turn Off for everyone or Turn On for everyone.

    • Turn Off for everyone—Unsets access groups (no longer shown as On).
    • Turn On for everyone—No change to access groups settings.
Manage group membership

When you remove members from or delete an access group, the members no longer have access to services through that group.

Troubleshooting

Expand section | Collapse all & go to top

I don’t see the access group on the apps page
  • The group might have been created in Google Groups and can't be used as an access group.
  • Search for the group address rather than the group name.
  • Try refreshing the apps page. 
  • Check that you have the Groups admin privilege.
The user is in an access group but can’t sign in to their service
  • Check a user’s services and group membership. 
  • Check that the user has a license assigned for the service.
I turned on an access group, but the service status is off for all organizational units

The service status shows whether service is on or off for the organizational unit. It doesn’t indicate whether the organizational unit contains users in an access group. To check an access group’s services settings, follow the first 4 steps in Step 4: Turn on the service.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
5937328769222311722
true
Search Help Center
true
true
true
true
true
73010
false
false
  翻译: