With configuration groups, you can apply Context-Aware Access levels to groups of users rather than organizational units. Configuration groups can include users from any organizational unit in your business. For example, let a team of contractors access Gmail only on your corporate network.
How configuration groups work
- Configuration groups can contain any users in your organization. Also, you can create a configuration group that acts as a container for access levels, and then add your user groups (nested groups).
- A user can belong to multiple configuration groups, unlike organizational units. You set the priority of the configuration groups, and the user gets the setting of the highest priority group they belong to.
- A user's group access level for an app always overrides their organizational unit's access level.
- If a configuration group doesn't specify an access level for an app, then the app uses the access level set by the user's organizational unit.
Design configuration groups for Context-Aware Access
Configuration groups work a little differently for Context-Aware Access than for other Google Workspace settings. As you design your groups and policies, keep the following information and tips in mind:
Options for configuration groups
You usually define access levels for organizational units, and then determine custom access levels for configuration groups. For example, you might have configuration groups for "Open access" or "Lockdown access" so you can quickly grant or limit specific users' access.
Typically, you'll use a combination of configuration groups:
Use your existing user groups
You set the access level for each app (Gmail or Google Drive, for example) in the user group. If a user belongs to multiple groups, you set which group determines the user's settings (described later in the Priority section).
Applying access levels directly to user groups is a good option for:
- Testing Context-Aware Access.
- Managing access for specific groups of users, such as IT staff or a team on remote assignment.
- Managing access for organizations with fewer than 50 users or a small number of access levels. You don't need to create more groups and you can finely tune settings for each user group.
Create configuration groups based on access levels
Alternatively, you can assign access levels to groups. You create a configuration group and assign access levels for one or more apps. Then you add user groups as members of the configuration group.
Larger organizations might find this approach useful for managing access group policies and priorities (described below).
How priority works with access levels
When a user belongs to multiple configuration groups, you set which configuration group has priority in determining the user's app access.
In the Google Admin console, you must first select an application in order to display its corresponding group priority list. Groups are listed from highest to lowest priority. A new configuration group always has the lowest priority and is added to the bottom of a configuration group list.
Priority for Context-Aware Access
A user gets the app settings of the highest priority group they belong to. If the group has no access level for a particular app, then the access level of the user's next highest priority group is used, and so on.
In the Admin console, you can check which group or organizational unit determined a user's app access level. In the example below, the group "Drive Security" set the user's Drive access.
| User's apps | Access levels | Inherited from |
|---|---|---|
| | Company network | Organizational unit: Sales |
| Drive | Company network, Device security | Group: Drive Security |
| | Device security | Organizational unit: Sales |
| | <none> | <none> |
For fine-grained control, you can use groups to customize access levels for each app. For example:
| User's apps | Access levels | Inherited from |
|---|---|---|
| | Company network | Organizational unit: Sales |
| Drive | Company network, Device security | Group: Drive Security |
| | Device security, Geo Canada | Group: North America |
| | Device restricted, Company network | Group: Vault Investigator |
Apply priority to configuration groups
- Consider placing critical or sensitive configuration groups at high priority. For example, your top priority group might be an "Urgent Access" group that overrides any groups limiting access.
- Access levels aren't added across a user's groups. In this example, a user belongs to 3 user groups, but only their highest priority configuration group, "Device", sets their access level.
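The priority rules described above (highest-priority group that sets a level for the app wins, levels are never merged across groups, the organizational unit applies only when no group sets a level) as an added, runnable model. This is illustrative code, not Google's implementation; the group addresses, members and access-level names are constructed, and the `caa_pX.Y` naming check follows the naming tip given later on this page.

```python
"""Model of Context-Aware Access configuration-group priority resolution.

Added example (not Google's code). Group addresses, members and the
access-level names assigned to each app are constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ConfigGroup:
    address: str                                   # e.g. caa_p1.0_lockdown_access@example.com
    members: set
    levels: dict = field(default_factory=dict)     # app name -> list of access-level names


def priority_from_address(address):
    """Read the pX.Y priority number encoded by the caa_ naming standard."""
    m = re.match(r"caa_p(\d+\.\d+)_", address)
    if not m:
        raise ValueError(f"not a caa-prefixed configuration group: {address}")
    return float(m.group(1))


def resolve_access(app, user, groups_by_priority, ou_name, ou_levels):
    """Return (access levels, source) for one app.

    groups_by_priority is the console's list for that app, highest priority
    first. Only the first group the user belongs to that sets a level for
    the app is used; levels from lower-priority groups are not added.
    """
    for group in groups_by_priority:
        if user in group.members and app in group.levels:
            return group.levels[app], f"Group: {group.address}"
    # No configuration group set a level: fall back to the organizational unit.
    return ou_levels.get(app, []), f"Organizational unit: {ou_name}"


def naming_matches_console_order(groups_by_priority):
    """True when the pX.Y numbers in the names ascend with the console's priority order."""
    nums = [priority_from_address(g.address) for g in groups_by_priority]
    return nums == sorted(nums)


# Constructed sample: console priority order, highest first.
GROUPS = [
    ConfigGroup("caa_p1.0_lockdown_access@example.com", {"eve@example.com"},
                {"Drive": ["Device restricted"], "Gmail": ["Device restricted"]}),
    ConfigGroup("caa_p2.0_drive_security@example.com", {"alice@example.com", "eve@example.com"},
                {"Drive": ["Company network", "Device security"]}),
    ConfigGroup("caa_p3.0_gmail_ip_device@example.com", {"alice@example.com"},
                {"Gmail": ["Company network", "Device security"]}),
]
OU_LEVELS = {"Gmail": ["Company network"], "Drive": ["Company network"]}  # OU "Sales"
```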
Planning and designing configuration groups
Planning your configuration group structure is likely the step that takes the most time and review.
Naming and searching for groups
Set a group naming standard for easier searching, prioritizing, and auditing. For example, add a prefix such as "caa" to indicate context-aware configuration groups. Also, use a decimal place to avoid editing your existing group names when you add a configuration group.
Search by group address

- Search for a group: You might want to set up a naming standard that includes the setting name and priority number, for example:

  caa_p0.0_unrestricted_access@example.com
  caa_p1.0_lockdown_access@example.com
  caa_p3.0_Gmail_IP_Device@example.com
  caa_p3.1_Gmail_IP@example.com

View list of groups

- View the groups: The Groups panel displays the group name (maximum of 37 characters) in priority order. Pointing to a group shows the full name. For example:

  CAA p0.0 - Unrestricted access all apps
  CAA p1.0 - Lockdown access
  CAA p3.0 - Gmail IP corp & device security
  CAA p3.1 - Gmail IP corp

Ordering groups
To keep track of priority and settings:
- You might place groups that apply to the fewest users or define critical policies (such as "Lockdown access" or "All access") at the highest priority.
- Consider priority in your group structure and watch for deeply nested groups, which might be challenging to trace to settings.

Creating groups
You must use groups created in the Admin console, Directory API, or Google Cloud Directory Sync. Groups created in Google Groups can't be used as configuration groups. (The Admin console doesn't show whether a group was created in Google Groups.)
You can manage the configuration group in any tool. You might set strict permissions to add or delete users, turn off posting to the group, or prevent users from leaving the group (available only in the Groups API).
Set up configuration groups
Before you start: Define the Context-Aware Access levels and create your configuration groups (preferably containing 1 or 2 test accounts).
Step 1. Apply a configuration group
You need admin privileges for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management.
- In the Google Admin console, go to Menu > Security > Access and data control > Context-Aware Access. Requires the Data security access level and rule management privileges and the Admin API groups and users read privileges.
- Click Assign access levels to view the list of apps.
- In the Context-Aware Access section, click Groups.
- Choose an option:
- Click an app. Any existing configuration groups that have an access level assigned for your app are listed in order of priority.
- Click Search for a group to review a list of all groups, not only configuration groups. You can enter text to filter the results.
- Click the group. The application table lists all applications with their access level assignments.
- If you don't find your group, it may have been created in Google Groups. You must create configuration groups in the Admin console, Directory API, or Google Cloud Directory Sync.
- Start by adding your configuration groups from the highest to the lowest priority. When you add a new group policy for an app, it's placed at the lowest priority.
- Click one or more apps, and then Assign.
- Select the access levels for the app in the group and click Save. By default, a new group has no assigned access levels.
For organizations with multiple types of Google Workspace licenses: The group access levels apply only to users assigned a Google Workspace edition that includes Context-Aware Access control.
Step 2. Check the access levels for a user
You need admin privileges (https://support.google.com/a/answer/1219251) for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management (https://support.google.com/a/answer/1219251#Context_Aware_Access).
- In the Google Admin console, go to Menu > Security > Access and data control > Context-Aware Access. Requires the Data security access level and rule management privileges and the Admin API groups and users read privileges.
Note: When you view an organizational unit, the Inherited levels are based only on an organizational unit's setting, not on configuration groups.
Remove a configuration group
You need admin privileges (https://support.google.com/a/answer/1219251) for Groups, Organizational Units (top-level), and Data Security Access level management and Rule management (https://support.google.com/a/answer/1219251#Context_Aware_Access).
- In the Google Admin console, go to Menu > Security > Access and data control > Context-Aware Access. Requires the Data security access level and rule management privileges and the Admin API groups and users read privileges.
The configuration group no longer appears in the Groups list. Changes can take up to 24 hours but typically happen more quickly.