
What’s changing 
You can now quickly surface information regarding specific users and the groups they are part of directly in the Admin console. 
  • View direct and indirect members of a group: Enables you to see an expanded view of all memberships in a group. This gives you a single view of all memberships for a nested group structure. 
  • Check Membership: This allows you to validate whether a user is a member of a particular group. 
  • List all groups for a member: You can view a list of all groups a user is a member of, the email address or addresses associated with the group, and the group relation (indirect, direct, or both). See below for more information. 

Who’s impacted 
Admins 



Why it’s important 
In order to manage access to content and resources within their organization, Admins use numerous groups to ensure proper access for their users. This also involves nesting groups, adding another layer of complexity. 

This feature will give Admins a clear understanding of the group structures for any user in their organization, all in one place. We hope this feature makes it easier for Admins to take action on managing their users by providing all the necessary information, such as all groups a user is part of and their membership status. 



Getting started


Availability

  • Available to Google Workspace Enterprise Plus, Enterprise Standard, Education Plus, and Cloud Identity Premium customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers


Resources

What’s changing 
There has been a change to how the Google Calendar API manages usage. Previously, Calendar API queries were monitored and limited daily. These queries are now monitored and limited on a per-minute basis. 

See below for more information. 


Who’s impacted 
Admins and developers 



Why it’s important 
This change introduces better behavior when a quota is exceeded, as requests will be rate-limited until the quota is available rather than failing all requests for the rest of the day. Additionally, this will help developers identify issues around quota enforcement faster. 

More information regarding your usage and quota limits can be found in the Google API console.



Additional details 
To ensure you’re working efficiently with your quota, we recommend: 
  • Using push notifications instead of polling. 
  • Randomized timing to ensure user requests are spread out evenly, rather than bursts of requests. 
  • Using incremental synchronization with sync tokens for all collections instead of repeatedly retrieving all the entries. 
  • Increasing page size to retrieve more data at once by using the max results parameter. 
  • Updating events when they change to avoid recreating all the events on every sync. 
  • Using exponential backoff for error retries to make rate-limiting work properly. 


Getting started 
  • Admins and Developers: Use this guide to learn more about how to view your API usage and limits.
  • End users: There is no end user impact for this feature. 

Availability 
  • Available to all Google Workspace customers, as well as G Suite Basic and Business customers 

Resources 

What’s changing
We’re adding a User Invitation API to the Cloud Identity API. This new API allows you to identify and manage unmanaged accounts.

Unmanaged accounts are users with consumer Google accounts that share your organization's email address. The API will enable you to manage these accounts at scale, and automate sending of invites to these users to transfer their account to a managed state. 

The User Invitation API is initially available as an open beta, which means you can use it without enrolling in a specific beta program. See our documentation to learn more about how to use the API.


Who’s impacted 
Admins 


Why you’d use it 
Unmanaged accounts occur when a user registers for a personal Google account using an email address that matches your domain. These accounts generally exist because a user has previously signed up for a personal Google Account using their work or educational email address. 

If your organization then signs up for Google Workspace or Cloud Identity and attempts to provision a managed account with the same primary email address, the conflict needs to be resolved. 

Previously, you could only manage these existing accounts via the Admin console. The User Invitation API provides another option which can help automate resolution of these conflicts, and can make it easier to manage these conflicts at scale. 


Getting started 
Rollout pace 
  • This feature is available now for all users in beta. 
Availability 
  • Available to all Google Workspace customers, G Suite Basic and Business customers, and Cloud Identity customers 
Resources 

Quick launch summary 
Google Workspace customers can set up and manage apps for app access control and domain-wide delegation through the Admin console at Admin console > Security > API Controls. However, for some customers the lists of apps in these sections can be long, which can make it difficult to see and manage the information in the Admin console. 


With this launch, we’re adding new options to download 3rd party API apps and domain wide delegated apps to a CSV file. This file will contain all the information which is displayed in the Admin console list. Having the information in CSV format may make it easier to understand and analyze how these apps and features are accessed in your organization. 


Getting started 
  • Admins: You’ll see the option to download app and client info at Admin console > Security > API Controls > App access control or Domain wide delegation. Use our Help Center to learn more about app access control and domain-wide delegation
  • End users: No end user impact. 
Rollout pace 
Availability 
  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers 
Resources 

Quick launch summary 
Dynamic groups are now generally available. Dynamic groups work the same as other Google Groups, but with the added benefit that their memberships are automatically kept up to date with a membership query. Dynamic groups can be based on one or many user attributes, including addresses, locations, organizations, and relations. 


By automating membership management you can increase security, reduce errors, and alleviate user frustration while minimizing the burden on admins. 


See our beta announcement for more details and example use cases for dynamic groups. Note that at launch, you won’t be able to manage policies—like context-aware access policies—using dynamic groups. We are working on adding this functionality in the future, and will announce it on the Workspace Updates blog when it’s available. 


This joins our other recent announcements for features that make it easier to manage groups within your organization. You can now also assign groups as security groups, set group membership expiration, and see indirect membership visibility and membership hierarchies via API. We hope these features make it easier to use groups to meet the access, security, and communication needs of your organization. 


Getting started 
Rollout pace 
Availability 
  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Plus, and Cloud Identity Premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, and Education Fundamentals, or G Suite Basic, Business, and Nonprofits customers 
Resources 

Quick launch summary 
We’re making security groups generally available. Security groups help you easily regulate, audit, and monitor groups used for permission and access control purposes by simply adding the security label. See our beta announcement for more details and use cases for security groups

We’ve recently announced several other features that can help you better manage groups in your organization and improve your security posture. These include group membership expiration and the indirect membership visibility and membership hierarchy APIs


Getting started 
Rollout pace 
Availability 
  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Standard and Enterprise Plus customers, as well as G Suite Basic, Business, Education, Enterprise for Education and Nonprofits customers 
Resources 

Quick launch summary 
The Cloud Identity Groups API feature that enables you to set expirations for group memberships is now generally available. It was previously available in beta


This enables admins to set an amount of time that users and service accounts are members of a group. Once the specified time has passed, users will be removed from the group automatically. Automatic membership expiration can help reduce the administrative overhead for managing groups, and can help ensure group membership is limited to the members that need access. 




This launch is another enhancement to the Cloud Identity Groups API. We recently also made the indirect membership visibility and membership hierarchy APIs generally available. Together, these make it easier to manage permissions and access control in your organization. 


Getting started 
Rollout pace 
Availability 
  • Available to Google Workspace Enterprise Standard and Enterprise Plus, as well as G Suite Enterprise for Education and Cloud Identity Premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, and Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers 
Resources 

Quick launch summary 
We’re launching a Postmaster Tools API, allowing programmatic access to the email data found in the Postmaster Tools user interface. You can use the API to gather metrics on bulk emails sent to Gmail users—such as delivery errors, spam reports, feedback loop performance, and more. You can also import or merge the data into other systems and diagnose issues with email delivery.


Getting started
  • Admins: There is no admin control for this feature. 
  • End users: Registered domain owners can use this API to programmatically extract their domain’s data into their systems. Check out the Developers Guide to learn more about using the Postmaster Tools API.
Rollout pace
Availability
  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers

Quick launch summary 
We’re making it easier to identify, audit, and understand indirect group membership via the Cloud Identity Groups API. Specifically, we’re making the membership visibility and membership hierarchy APIs generally available. These were previously available in beta. 

Using “nested” groups to manage access to content and resources can help decrease duplication, simplify administration, and centralize access management. However, nested groups can create a complex hierarchy that can make it hard to understand who ultimately has access and why. These APIs help provide all of the information you need to understand complex group structures and hierarchies, and can help you make decisions about who to add to or remove from your groups. 

See our beta announcement for more information and use cases for the APIs


Getting started 

Rollout pace 

Availability 
  • Available to Google Workspace Enterprise Standard and Enterprise Plus, as well as G Suite Enterprise for Education and Cloud Identity Premium customers. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, and Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers 

Resources 

Quick launch summary 
Shared external contacts are users outside of your domain who you add to your company directory. Previously, there was a limit of 50,000 external contacts. Now that limit is 200,000. Additionally, the total storage limit has been increased from 20MB to 40MB. 

Shared external contacts help enable collaboration between users in your organization and any external users who they may need to communicate with frequently, such as consultants and partners. When a user is added as a shared external contact, users in your organization can find the profile information for them in many Google services, such as when they enter addresses in Gmail. 


Getting started 
Rollout pace 
Availability 
  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers 
Resources Google Workspace 

Quick launch summary
Last month, we launched breakout rooms in Google Meet to G Suite Enterprise for Education customers. We’re now making breakout rooms available to Google Workspace, Essentials, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus customers, as well as G Suite Business and Enterprise for Education customers.

In addition, we’re introducing the following new features to improve your experience in breakout rooms:
  • Ask for help: Participants can ask for help when they are in a breakout room, and the moderator can see the request from the moderator panel and join the breakout room.
  • Timer/countdown: The moderator can set up a timer for a breakout session. Participants will see a banner to keep track of how much more time they have in the breakout room. They’ll also be alerted when there are 30 seconds left so that they can wrap up the discussion and, when time is up, participants will be prompted to go back to the main call.
  • Additional supported participants: Dial-in phone participants can now be assigned to breakout rooms. Starting in two weeks, anonymous users will also be able to be added to breakout rooms.
Getting started
  • Admins: There is no admin control for this feature.
  • End users: This feature will be available by default. Visit the Help Center to learn more about using breakout rooms in Meet.
Rollout pace 
Availability
  • Available to Workspace Essentials, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Business and Enterprise for Education customers
  • Not available to Workspace Business Starter, as well as G Suite Basic, Education, and Nonprofits customers
Resources Roadmap

 

What’s changing 
We’re announcing new integrations with our BeyondCorp Alliance partners Check Point and Lookout. The integrations, initially available in beta, are built using the Devices API and enable customers to use third party signals in context-aware access decisions. 


Who’s impacted
Admins 


Why it’s important 
In the BeyondCorp security model, device inventory, state, and security posture are central to making context-aware access decisions. So far, our context-aware access solution has obtained these signals from first-party (i.e. Google) sources, such as Endpoint Verification. However, our vision has always been to help customers fully leverage their existing investments in security tools and controls, and to add key functionality and signals to Google’s context-aware access so that our customers achieve a superior access control security posture. The BeyondCorp Alliance is a group of partners that share our Zero Trust vision and who are committed to working with us to help our joint customers make it a reality. 


Today, we are excited to announce the first integrations (in beta) with our BeyondCorp Alliance partners Check Point and Lookout, to use third party signals in our context-aware access decisions. For example, the mobile threat defence system might detect malware on the device and notify Google about a reduced security assurance, and customer-defined access rules can reduce the level of access allowed from such devices, without impacting access for that user from other devices or for other users. The integrations are built using the new Devices API we announced earlier this year. The API was designed to be used by partners in the BeyondCorp Alliance to add device security metadata, and also by customers to manage their device fleet. 


Getting started 
  • Admins: Google customers who use Check Point or Lookout as their mobile threat defense solutions can benefit from the integration. Visit our Help Center for more information and to learn more about how to set up third-party partner integrations. You can also read blog posts by our partners to learn more about how you can use Check Point or Lookout solutions as part of this integration. 
  • End users: No impact for end users. 
Rollout pace 
Availability 
  • Available to Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, and Enterprise Standard, as well as G Suite Basic, Business, Education, and Nonprofits customers
Resources 

Quick launch summary 
We’re adding a Count API to the Vault API. The Count API enables you to see the number of messages, files, or other data items that match a search query. 


You can use the number of items to estimate the size of the export, and then choose to proceed with the export or adjust the query to retrieve fewer items. This can help ensure a successful export by reducing the likelihood of export errors due to size. 


Getting started 
  • Admins: Visit the API documentation to learn more about the Count API and review an example
  • End users: No end user impact. 
Rollout pace 
Availability 
  • Available to Business Plus, Enterprise Standard, Enterprise Plus, Enterprise for Education, G Suite Business, as well as other customers with the Vault add-on license 
  • Not available to Essentials, Business Starter, and Business Standard customers, as well as G Suite Education, Nonprofits, and Basic customers  
Resources Roadmap 

What’s changing 
We’re launching new APIs in beta to help better identify, audit, and understand indirect group membership (also known as ‘transitive’ or ‘nested’ group membership, see explanation below). The indirect membership visibility, membership hierarchy, and check APIs are part of the Cloud Identity Groups API and enable you to: 
These APIs are currently available as an open beta, which means you can use them without enrolling in a specific beta program. Use our API documentation to learn more. 



Who’s impacted 
Admins and developers 



Why it’s important 
These features will help provide all of the information you need to create visualizations of complex group structures and hierarchies. Having this kind of membership visibility can help you make decisions about who to add to or remove from your groups. 


Customers often use groups to manage access to content and resources within their organization. Using ‘nested’ groups is common as it can decrease duplication, simplify administration, and centralize access management. 


However, nested groups can create a complex hierarchy that can make it hard to understand who ultimately has access to content or resources and why they have access. These APIs simplify finding out these answers by making it easier to identify the direct and indirect members for a group. Some use cases include: 
  • A security team can quickly identify all group memberships and associated nested memberships when a bad actor account is identified. 
  • An admin could perform a deep-dive on group structure for audit and compliance by using the APIs to list and validate direct and indirect members for groups with many nested groups. 
  • A developer could extract group information via the API and feed it to a visualization tool that supports DOT format to make auditing and visualizing complex nested structures easier. 


Additional details 
Indirect memberships, also known as transitive memberships, come from ‘nested’ groups. Nested groups refer to situations where groups are members of other groups. As a result, users in the sub-group are members of both groups. For example, group Y is a member of group X. Users in group Y are direct members of group Y and indirect members of group X. 
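The direct, indirect, and "both" relations described above can be worked through offline on an exported membership list. The following is an added example, not Google's code and not a call to the Cloud Identity API: the edge-list format, function names, and sample addresses are assumptions constructed for illustration. It resolves every group a member belongs to, expands a group's full membership, and emits DOT for a visualization tool.

```python
from collections import defaultdict, deque

# Constructed sample export: (member, group) pairs, one per direct membership.
# A member may be a user or another group (a nested group).
SAMPLE_EDGES = [
    ("group-y@example.com", "group-x@example.com"),      # Y is a member of X
    ("alice@example.com", "group-y@example.com"),
    ("alice@example.com", "group-x@example.com"),        # alice is also direct in X
    ("bob@example.com", "group-y@example.com"),
    ("group-x@example.com", "prod-admins@example.com"),  # X is nested one level deeper
]


def _adjacency(edges, reverse=False):
    """Map each node to its direct groups (or, if reverse, its direct members)."""
    adj = defaultdict(set)
    for member, group in edges:
        if reverse:
            adj[group].add(member)
        else:
            adj[member].add(group)
    return adj


def _relations(start, adj):
    """Breadth-first walk returning {node: 'direct' | 'indirect' | 'both'}."""
    direct = set(adj.get(start, ()))
    indirect = set()
    visited = set(direct)          # each node is queued once, so cycles terminate
    queue = deque(direct)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt == start:       # ignore a loop back to the starting node
                continue
            indirect.add(nxt)      # reached through at least one intermediate group
            if nxt not in visited:
                visited.add(nxt)
                queue.append(nxt)
    result = {}
    for node in direct | indirect:
        if node in direct and node in indirect:
            result[node] = "both"
        elif node in direct:
            result[node] = "direct"
        else:
            result[node] = "indirect"
    return result


def groups_for_member(member, edges):
    """List all groups for a member, with the relation for each."""
    return _relations(member, _adjacency(edges))


def members_of_group(group, edges):
    """Expanded view of a group: direct and indirect members (users and groups)."""
    return _relations(group, _adjacency(edges, reverse=True))


def check_membership(member, group, edges):
    """True if the member belongs to the group directly or through nesting."""
    return group in groups_for_member(member, edges)


def to_dot(edges):
    """Render the membership graph as DOT, with edges pointing member -> group."""
    def quote(name):
        return '"' + name.replace('"', '\\"') + '"'
    lines = ["digraph memberships {"]
    for member, group in sorted(edges):
        lines.append(f"  {quote(member)} -> {quote(group)};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Triage view for one account: every group it reaches, and how.
    for grp, rel in sorted(groups_for_member("bob@example.com", SAMPLE_EDGES).items()):
        print(f"{grp}: {rel}")
    print(to_dot(SAMPLE_EDGES))
```

When an account is flagged, `groups_for_member` gives the full set of groups to review, including those reached only through nesting.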


Getting started 
Rollout pace 
  • This feature is available now for all users in beta. 
Availability 
  • Available to Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to Essentials, Business Starter, Business Standard, and Business Plus, as well as G Suite Basic, Business, Education, and Nonprofits customers
Resources 

What’s changing 
You can now add and remove content restrictions via the Drive API. By using the new ContentRestriction API, any file type in Drive can be “locked,” preventing changes to the item’s content, title, and comments. 

Content restrictions can be added or removed via the API and removed via Google Drive on the web by any user who has at least editor access level for the item. 

Learn more about the new API functions in this Drive ContentRestriction (Locking) API documentation


Who’s impacted 
Admins, end users, and developers 


Why you’d use it 
While Google Drive’s collaborative editing and commenting features are often helpful and beneficial, sometimes it’s important to know that changes are not being made to a document. Locking a file with the ContentRestriction API can help accomplish this, and could be used to: 
  • Lock authoritative versions of documents to create “official” or “final” documents for record keeping. 
  • Prevent changes to documents that are involved in a workflow, automation, or business process. 
  • Freeze activity on a document for a period of reviews or audits. 

Getting started 
Rollout pace 
  • This feature is available now for all users. 
Availability 
  • Available to Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers
Resources Roadmap 

What’s changing 
Dynamic groups let you create a group with membership that is automatically kept up to date with a membership query. Dynamic groups can be based on one or many user attributes, including addresses, locations, organizations, and relations. You can manage dynamic groups in the Cloud Identity Groups API and the Admin console. 

Dynamic groups is currently available as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 
Admins and developers with group create and user read privileges


Why you’d use it 
Dynamic groups work the same as other Google Groups with the added benefit that their memberships are automatically kept up-to-date. This means you can use them for the same functions, including for distribution lists, access-control list (ACL) management, and more. By automating membership management you can increase security, reduce errors, and alleviate user frustration while minimizing the burden on admins. 

Here are some examples of how you can use dynamic groups. You can create groups of: 
  • All users based in your New York office, which you can then use for email communications related to that office location. 
  • All engineers, which you can then use to provide access to specific tools. 


Additional details 
At launch, you won’t be able to manage policies such as context-aware access policies using dynamic groups. Once available, you will be able to create a dynamic group which you could then use to manage specific context-aware access policies. We are working on adding this functionality in the future, and will announce it on the G Suite Updates blog when it’s available. 


Getting started 


Rollout pace 
  • This feature is available now for all eligible users. 
Availability 
  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Essentials, G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 
Resources 

What’s changing 
We’re adding the ability to set expirations for group memberships using the Cloud Identity Groups API. This enables admins to set an amount of time that users are members of a group. Once the specified time has passed, users will be removed from the group automatically. 

Membership expiry is currently available as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 
Admins and developers 


Why it’s important 
Groups are a powerful way to manage permissions and access control in your organization. In many cases, there’s a known amount of time that a user should be a member of a group. This can make managing membership time-consuming, and increases the possibility that a user has overly broad access. 

Automatic membership expiration can help reduce the administrative overhead for managing groups, and can help ensure group membership is limited to the members that need access. This can help: 
  • Increase security by ensuring users do not have long-lived membership in groups, and that your group memberships don’t become too expansive. 
  • Manage security groups by using group membership with our recent launch of security groups.
  • Reduce admin time and administration costs by automating some group management tasks. 
Getting started 
Rollout pace 
  • This feature is available now for all users. 
Availability 
  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, G Suite Essentials, and Cloud Identity Free customers 
Resources 

Quick launch summary 
We recently announced betas for two new features related to service accounts. Now, these features are generally available: 
  • Support for service accounts in Google Groups, which makes it easier to use service accounts with groups while increasing security and transparency. Learn more
  • Use service accounts with Google Groups APIs without domain-wide delegation, which enables service accounts to perform critical business processes without compromising your strong security and compliance posture. Learn more

Groups are a critical tool for customers to manage their G Suite deployment. Many customers use service accounts with Groups to automate user management, manage migrations, and integrate G Suite with other apps, tools, and services. Use the announcements linked above to learn more about the features and how you can use them. 

Learn more about these and other launches in our Security Blog post highlighting 10 new security and management controls for security at scale

Service accounts in Google Groups 

Getting started 
Rollout pace 
Availability 
  • Available to all G Suite customers 
Resources 

Quick launch summary 
We’re adding two new APIs to the Admin SDK Directory API:


Sign user out of all sessions 
This new endpoint allows an admin to programmatically sign a user out of all web and device sessions. This can help manage account access when users leave an organization, if a device is lost or misplaced, or if a user forgot to sign out of a shared device. We do not recommend using this to sign users out and force a sign-in periodically; you can explore the Google web session control feature for that use case. 


Turn off 2-Step Verification 
This new endpoint allows an admin to turn 2-Step Verification (2SV) off programmatically. This action also removes all 2SV methods on the account. Note that in some cases, 2SV cannot be turned off for a user due to other policies that may be in effect. For example, a user may be enrolled in the Advanced Protection Program, or “2SV enforced” is turned on; in such cases the API will fail with an appropriate error code and message. 

Note that both of these actions can already be performed via the Admin console. The current launch makes them accessible via API as well so they can be integrated into automated offboarding workflows. 


Getting started 
  • Admins and developers: This feature will be available via the Admin SDK Directory API. Use the API documentation to learn more about the new endpoints to sign users out or turn off 2-Step Verification
  • End users: There is no end user setting for this feature. 
Rollout pace  
Availability 
  • Available to all G Suite customers 
Resources 

What’s changing 
We’re making security groups available in beta. Security groups help you easily regulate, audit, and monitor groups used for permission and access control purposes. They enable admins to: 
  • Apply a label to any existing Google Group to distinguish it from email-list groups. 
  • Provide strong guarantees that: 
    • External groups (owned outside your organization) and non-security groups cannot be added as a member of a security group. 
    • Security labels, once assigned to a group, cannot be removed. 
Soon, you’ll be able to use more granular admin roles to separate administration of security and non-security groups. Keep an eye on the G Suite Updates blog for an announcement when that rolls out. 


Who’s impacted 
Admins and developers 


Why you’d use it 
Groups are used in a variety of ways. This can include groups that help teams communicate and collaborate, as well as groups that control access to important apps and resources. Security groups can help customers manage these categories of groups differently to increase their overall security posture. 

For example, if you have compliance or regulatory requirements for managing access control, you may have set up naming conventions to keep track of which groups were used for this purpose. With security groups, you can now assign a security label to these groups and more easily manage them without having to use workarounds like naming conventions. 


Getting started 
Rollout pace 
  • This feature is available now for all users in beta. 
Availability 
  • Available to all G Suite customers 
Resources