Managing groups in the Cloud Console

Google groups can help you manage users at scale. Each member of a Google group inherits the Identity and Access Management (IAM) roles granted to that group. This inheritance means that you can use a group's membership to manage users' roles instead of granting IAM roles to individual users.

You can create and manage groups for your organization in the Google Cloud Console.
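
The inheritance described above can be checked offline before you change a group's membership. The following is an added example, not code from the original page or from Google: it resolves which roles a user holds directly or through groups, and which roles any new member of a group would inherit, and it goes beyond the text by also following nested groups. The policy, group names, and membership data are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data; POLICY has the shape of `gcloud projects get-iam-policy --format=json` output.
POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["group:eng@example.com"]},
    {"role": "roles/storage.admin", "members": ["group:data-admins@example.com"]},
    {"role": "roles/logging.viewer", "members": ["user:alice@example.com"]},
]}
GROUP_MEMBERS = {  # group email -> direct members; a member may itself be a group
    "eng@example.com": ["alice@example.com", "data-admins@example.com"],
    "data-admins@example.com": ["bob@example.com"],
}

def groups_of(principal, group_members):
    """Every group that contains the principal, directly or through nested groups."""
    parents = defaultdict(set)
    for group, members in group_members.items():
        for member in members:
            parents[member.lower()].add(group.lower())
    found, stack = set(), [principal.lower()]
    while stack:
        for group in parents[stack.pop()]:
            if group not in found:  # the seen-set also stops loops in bad export data
                found.add(group)
                stack.append(group)
    return found

def _roles(policy, user, groups):
    """role -> sources ('direct' or a group email). Binding conditions are ignored, so conditional grants are over-reported."""
    roles = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind == "user" and ident.lower() == user:
                roles[binding["role"]].add("direct")
            elif kind == "group" and ident.lower() in groups:
                roles[binding["role"]].add(ident.lower())
    return {role: sorted(sources) for role, sources in roles.items()}

def effective_roles(user, policy=POLICY, group_members=GROUP_MEMBERS):
    """Roles a user holds, directly or inherited through group membership."""
    return _roles(policy, user.lower(), groups_of(user, group_members))

def roles_if_added(group, policy=POLICY, group_members=GROUP_MEMBERS):
    """Roles any new member of `group` would inherit; review this before adding someone."""
    groups = {group.lower()} | groups_of(group, group_members)
    return _roles(policy, None, groups)

if __name__ == "__main__":
    print(effective_roles("bob@example.com"), roles_if_added("data-admins@example.com"))
```
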

Required permissions

You need the following permissions to manage groups in the Cloud Console.

Cloud Identity permissions

To create, view, edit, and delete groups, in the Cloud Console or elsewhere, you need the appropriate Cloud Identity permissions. These permissions are managed by Cloud Identity, not IAM. To gain these permissions, contact your organization's administrator.

To learn about Cloud Identity permissions, see Set who can view, post, & moderate.

IAM permissions

To use the Cloud Console to manage groups, you need a role that includes the resourcemanager.organizations.get permission.

To gain this permission while following the principle of least privilege, ask your administrator to grant you the Organization Viewer role (roles/resourcemanager.organizationViewer).

Alternatively, your administrator can grant you a different role with the required permission, such as a custom role or a more permissive predefined role.

Viewing groups

To view the Google groups in your organization that you have access to, follow these steps:

  1. In the Cloud Console, go to the Groups page.

  2. Select the organization whose groups you want to view.

The Cloud Console displays all the groups in your organization that you can access.

Creating a group

To create a group, follow these steps:

  1. In the Cloud Console, go to the Groups page.

  2. Click Create.

  3. Fill in your group's details, including the group's name, email address, and an optional description.

  4. To add members to the group, click Add member, then enter the member's email and choose their Google Groups role.

  5. When you are finished, click Submit to create the group.

Viewing and editing group details

To view and edit the details of a group, including the group name, description, and membership, follow these steps:

  1. In the Cloud Console, go to the Groups page.

  2. Find the group whose details you want to view, click in that row, and then click View group details.

  3. To edit the group name or description, type your new name or description in the Group name or Group description field and click Save.

  4. To edit the group's membership, do the following:

    • To add members: Click Add members at the top of the page. Enter the names of the members you want to add, choose their Google Groups roles, then click Add to add them to the group.

    • To remove members: Select the checkboxes next to the names of the members you want to remove, then click Remove members at the top of the page.

Managing a group in Google Groups

Some groups have features (such as moderation settings, joining rules, and permissions for creating and viewing posts) that you cannot manage from the Cloud Console. To manage these features, you need to open the group in Google Groups.

To open a group in Google Groups, follow these steps:

  1. In the Cloud Console, go to the Groups page.

  2. Find the group that you want to manage, click in that row, and then click View in Google Groups.

This action opens the group in Google Groups, where you can manage all of your group's features. For more information, see the Google Groups help page.

Deleting a group

To delete a group, follow these steps:

  1. In the Cloud Console, go to the Groups page.

  2. Find the group that you want to delete, click in that row, and then click Delete group.

  3. Confirm that you want to delete the group by clicking Confirm in the confirmation dialog.

Viewing group membership change logs

If data sharing is enabled for your organization, Google Cloud will automatically generate logs any time someone changes your groups' membership. You can view these logs on the Activity page in the Cloud Console.

To enable data sharing for your organization, follow these steps:

  1. Sign in to your Admin console.

  2. From the Admin console home page, go to Account > Account Settings. Find the Legal & compliance section.

  3. In the Sharing options section, set Google Cloud Platform Sharing Options to Enabled and click Save.

To view group membership change logs, follow these steps:

  1. In the Cloud Console, go to the Activity page.

  2. In the Categories section of the Filters menu, select Configuration as the activity type and Audited resource as the resource type.

The Cloud Console displays all changes to group membership that have occurred since sharing was enabled, along with the user who performed each change.
