Most Google Cloud APIs grant permissions to users, groups, or service accounts based on their IAM roles. However, the Cloud Identity Groups API grants permissions based on these three authorization modes:
- Admin authorization
- Non-admin authorization
- Namespace authorization
This guide explains each of these authorization modes.
The Admin authorization mode grants a user full access to all Google Groups in a domain. Any user who has the groups administrator privilege has Admin authorization. Only the super administrator for the domain can grant a user the groups administrator privilege.
For more information on granting groups administrator privilege, refer to Assign administrator roles to a user.
Non-admin authorization is an authorization mode for Google Groups that grants non-administrator users access to Google Groups based on the domain settings, group's settings and, in the case of permissions on an individual group, their membership roles in that groups.
By default, all users are able to create groups in that domain. However, domain administrators can modify the domain settings for Google Groups using the Admin Console. For information on modifying domain settings, refer to Set Groups for Business sharing options.
The owners are able to set the permissions for each membership role for a group. Default settings are as follows:
Non-members can see the group and its details when calling read-only
GroupsServiceAPIs. They can also see memberships and their details when calling read-only
Members have the same permissions as non-members.
Managers have all the permissions of members, plus the permission to manage memberships and membership roles for non-owner members.
Owners have all the permissions of managers, plus the permissions to modify the group's metadata, delete a group, and manage all memberships and membership roles.
To modify group settings, Create a group and choose group settings.
Namespace authorization is an authorization mode for identity groups that grants service accounts access to identity groups synced from the same identity source. Namespace authorization can only be granted by Cloud Search.