Authentication and authorization
Most Google Cloud APIs grant permissions to users, groups, or service accounts based on their IAM roles. However, the Cloud Identity Groups API grants permissions based on these three authorization modes:
Admin authorization
Non-admin authorization
Namespace authorization
This guide explains each of these authorization modes.
Admin authorization
The Admin authorization mode grants a user full access to all Google Groups in a domain. Any user who has the groups administrator privilege has Admin authorization. Only the super administrator for the domain can grant a user the groups administrator privilege.
Non-admin authorization
Non-admin authorization is an authorization mode for Google Groups that grants non-administrator users access to Google Groups based on the domain settings, the group's settings and, in the case of permissions on an individual group, their membership roles in that group.
By default, all users can create groups in the domain. However, domain administrators can modify the domain settings for Google Groups using the Admin Console. For information on modifying domain settings, refer to Set Groups for Business sharing options.
Owners can set the permissions for each membership role for a group. The default settings are as follows:
Non-members can see the group and its details when calling read-only GroupsService APIs. They can also see memberships and their details when calling read-only MembershipsService APIs.
Members have the same permissions as non-members.
Managers have all the permissions of members, plus the permission to manage memberships and membership roles for non-owner members.
Owners have all the permissions of managers, plus the permissions to modify the group's metadata, delete the group, and manage all memberships and membership roles.
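The default rules above, together with the Admin authorization override, can be written as a small decision function for reviewing who can do what in a group. This is an added example, not Google's code: the action labels (`read_group`, `manage_membership`, and so on) and the `group_admins` parameter are hypothetical names, and the sample memberships are constructed data shaped like the API's membership resources.

```python
from enum import IntEnum

class Role(IntEnum):
    NON_MEMBER = 0
    MEMBER = 1
    MANAGER = 2
    OWNER = 3

# Constructed sample data (not real accounts).
SAMPLE_MEMBERSHIPS = [
    {"preferredMemberKey": {"id": "alice@example.com"},
     "roles": [{"name": "MEMBER"}, {"name": "OWNER"}]},
    {"preferredMemberKey": {"id": "bob@example.com"},
     "roles": [{"name": "MEMBER"}, {"name": "MANAGER"}]},
    {"preferredMemberKey": {"id": "carol@example.com"},
     "roles": [{"name": "MEMBER"}]},
]

READ_ACTIONS = {"read_group", "read_memberships"}    # hypothetical labels
OWNER_ACTIONS = {"modify_metadata", "delete_group"}  # hypothetical labels

def highest_role(user, memberships):
    """Highest membership role the user holds; NON_MEMBER if absent."""
    best = Role.NON_MEMBER
    for m in memberships:
        if m["preferredMemberKey"]["id"] == user:
            for r in m.get("roles", []):
                best = max(best, Role.__members__.get(r["name"], Role.NON_MEMBER))
    return best

def is_allowed(user, action, memberships, target=None, group_admins=frozenset()):
    """Decide an action under the default per-role settings described above."""
    if user in group_admins:
        return True   # Admin authorization: full access to every group
    role = highest_role(user, memberships)
    if action in READ_ACTIONS:
        return True   # default: non-members can read too
    if action in OWNER_ACTIONS:
        return role == Role.OWNER
    if action == "manage_membership":
        if role == Role.OWNER:
            return True
        # Managers may manage memberships of non-owner members only.
        return role == Role.MANAGER and highest_role(target, memberships) != Role.OWNER
    return False      # anything not listed is denied

def users_who_can(action, memberships):
    """Users in the group allowed to perform the action (no target)."""
    ids = [m["preferredMemberKey"]["id"] for m in memberships]
    return [u for u in ids if is_allowed(u, action, memberships)]
```

Because owners can change the per-role permissions, a real review should compare the group's actual settings against these defaults before relying on the result.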
Namespace authorization
Namespace authorization is an authorization mode for identity groups that grants service accounts access to identity groups synced from the same identity source. Namespace authorization can only be granted by Cloud Search.