Groups API overview

The Cloud Identity Groups API allows you to create and manage different types of groups, each of which supports different features, as well as their memberships.

Group types

A group is a collection of entities, where each entity can be either another group or a user. The Cloud Identity Groups API supports the following group types:

Google Groups

Google Groups have an email address and are frequently used as mailing lists. Google Groups can also be used across many Google products. For example. you can share a Google Doc with a group, invite a group to a Google Calendar event, or use a group for access management in IAM. A Google Group is the default group type.

Dynamic groups

Dynamic groups are Google Groups whose memberships are automatically managed using a membership query or a query on employee attributes, such as job role or building location. For example, a membership query might be "all users whose job role is Technical Writer in my organization."

Security groups

A security group is similar to a Google Group, but is used specifically for controlling access to organizational resources. A security group is created by updating a Google Group to a security group.

Identity-mapped groups

An identity-mapped group is a group containing users and groups synced from a non-Google identity source, such as Active Directory. Identity-mapped groups allow Google Cloud Search to recognize users and groups, and their permissions to searched documents, stored in an external identity source. For example, you might have a user example_user_org@your_domain.com who has certain permissions to documents. This user can be synced to example_user@your_domain.com so that Google Cloud Search recognizes their same permissions to the same documents.

To sync identity-mapped groups in Google Cloud Search, you must create an identity connector. If you are using Java, you can create an identity connector using the Google Cloud Search Java SDK. If you want to use a REST API, you can use the Cloud Identity Groups API. For further information on identity connectors, refer to Sync different identity systems in the Cloud Search documentation.

Group properties

Each group, regardless of type, has the following properties:

Label
The label identifies the type of group:
  • Google Groups: cloudidentity.googleapis.com/groups.discussion_forum
  • Dynamic groups: cloudidentity.googleapis.com/groups.dynamic
  • Security groups: cloudidentity.googleapis.com/groups.security (this label is in addition to cloudidentity.googleapis.com/groups.discussion_forum, because security groups are based on Google Groups)
  • Identity-mapped groups: system/groups/external
Entity key

An entity key is a human-readable unique identifier for the group:

  • Google Groups, dynamic groups, and security groups: the email address of the group
  • Identity-mapped groups: a string qualified with a namespace. The namespace is established when you create an identity source in Google Cloud Search. For further information on identity sources, refer to Sync different identity systems in the Cloud Search documentation.
Parent

A parent is the resource to which the group belongs. For Google Groups, dynamic groups, and security groups, the parent is the customer who owns the domain. For an identity-mapped group, the parent is the identity source from which the group is synced.

Display name

The display name is the name of the group as it appears in Google products.

Memberships and membership properties

An entity that belongs to a group is referred to as a member and its relationship with that group is referred to as a membership. Entities can be users, groups, or service accounts. A membership has the following properties:

Preferred member key
A preferred member key is a human-readable unique identifier for the member. For a Google Group or an individual user, the preferred member key is the email address of the group or user. For an identity-mapped group, the preferred member key is a string qualified with a namespace.
Membership roles

Membership roles represent the permissions that the member has in the group. The supported roles are as follows:

  • MEMBER, which has no special permissions. Every membership must have at least the MEMBER membership role.

  • OWNER, which has broad permissions, such as managing other OWNERs or deleting the group.

  • MANAGER, which has fewer permissions than an OWNER, but more than a MEMBER, such as managing other MANAGERs.

The permissions that a specific membership role has in a group can be customized in the Google Groups web interface or in the Google Admin console. For more information, see Set who can view, post & moderate.

You can import users and groups that aren't already in Cloud Identity as an external identity source. You must first create an identity source for your organization, then import user and group information into Cloud Identity.

Next steps

Here are a few next steps you might take: