The Cloud Identity Groups API lets you create and manage different types of groups, each of which supports different features, as well as their memberships.
Note: The Cloud Identity Groups API only works with Google Groups for Business (https://support.google.com/a/answer/33329). If you want to create and manage non-business Google Groups, use the Google Groups web interface (https://groups.google.com).
Group types
A group is a collection of entities, where each entity can be either another group or a user. The Cloud Identity Groups API supports the following group types.
Google Groups
Google Groups have an email address and are frequently used as mailing lists. Google Groups can also be used across many Google products. For example, you can share a Google Doc with a group, invite a group to a Google Calendar event, or use a group for access management in IAM. A Google Group is the default group type.
Dynamic groups
Dynamic groups are Google Groups whose memberships are managed automatically by a membership query or a query on employee attributes, such as job role or building location. For example, a membership query might be "all users whose job role is Technical Writer in my organization".
Note: Dynamic groups are only available to Google Workspace Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium accounts. You can create up to 500 dynamic groups per customer. This limit can be raised case by case; contact Google Workspace Support (https://support.google.com/a/answer/1047213) with your specific use case to request an increase.
Security groups
A security group is similar to a Google Group, but is used specifically for controlling access to organizational resources. A security group is created by updating a Google Group to a security group.
Warning: A security group cannot be changed back to a Google Group.
Locked groups
A locked group (https://support.google.com/a?p=locked-groups) is a Google Group that administrators have locked to prevent it from getting out of synchronization with an external source, such as an identity provider. Administrators can also lock a Google Group to increase security for sensitive groups. When a Google Group is locked, edits to its core attributes and memberships are restricted to a subset of administrators: standard group owners, managers, and members can still update settings such as message moderation or posting permissions, but changes to core attributes and memberships are limited to authorized administrators, typically those holding a role such as Groups Admin or Groups Editor with a condition that includes locked groups.
POSIX groups (deprecated)
Caution: POSIX groups are deprecated (/identity/docs/deprecations). As of September 26, 2024, you can no longer create new POSIX groups. For more information, see POSIX groups deprecation (/identity/docs/deprecations/posix-groups).
A POSIX group is a Google Group that is used to manage group membership in LDAP environments. A POSIX group is created by updating a Google Group with POSIX data. The POSIX group data includes a group name and a group ID (GID).
POSIX groups are integrated with Google Cloud and are used by VMs in your organization that have OS Login enabled.
Note: You must use the beta version of the Cloud Identity Groups API to manage POSIX groups.
Identity-mapped groups
An identity-mapped group is a group containing users and groups synced from a non-Google identity source, such as Active Directory. Identity-mapped groups allow Google Cloud Search (https://developers.google.com/cloud-search) to recognize users and groups stored in an external identity source, together with their permissions to searched documents. For example, you might have a user example_user_org@your_domain.com who has certain permissions to documents. This user can be synced to example_user@your_domain.com so that Google Cloud Search recognizes the same permissions to the same documents.
Cloud Identity Groups API group creation requests are permitted only from service accounts.
To sync identity-mapped groups in Google Cloud Search, you must create an identity connector. If you are using Java, you can create an identity connector with the Google Cloud Search Java SDK. If you want to use a REST API, you can use the Cloud Identity Groups API. For more information on identity connectors, see Sync different identity systems (https://developers.google.com/cloud-search/docs/guides/identity-mapping) in the Cloud Search documentation.
Note: Identity-mapped groups can only be created and accessed through the Groups API. For example, you cannot view them in the Google Admin console.
Group properties
Each group, regardless of type, has the following properties.
Label
The label identifies the type of group:
Google Groups: cloudidentity.googleapis.com/groups.discussion_forum
Dynamic groups: cloudidentity.googleapis.com/groups.dynamic
Security groups: cloudidentity.googleapis.com/groups.security (in addition to cloudidentity.googleapis.com/groups.discussion_forum, because security groups are based on Google Groups)
Locked groups: cloudidentity.googleapis.com/groups.locked (in addition to cloudidentity.googleapis.com/groups.discussion_forum, because locked groups are based on Google Groups)
POSIX groups: cloudidentity.googleapis.com/groups.posix (in addition to cloudidentity.googleapis.com/groups.discussion_forum, because POSIX groups are based on Google Groups)
Identity-mapped groups: system/groups/external
Entity key
An entity key is a human-readable unique identifier for the group:
Google Groups, dynamic groups, and security groups: the email address of the group
Identity-mapped groups: a string qualified with a namespace. The namespace is established when you create an identity source in Google Cloud Search. For more information on identity sources, see Sync different identity systems (https://developers.google.com/cloud-search/docs/guides/identity-mapping) in the Cloud Search documentation.
Parent
The parent is the resource to which the group belongs. For Google Groups, dynamic groups, and security groups, the parent is the customer who owns the domain. For an identity-mapped group, the parent is the identity source from which the group is synced.
Display name
The display name is the name of the group as it appears in Google products.
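The label, entity key, and parent properties above are what a client actually has to reason about when it reads group resources back from the API, and the security-relevant invariants (a security, locked, or POSIX label only makes sense on top of the discussion_forum label; an identity-mapped group is keyed by a namespace and owned by an identity source; a security group can never be turned back into a plain Google Group) are easy to get wrong. The following Python is an added example, not code from this page or from Google: it classifies constructed group resources by their labels, reports inconsistencies, and builds the groups.patch label update that turns a Google Group into a security group while refusing the reverse. The resource field names (groupKey.id, groupKey.namespace, parent, labels as a map whose values are empty strings) and the customers/ and identitysources/ parent prefixes are assumed from the API's resource format rather than stated on this page; all sample groups are constructed, not fetched from an account.

```python
"""Classify Cloud Identity Groups API group resources by their labels and
check that entity key and parent are consistent with the group type.

Field names (groupKey.id, groupKey.namespace, parent, labels as a map of
label -> "") are assumed from the Groups API resource format. The group
resources below are constructed sample data, not fetched from an account;
a real client would obtain them with groups.get / groups.list."""

DISCUSSION_FORUM = "cloudidentity.googleapis.com/groups.discussion_forum"
DYNAMIC = "cloudidentity.googleapis.com/groups.dynamic"
SECURITY = "cloudidentity.googleapis.com/groups.security"
LOCKED = "cloudidentity.googleapis.com/groups.locked"
POSIX = "cloudidentity.googleapis.com/groups.posix"
EXTERNAL = "system/groups/external"

# Labels that only exist on top of a Google Group (discussion_forum).
GOOGLE_GROUP_ADDONS = {SECURITY, LOCKED, POSIX}

SAMPLE_GROUPS = [  # constructed sample data
    {"name": "groups/01a", "groupKey": {"id": "eng-all@example.com"},
     "parent": "customers/C01234567", "displayName": "Engineering",
     "labels": {DISCUSSION_FORUM: ""}},
    {"name": "groups/02b", "groupKey": {"id": "prod-admins@example.com"},
     "parent": "customers/C01234567", "displayName": "Prod admins",
     "labels": {DISCUSSION_FORUM: "", SECURITY: "", LOCKED: ""}},
    {"name": "groups/03c", "groupKey": {"id": "tech-writers@example.com"},
     "parent": "customers/C01234567", "displayName": "Tech writers",
     "labels": {DYNAMIC: ""}},
    {"name": "groups/04d",
     "groupKey": {"id": "CN=FileShareReaders", "namespace": "identitysources/0abc123"},
     "parent": "identitysources/0abc123", "displayName": "FileShareReaders",
     "labels": {EXTERNAL: ""}},
    # Inconsistent on purpose: a security label without the base label.
    {"name": "groups/05e", "groupKey": {"id": "broken@example.com"},
     "parent": "customers/C01234567", "displayName": "Broken",
     "labels": {SECURITY: ""}},
]


def classify_group(group: dict) -> dict:
    """Return {"kind", "addons", "problems"} for one group resource."""
    labels = set(group.get("labels", {}))
    key = group.get("groupKey", {})
    parent = group.get("parent", "")
    problems = []
    addons = sorted(label.rsplit(".", 1)[-1] for label in labels & GOOGLE_GROUP_ADDONS)

    if EXTERNAL in labels:
        kind = "identity-mapped"
        # Keyed by a namespace-qualified string and owned by an identity source.
        if not key.get("namespace"):
            problems.append("identity-mapped group without groupKey.namespace")
        if not parent.startswith("identitysources/"):
            problems.append(f"parent {parent!r} is not an identity source")
        if labels & ({DISCUSSION_FORUM, DYNAMIC} | GOOGLE_GROUP_ADDONS):
            problems.append("identity-mapped group also carries Google Group labels")
        return {"kind": kind, "addons": addons, "problems": problems}

    if DYNAMIC in labels:
        kind = "dynamic"
    elif SECURITY in labels:
        kind = "security"
    elif DISCUSSION_FORUM in labels:
        kind = "google-group"
    else:
        kind = "unknown"
        problems.append(f"no type label among {sorted(labels)}")
    if addons and DISCUSSION_FORUM not in labels:
        problems.append(f"{addons} are only valid on top of the discussion_forum label")
    # Google-Group-based types are keyed by email and owned by the customer.
    if "@" not in key.get("id", ""):
        problems.append(f"entity key {key.get('id')!r} is not an email address")
    if not parent.startswith("customers/"):
        problems.append(f"parent {parent!r} is not a customer")
    return {"kind": kind, "addons": addons, "problems": problems}


def label_patch(group: dict, new_labels: set) -> tuple:
    """Build (updateMask, body) for a groups.patch that rewrites the labels.

    Applies the page's warning client-side: once a group carries the security
    label, a patch that would drop it is refused here rather than at the API."""
    current = set(group.get("labels", {}))
    if SECURITY in current and SECURITY not in new_labels:
        raise ValueError("a security group cannot be changed back to a Google Group")
    if new_labels & GOOGLE_GROUP_ADDONS and DISCUSSION_FORUM not in new_labels:
        raise ValueError("security/locked/posix labels require the discussion_forum label")
    return "labels", {"labels": {label: "" for label in sorted(new_labels)}}


def to_security_group(group: dict) -> tuple:
    """Patch that turns a Google Group into a security group (irreversible)."""
    return label_patch(group, set(group.get("labels", {})) | {SECURITY})


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["groupKey"]["id"], classify_group(g))
    print(to_security_group(SAMPLE_GROUPS[0]))
```

Run over a real groups.list response, the classifier gives you an inventory of which groups are security groups (and therefore gate resource access) versus plain mailing lists, and the patch guard keeps automation from attempting the one label change the service will never honour.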
Memberships and membership properties
An entity that belongs to a group is called a member, and its relationship with that group is called a membership. Entities can be users, groups, or service accounts. A membership has the following properties.
Preferred member key
A preferred member key is a human-readable unique identifier for the member. For a Google Group or an individual user, the preferred member key is the email address of the group or user. For an identity-mapped group, the preferred member key is a string qualified with a namespace.
Membership roles
Membership roles represent the permissions that the member has in the group. The supported roles are as follows:
MEMBER: has no special permissions. Every membership must have at least the MEMBER membership role.
OWNER: has broad permissions, such as managing other OWNERs or deleting the group.
MANAGER: has fewer permissions than an OWNER but more than a MEMBER, such as managing other MANAGERs.
The permissions that a specific membership role has in a group can be customized in the Google Groups web interface (https://groups.google.com) or in the Google Admin console (https://admin.google.com). For more information, see Set who can view, post & moderate (https://support.google.com/groups/answer/2464975).
You can import users and groups that aren't already in Cloud Identity as an external identity source. You must first create an identity source (/identity/docs/overview) for your organization, then import user and group information into Cloud Identity.
Note: The Google Groups web interface supports other membership roles such as BANNED. Those memberships do not appear in, and cannot be managed through, the Cloud Identity Groups API.
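Because an OWNER can delete the group or promote other owners, and a MANAGER can manage other managers, the owner and manager memberships of a security group are exactly the set of principals who can change who has access to whatever that group gates. The Python below is an added example, not code from this page or from Google: it audits a constructed list of membership resources against a least-privilege policy (who holds OWNER or MANAGER, whether any of them sits outside the organisation's domains or is a service account whose key could be impersonated, and whether every membership carries the MEMBER role the API requires), and builds a memberships.create body that enforces the MEMBER rule and rejects roles such as BANNED that the API does not expose. The field names (preferredMemberKey.id, roles as a list of {"name": ...} objects) are assumed from the API's membership resource format; the trusted-domain list and the owner cap are policy choices made up for the example, and the memberships are constructed, not fetched from an account.

```python
"""Audit the memberships of a sensitive group (for example, a security group)
for least-privilege problems.

Field names (preferredMemberKey.id, roles as a list of {"name": ...}) are
assumed from the Groups API membership resource. The memberships below are
constructed sample data, not fetched from an account; a real client would
page through memberships.list for the group."""

API_ROLES = ("MEMBER", "MANAGER", "OWNER")  # the only roles the API exposes

SAMPLE_MEMBERSHIPS = [  # constructed; memberships of an imagined security group
    {"preferredMemberKey": {"id": "alice@example.com"},
     "roles": [{"name": "MEMBER"}, {"name": "OWNER"}]},
    {"preferredMemberKey": {"id": "bob@example.com"},
     "roles": [{"name": "MEMBER"}, {"name": "MANAGER"}]},
    {"preferredMemberKey": {"id": "contractor@partner.example"},
     "roles": [{"name": "MEMBER"}, {"name": "OWNER"}]},
    {"preferredMemberKey": {"id": "deploy-bot@proj.iam.gserviceaccount.com"},
     "roles": [{"name": "MEMBER"}, {"name": "OWNER"}]},
    # A nested group looks like a user here: its key is also an email address.
    {"preferredMemberKey": {"id": "oncall@example.com"},
     "roles": [{"name": "MEMBER"}]},
    # Malformed: the API requires MEMBER on every membership.
    {"preferredMemberKey": {"id": "mallory@example.com"},
     "roles": [{"name": "OWNER"}]},
]


def audit_memberships(memberships, trusted_domains, max_owners=2):
    """Return {"owners", "managers", "findings"} for a list of memberships.

    trusted_domains and max_owners are policy inputs chosen for this example."""
    trusted = {d.lower() for d in trusted_domains}
    owners, managers, findings = [], [], []
    for m in memberships:
        key = m["preferredMemberKey"]["id"]
        roles = {r["name"] for r in m.get("roles", [])}
        domain = key.rsplit("@", 1)[-1].lower()
        if "MEMBER" not in roles:
            findings.append(f"{key}: membership without the MEMBER role")
        for role in sorted(roles - set(API_ROLES)):
            findings.append(f"{key}: {role} is not a Groups API role")
        if not roles & {"OWNER", "MANAGER"}:
            continue  # plain members cannot change the group or its membership
        label = "OWNER" if "OWNER" in roles else "MANAGER"
        (owners if label == "OWNER" else managers).append(key)
        if domain.endswith(".gserviceaccount.com"):
            # Whoever can mint a token for this service account controls the group.
            findings.append(f"{key}: service account holds {label}")
        elif domain not in trusted:
            findings.append(f"{key}: {label} outside trusted domains")
    if len(owners) > max_owners:
        findings.append(f"{len(owners)} owners, more than the {max_owners} allowed")
    return {"owners": sorted(owners), "managers": sorted(managers), "findings": findings}


def membership_body(email: str, *extra_roles: str) -> dict:
    """Body for memberships.create: MEMBER is always present, and only the
    three API roles are accepted (BANNED and other web-UI roles are not)."""
    for role in extra_roles:
        if role not in API_ROLES:
            raise ValueError(f"{role} is not a Groups API membership role")
    roles = ["MEMBER"] + [r for r in extra_roles if r != "MEMBER"]
    return {"preferredMemberKey": {"id": email}, "roles": [{"name": r} for r in roles]}


if __name__ == "__main__":
    report = audit_memberships(SAMPLE_MEMBERSHIPS, {"example.com"})
    print("owners:", report["owners"])
    print("managers:", report["managers"])
    for finding in report["findings"]:
        print("-", finding)
```

Note that a nested group and a user are indistinguishable by preferred member key alone (both are email addresses); to follow access through nested groups you need to resolve each member's key against the groups you know about, or use the API's transitive membership lookups.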
Next steps
To set up the API, see Setting up the Groups API (/identity/docs/how-to/setup).
To create and manage Google Groups, see Creating and searching for Google Groups (/identity/docs/how-to/create-google-groups).
To learn more about dynamic groups, see the Dynamic groups overview (/identity/docs/concepts/overview-dynamic-groups).
To update a Google Group to a security group, see Update a Google Group to a security group (/identity/docs/how-to/update-group-to-security-group).
To create and manage identity-mapped groups, see Creating and searching for identity-mapped groups (/identity/docs/how-to/create-identity-groups).
Last updated: 2024-12-21 (UTC)