# Groups API overview

The Cloud Identity Groups API lets you create and manage different types of groups, each of which supports different features, as well as their memberships.

| **Note:** The Cloud Identity Groups API only works with [Google Groups for Business](https://support.google.com/a/answer/33329). If you want to create and manage non-business Google Groups, use the [Google Groups web interface](https://groups.google.com).

Group types
-----------

A *group* is a collection of *entities*, where each entity can be either another group or a user. The Cloud Identity Groups API supports the following group types:

*Google Groups*
: Google Groups have an email address and are frequently used as mailing lists. Google Groups can also be used across many Google products. For example, you can share a Google Doc with a group, invite a group to a Google Calendar event, or use a group for access management in IAM. A Google Group is the default group type.

*Dynamic groups*
: Dynamic groups are Google Groups whose memberships are managed automatically using a membership query or a query on employee attributes, such as job role or building location. For example, a membership query might be "all users in my organization whose job role is Technical Writer."

  | **Note:** Dynamic groups are only available to Google Workspace Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium accounts. You can create up to 500 dynamic groups per customer. This limit can be raised case by case; contact [Google Workspace Support](https://support.google.com/a/answer/1047213) with your specific use case to request an increase.

*Security groups*
: A security group is similar to a Google Group, but is used specifically for controlling access to organizational resources. You create a security group by updating a Google Group to a security group.

  | **Warning:** A security group cannot be changed back to a Google Group.

*Locked groups*
: A [locked](https://support.google.com/a?p=locked-groups) group is a Google Group that administrators have locked to prevent it from getting out of sync with an external source, such as an identity provider. Administrators can also lock a Google Group to increase security for sensitive groups. When a Google Group is locked, edits to its core attributes and memberships are restricted to a subset of administrators.

  While standard group owners, managers, and members can still update settings such as message moderation or posting permissions, modifications to the following attributes are limited to authorized administrators. Authorized administrators are typically those with specific roles or conditions, such as `Groups Admin` or `Groups Editor` with a condition that includes locked groups.

*POSIX groups* (Deprecated)
: | **Caution:** POSIX groups are [deprecated](/identity/docs/deprecations). As of September 26, 2024, you can no longer create new POSIX groups. For more information, see [POSIX groups deprecation](/identity/docs/deprecations/posix-groups).

  A POSIX group is a Google Group that is used to manage group membership in LDAP environments. A POSIX group is created by updating a Google Group with POSIX data. The POSIX group data includes a group name and a group ID (GID).

  POSIX groups are integrated with Google Cloud and are used by VMs in your organization that have OS Login enabled.

  | **Note:** You must use the beta version of the Cloud Identity Groups API to create and manage POSIX groups.

*Identity-mapped groups*
: An identity-mapped group contains users and groups synced from a non-Google identity source, such as Active Directory. Identity-mapped groups allow [Google Cloud Search](https://developers.google.com/cloud-search) to recognize users and groups stored in an external identity source, together with their permissions to searched documents. For example, you might have a user `example_user_org@your_domain.com` who has certain permissions to documents. This user can be synced to `example_user@your_domain.com` so that Google Cloud Search recognizes their same permissions to the same documents.

  Cloud Identity Groups API group creation requests are permitted only from service accounts.

  To sync identity-mapped groups in Google Cloud Search, you must create an identity connector. If you are using Java, you can create an identity connector using the Google Cloud Search Java SDK. If you want to use a REST API, you can use the Cloud Identity Groups API. For further information on identity connectors, see [Sync different identity systems](https://developers.google.com/cloud-search/docs/guides/identity-mapping) in the Cloud Search documentation.

  | **Note:** Identity-mapped groups can only be created and accessed through the Groups API. For example, you cannot view identity-mapped groups in the Google Admin console.

Group properties
----------------

Each group, regardless of type, has the following properties:

*Label*
: The label identifies the type of group:

  - **Google Groups:** `cloudidentity.googleapis.com/groups.discussion_forum`
  - **Dynamic groups:** `cloudidentity.googleapis.com/groups.dynamic`
  - **Security groups:** `cloudidentity.googleapis.com/groups.security` (this label is in addition to `cloudidentity.googleapis.com/groups.discussion_forum`, because security groups are based on Google Groups)
  - **Locked groups:** `cloudidentity.googleapis.com/groups.locked` (this label is in addition to `cloudidentity.googleapis.com/groups.discussion_forum`, because locked groups are based on Google Groups)
  - **POSIX groups:** `cloudidentity.googleapis.com/groups.posix` (this label is in addition to `cloudidentity.googleapis.com/groups.discussion_forum`, because POSIX groups are based on Google Groups)
  - **Identity-mapped groups:** `system/groups/external`

*Entity key*
: An entity key is a human-readable unique identifier for the group:

  - **Google Groups, dynamic groups, and security groups:** the email address of the group
  - **Identity-mapped groups:** a string qualified with a namespace. The namespace is established when you create an identity source in Google Cloud Search. For further information on identity sources, see [Sync different identity systems](https://developers.google.com/cloud-search/docs/guides/identity-mapping) in the Cloud Search documentation.

*Parent*
: A parent is the resource to which the group belongs. For Google Groups, dynamic groups, and security groups, the parent is the customer who owns the domain. For an identity-mapped group, the parent is the identity source from which the group is synced.
*Display name*
: The display name is the name of the group as it appears in Google products.

Memberships and membership properties
-------------------------------------

An entity that belongs to a group is referred to as a *member*, and its relationship with that group is referred to as a *membership*. Entities can be users, groups, or service accounts. A membership has the following properties:

*Preferred member key*
: A preferred member key is a human-readable unique identifier for the member. For a Google Group or an individual user, the preferred member key is the email address of the group or user. For an identity-mapped group, the preferred member key is a string qualified with a namespace.

*Membership roles*
: Membership roles represent the permissions that the member has in the group. The supported roles are as follows:

  - `MEMBER`, which has no special permissions. Every membership must have at least the `MEMBER` membership role.
  - `OWNER`, which has broad permissions, such as managing other `OWNER`s or deleting the group.
  - `MANAGER`, which has fewer permissions than an `OWNER`, but more than a `MEMBER`, such as managing other `MANAGER`s.

The permissions that a specific membership role has in a group can be customized in the [Google Groups web interface](https://groups.google.com) or in the [Google Admin console](https://admin.google.com). For more information, see [Set who can view, post & moderate](https://support.google.com/groups/answer/2464975).

You can import users and groups that aren't already in Cloud Identity as an external identity source. You must first create an [identity source](/identity/docs/overview) for your organization, then import user and group information into Cloud Identity.

| **Note:** The Google Groups web interface supports other membership roles, such as `BANNED`. These memberships do not appear in, and cannot be managed through, the Cloud Identity Groups API.

Next steps
----------

Here are a few next steps you might take:

- To set up the API, see [Setting up the Groups API](/identity/docs/how-to/setup).
- To create and manage Google Groups, see [Creating and searching for Google Groups](/identity/docs/how-to/create-google-groups).
- To learn more about dynamic groups, see the [Dynamic groups overview](/identity/docs/concepts/overview-dynamic-groups).
- To update a Google Group to a security group, see [Update a Google Group to a security group](/identity/docs/how-to/update-group-to-security-group).
- To create and manage identity-mapped groups, see [Creating and searching for identity-mapped groups](/identity/docs/how-to/create-identity-groups).

Last updated (UTC): 2025-09-04.
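As an added example (not code from this page or from Google's SDKs), the Python below builds the request bodies that the group properties and membership roles described above map to, and checks the label, entity-key and parent rules the page states before anything is sent. Field names follow the v1 REST `Group` and `Membership` resources; the customer ID, identity source ID and email addresses are constructed placeholders.

```python
from typing import Dict, List

FORUM = "cloudidentity.googleapis.com/groups.discussion_forum"
# Labels that only make sense on top of FORUM, because these groups are Google Groups.
DERIVED = {
    "security": "cloudidentity.googleapis.com/groups.security",
    "locked": "cloudidentity.googleapis.com/groups.locked",
    "posix": "cloudidentity.googleapis.com/groups.posix",
}
EXTERNAL = "system/groups/external"
API_ROLES = {"MEMBER", "MANAGER", "OWNER"}  # web-only roles such as BANNED never appear

def google_group(customer_id: str, email: str, name: str, *kinds: str) -> Dict:
    """Body for a customer-owned Google Group; kinds may add 'security', 'locked', 'posix'."""
    labels = {FORUM: "", **{DERIVED[k]: "" for k in kinds}}
    return {"parent": f"customers/{customer_id}", "groupKey": {"id": email},
            "labels": labels, "displayName": name}

def identity_mapped_group(source_id: str, external_id: str, name: str) -> Dict:
    """Body for an identity-mapped group: namespaced key, identity source as parent."""
    ns = f"identitysources/{source_id}"
    return {"parent": ns, "groupKey": {"id": external_id, "namespace": ns},
            "labels": {EXTERNAL: ""}, "displayName": name}

def check_group(body: Dict) -> List[str]:
    """Rule violations worth catching before the service account sends the request."""
    errors, labels, parent = [], set(body.get("labels", {})), body.get("parent", "")
    if EXTERNAL in labels:
        if labels != {EXTERNAL}:
            errors.append("external label cannot be mixed with Google Group labels")
        if "namespace" not in body.get("groupKey", {}):
            errors.append("identity-mapped group key needs a namespace")
        if not parent.startswith("identitysources/"):
            errors.append("identity-mapped parent must be an identity source")
    else:
        for kind, label in DERIVED.items():
            if label in labels and FORUM not in labels:
                errors.append(f"{kind} label requires {FORUM}")
        if not parent.startswith("customers/"):
            errors.append("Google Group parent must be a customer")
    return errors

def membership(member_email: str, *extra_roles: str) -> Dict:
    """Membership body: MEMBER is always present; only API-managed roles are accepted."""
    roles = {"MEMBER", *extra_roles}
    if roles - API_ROLES:
        raise ValueError(f"roles not managed by the Groups API: {sorted(roles - API_ROLES)}")
    return {"preferredMemberKey": {"id": member_email},
            "roles": [{"name": r} for r in sorted(roles)]}
```

Pass `check_group` output through your own review step before calling `groups.create`; an empty list means the body is consistent with the rules on this page, not that the caller has permission to create it.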