Groups API overview

The Cloud Identity Groups API allows you to create and manage different types of groups, each of which supports different features, as well as their memberships.

Group types

A group is a collection of entities, where each entity can be either another group or a user. The Cloud Identity Groups API supports the following group types:

Google Groups
Google Groups have an email address and are frequently used as mailing lists. Google Groups can also be used across many Google products. For example, you can share a Google Doc with a group, invite a group to a Google Calendar event, or use a group as a principal for access management in IAM. A Google Group is the default group type.
Dynamic groups

Dynamic groups are Google Groups whose memberships are automatically managed using a membership query or a query on employee attributes, such as job role or building location. For example, a membership query might be "all users whose job role is Technical Writer in my organization."

Security groups

A security group is similar to a Google Group, but is used specifically for controlling access to organizational resources. You create a security group by updating an existing Google Group to mark it as a security group; the group keeps its Google Group properties and gains the security group label.

Locked groups

A locked group is a Google Group that administrators have locked to prevent it from getting out of synchronization with an external source, such as an identity provider. Administrators can also lock a Google Group to increase security for sensitive groups. When you lock a Google Group, edits to core attributes and memberships are restricted to a subset of administrators.

While standard group owners, managers, and members can still update settings like message moderation or posting permissions, modifications to the core attributes and memberships of a locked group are limited to authorized administrators. Authorized administrators are typically those holding a role such as Groups Admin, or Groups Editor with a condition that includes locked groups.

POSIX groups (Deprecated)

A POSIX group is a Google Group that is used to manage group membership in LDAP environments. A POSIX group is created by updating a Google Group with POSIX data. The POSIX group data includes a group name and group ID (GID).

POSIX groups are integrated with Google Cloud and are used by VMs in your organization that have OS Login enabled.

Identity-mapped groups

An identity-mapped group is a group containing users and groups synced from a non-Google identity source, such as Active Directory. Identity-mapped groups allow Google Cloud Search to recognize users and groups, and their permissions to searched documents, stored in an external identity source. For example, you might have a user example_user_org@your_domain.com who has certain permissions to documents. This user can be synced to example_user@your_domain.com so that Google Cloud Search recognizes their same permissions to the same documents.

Cloud Identity Groups API group creation requests are permitted only from service accounts.

To sync identity-mapped groups in Google Cloud Search, you must create an identity connector. If you are using Java, you can create an identity connector using the Google Cloud Search Java SDK. If you want to use a REST API, you can use the Cloud Identity Groups API. For further information on identity connectors, refer to Sync different identity systems in the Cloud Search documentation.

Group properties

Each group, regardless of type, has the following properties:

Label
The label identifies the type of group:
  • Google Groups: cloudidentity.googleapis.com/groups.discussion_forum
  • Dynamic groups: cloudidentity.googleapis.com/groups.dynamic
  • Security groups: cloudidentity.googleapis.com/groups.security (this label is in addition to cloudidentity.googleapis.com/groups.discussion_forum, because security groups are based on Google Groups)
  • POSIX groups: cloudidentity.googleapis.com/groups.posix (this label is in addition to cloudidentity.googleapis.com/groups.discussion_forum, because POSIX groups are based on Google Groups)
  • Identity-mapped groups: system/groups/external
Entity key

An entity key is a human-readable unique identifier for the group:

  • Google Groups, dynamic groups, and security groups: the email address of the group
  • Identity-mapped groups: a string qualified with a namespace. The namespace is established when you create an identity source in Google Cloud Search. For further information on identity sources, refer to Sync different identity systems in the Cloud Search documentation.
Parent

A parent is the resource to which the group belongs. For Google Groups, dynamic groups, and security groups, the parent is the customer who owns the domain. For an identity-mapped group, the parent is the identity source from which the group is synced.

Display name

The display name is the name of the group as it appears in Google products.
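The label, entity key, and parent properties above are what a create-group request carries, and the same labels are what you read back to tell group types apart. The following Python is an added example, not Google's own sample code: it builds request bodies for the v1 REST endpoint (field names, the initialGroupConfig parameter, and the label strings are the public API) and maps a group resource's label set back to the types described above. The customer ID, identity-source ID, and email addresses are made-up placeholders.

```python
"""Construct Cloud Identity Groups API request bodies and read group labels.

Added example, not Google's own sample code. Endpoint, field names and label
strings are the public v1 REST API; the customer ID, identity-source ID and
email addresses used below are made-up placeholders.
"""
import json
import urllib.request

GROUPS_ENDPOINT = "https://cloudidentity.googleapis.com/v1/groups"

# Labels from the "Label" property. The API sends labels as a map whose
# values are empty strings.
DISCUSSION_FORUM = "cloudidentity.googleapis.com/groups.discussion_forum"
DYNAMIC = "cloudidentity.googleapis.com/groups.dynamic"
SECURITY = "cloudidentity.googleapis.com/groups.security"
POSIX = "cloudidentity.googleapis.com/groups.posix"
EXTERNAL = "system/groups/external"


def group_types(group):
    """Map a group resource's label set to the group types it represents.

    Security and POSIX groups are Google Groups with one extra label, so one
    resource can carry several types, e.g. ["google", "security"].
    """
    labels = set(group.get("labels", {}))
    if EXTERNAL in labels:
        return ["identity_mapped"]
    if DISCUSSION_FORUM not in labels and DYNAMIC not in labels:
        raise ValueError("unrecognized label set: %r" % sorted(labels))
    types = ["google"]  # dynamic, security and POSIX groups are all Google Groups
    for label, kind in ((DYNAMIC, "dynamic"), (SECURITY, "security"), (POSIX, "posix")):
        if label in labels:
            types.append(kind)
    return types


def google_group_request(customer_id, email, display_name, security=False):
    """Body for creating a Google Group; security=True adds the security label."""
    labels = {DISCUSSION_FORUM: ""}
    if security:
        labels[SECURITY] = ""
    return {
        "parent": "customers/%s" % customer_id,   # parent: the customer owning the domain
        "groupKey": {"id": email},                # entity key: the group's email address
        "displayName": display_name,
        "labels": labels,
    }


def identity_mapped_group_request(identity_source_id, external_key, display_name):
    """Body for an identity-mapped group; parent and key namespace are the identity source."""
    parent = "identitysources/%s" % identity_source_id
    return {
        "parent": parent,
        "groupKey": {"id": external_key, "namespace": parent},
        "displayName": display_name,
        "labels": {EXTERNAL: ""},
    }


def create_group(body, access_token, initial_group_config=None):
    """POST the body to the Groups API. Needs a valid OAuth 2.0 access token."""
    url = GROUPS_ENDPOINT
    if initial_group_config:  # e.g. "WITH_INITIAL_OWNER" for a Google Group
        url += "?initialGroupConfig=" + initial_group_config
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = google_group_request("C01abcdef", "infra-admins@example.com",
                                "Infra admins", security=True)
    print(json.dumps(body, indent=2))
    print(group_types(body))  # ['google', 'security']
```

The classifier deliberately returns every type a resource carries rather than a single value, because a security group is still a Google Group and its labels say so; code that checks only for `groups.discussion_forum` would silently treat access-control groups like ordinary mailing lists.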

Memberships and membership properties

An entity that belongs to a group is referred to as a member and its relationship with that group is referred to as a membership. Entities can be users, groups, or service accounts. A membership has the following properties:

Preferred member key
A preferred member key is a human-readable unique identifier for the member. For a Google Group or an individual user, the preferred member key is the email address of the group or user. For an identity-mapped group, the preferred member key is a string qualified with a namespace.
Membership roles

Membership roles represent the permissions that the member has in the group. The supported roles are as follows:

  • MEMBER, which has no special permissions. Every membership must have at least the MEMBER membership role.

  • OWNER, which has broad permissions, such as managing other OWNERs or deleting the group.

  • MANAGER, which has fewer permissions than an OWNER, but more than a MEMBER, such as managing other MANAGERs.

The permissions that a specific membership role has in a group can be customized in the Google Groups web interface or in the Google Admin console. For more information, see Set who can view, post & moderate.
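The role rules above (every membership carries MEMBER; OWNER and MANAGER are the roles that can change who else is in the group) are easy to get wrong when scripting against the memberships endpoints. The following Python is an added example, not Google's own sample code: it builds bodies for memberships.create and memberships.modifyMembershipRoles (field names are the public v1 REST API) while enforcing the MEMBER invariant, and it audits a membership list for members holding elevated roles. The group name, email addresses, and the sample membership list are constructed placeholders.

```python
"""Build membership bodies and audit roles for a Cloud Identity group.

Added example, not Google's sample code. Field names match the v1 REST API
(memberships.create and memberships.modifyMembershipRoles); the group name,
email addresses and SAMPLE_MEMBERSHIPS are constructed placeholders.
"""

ROLES = ("MEMBER", "MANAGER", "OWNER")


def membership_request(member_email, roles=("MEMBER",)):
    """Body for POST .../v1/groups/{group}/memberships.

    Every membership must carry MEMBER, so it is added if omitted, and
    unknown role names are rejected before anything is sent.
    """
    wanted = set(roles) | {"MEMBER"}
    bad = wanted - set(ROLES)
    if bad:
        raise ValueError("unsupported roles: %s" % sorted(bad))
    return {
        "preferredMemberKey": {"id": member_email},  # email for users and Google Groups
        "roles": [{"name": r} for r in ROLES if r in wanted],
    }


def modify_roles_request(add=(), remove=()):
    """Body for POST .../memberships/{id}:modifyMembershipRoles.

    MEMBER is mandatory on every membership, so the API's removeRoles must
    not contain it; to drop a member entirely, delete the membership.
    """
    if "MEMBER" in remove:
        raise ValueError("MEMBER is mandatory; delete the membership instead")
    for r in set(add) | set(remove):
        if r not in ROLES:
            raise ValueError("unsupported role: %s" % r)
    body = {}
    if add:
        body["addRoles"] = [{"name": r} for r in add]   # MembershipRole objects
    if remove:
        body["removeRoles"] = list(remove)               # plain role names
    return body


def privileged_members(memberships):
    """Return {member key: [elevated roles]} for OWNER and MANAGER memberships.

    When reviewing a security group, these are the identities that can
    change group membership, and therefore who gets the group's access.
    """
    out = {}
    for m in memberships:
        elevated = sorted(r["name"] for r in m.get("roles", []) if r["name"] != "MEMBER")
        if elevated:
            out[m["preferredMemberKey"]["id"]] = elevated
    return out


# Constructed sample of what memberships.list returns (not real data).
SAMPLE_MEMBERSHIPS = [
    {"name": "groups/abc/memberships/1",
     "preferredMemberKey": {"id": "alice@example.com"},
     "roles": [{"name": "MEMBER"}, {"name": "OWNER"}]},
    {"name": "groups/abc/memberships/2",
     "preferredMemberKey": {"id": "bob@example.com"},
     "roles": [{"name": "MEMBER"}]},
    {"name": "groups/abc/memberships/3",
     "preferredMemberKey": {"id": "ops-sa@proj.iam.gserviceaccount.com"},
     "roles": [{"name": "MANAGER"}, {"name": "MEMBER"}]},
]

if __name__ == "__main__":
    print(membership_request("carol@example.com", ["OWNER"]))
    print(modify_roles_request(add=["MANAGER"], remove=["OWNER"]))
    print(privileged_members(SAMPLE_MEMBERSHIPS))
```

Note that the service account in the sample holds MANAGER: the text above says entities can be service accounts, and an automation identity that can add members to a security group is effectively an access-granting principal and belongs in the same review as the human owners.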

You can import users and groups that aren't already in Cloud Identity as an external identity source. You must first create an identity source for your organization, then import user and group information into Cloud Identity.

Next steps

Here are a few next steps you might take: