Method: groups.memberships.checkTransitiveMembership

Check a potential member for membership in a group.

Note: This feature is only available to Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education; and Cloud Identity Premium accounts. If the account of the member is not one of these, a 403 (PERMISSION_DENIED) HTTP status code will be returned.

A member has membership to a group as long as there is a single viewable transitive membership between the group and the member. The actor must have view permissions to at least one transitive membership between the member and group.

HTTP request


The URL uses gRPC Transcoding syntax.

Path parameters



Resource name of the group to check the transitive membership in.

Format: groups/{group}, where group is the unique id assigned to the Group to which the Membership belongs to.

Query parameters



Required. A CEL expression that MUST include member specification. This is a required field.

Certain groups are uniquely identified by both a 'member_key_id' and a 'member_key_namespace', which requires an additional query input: 'member_key_namespace'.

Example query: member_key_id == 'member_key_id_value'

Request body

The request body must be empty.

Response body

The response message for MembershipsService.CheckTransitiveMembership.

If successful, the response body contains data with the following structure:

JSON representation
  "hasMembership": boolean


Response does not include the possible roles of a member since the behavior of this rpc is not all-or-nothing unlike the other rpcs. So, it may not be possible to list all the roles definitively, due to possible lack of authorization in some of the paths.

Authorization scopes

Requires one of the following OAuth scopes:


For more information, see the Authentication Overview.