Tag Archives: Groups

Consolidated Google Groups audit logs now available in G Suite and GCP

What’s changing 

Consolidated Google Groups audit logs are now available in the G Suite AdminSDK Reports API and GCP Cloud Audit Logs. Specifically you’ll notice:

  • Changes in the G Suite AdminSDK Reports API: We’re introducing a new consolidated log named groups_enterprise, which includes changes to groups and group memberships across all products and APIs. These were previously split across the groups and admin audit logs. 
  • Changes in GCP Cloud Audit Logging: We’re adding Google Groups information to Cloud Audit Logs (CAL) in Stackdriver. See our Cloud Blog post for more details on how this could help GCP customers. Note that this will not change visibility of these logs in the G Suite Admin console - it just adds them to Cloud Audit Logs (CAL) in Stackdriver as well. 


Who’s impacted 

G Suite and GCP Admins only

Why you’d use it 

These changes will help improve the security and usability of Groups as an IAM tool by streamlining administration, transparency, and access monitoring.

How to get started 


  • Admins: 
    • Changes in the G Suite AdminSDK Reports API: Get started with the AdminSDK Reports API
    • Changes in GCP Cloud Audit Logging: This is an opt-in feature that can be enabled at G Suite Admin console > Company profile > Legal & Compliance > Sharing options. 
  • End users: No action needed. 


Additional details 

Changes in the G Suite AdminSDK Reports API 
Changes to groups have historically been logged in either the groups or admin audit logs. Changes made in the Google Groups product are logged in the groups log while changes made through admin tools like the Admin console, AdminSDK, and GCDS are logged in the admin log. As part of our efforts to streamline administration and increase transparency, we’re introducing a new consolidated log named groups_enterprise, which includes changes to groups and group memberships across all products and APIs. This new log is now available through the AdminSDK Reports API and will be available in the Admin console in the future.

Changes in GCP Cloud Audit Logging 
Google Groups are the recommended way to grant access to GCP resources when using IAM policies. GCP customers have told us that having group audit logs available in Google Cloud Audit Logs would help streamline security and access monitoring. With that in mind, we’re adding Google Groups information to Cloud Audit Logs (CAL) in Stackdriver. See our Cloud Blog post for more details on how this can help GCP customers.

Helpful links 

Cloud Blog: Integrated Google Groups Audit Transparency from G Suite to GCP Cloud Audit Logs 
Get started with the G Suite AdminSDK Reports API 

Availability 

Rollout details 


G Suite editions 
  • Google Groups are available to all G Suite editions. 

On/off by default? 
  • G Suite AdminSDK Reporting API for consolidate group events will be ON by default. 
  • GCP Cloud Audit Logging for groups will be OFF by default and can be enabled at the domain level.


Stay up to date with G Suite launches

An updated plan & resources for upcoming changes to Groups settings

What’s changing 

Based on your feedback following our previous announcement, Changes to Google Groups settings starting May 6, 2019, we’re making the following changes:


  • Additional improvements to the Groups Settings API to help you plan for and manage the changes (see more details below). 
  • “Post as the group” will remain a separate setting - it will not be merged as we previously stated. 
  • “New member posts are moderated” will remain an option for moderation - it will not be deprecated as we previously stated. 
  • “Take topics” will be merged into the content metadata settings


To help you plan for these changes, we’re also sharing a Google Sheet which can help identify what the new settings will be for a group. In addition, we’re changing the rollout schedule so the new settings will start to take effect in Scheduled Release domains on June 3, four weeks after Rapid Release domains.

Use our Help Center to see details of these changes and see how you can prepare for the update.

Who’s impacted 

Admins and end users

Why you’d use it 

We hope these resources will help you better understand and prepare for the changes to Groups settings.

How to get started 




Additional details 

Groups API improvements 
On March 25th, 2019, we’ll be updating the Groups Settings API. These updates align the API with the product changes we’re making (outlined in our previous announcement and this post) and mean it’s easier to use the API to prepare. API updates include:


  • All settings that are to-be merged will be exposed via the API. This means you can audit your current groups via API, and make changes to ensure new settings are inferred as you want them to be. 
  • New merged settings will be exposed via the API. This means you can query the new merged settings and ensure they are going to be inferred as expected. Note that It will be read-only (i.e. inferred value) until launch, at which point it will also support write. 
  • New bit for custom roles exposed. If you use custom roles, API queries may return incorrect values. The new bit will highlight if a group uses custom roles for one of the merged settings and so will help you identify groups that require manual review. 
  • New bit for collaborative inbox exposed. We will expose a new bit that represents whether collaborative inbox will be enabled for a group. If you expect your group to have collaborative inbox functionality (e.g. topic assignment), ensure that this bit is true. You may do this by enabling any of the collaborative inbox features. Note that it will be read-only (i.e. inferred value) until launch, at which point it will also support write. 
  • New bit for who can discover group exposed. We will expose a new bit that represents who the group will be visible to. This setting will replace show in group directory. Note that it will be read-only (i.e. inferred value) until launch, at which point it will also support write. 


See our Cloud blog post for more details on these API changes and how to use them.

“Post as the group” will not be merged into the content moderator setting 
Previously we stated that this setting would be merged. However, you told us that it was valuable and we should keep it separate, so we’re updating the plans and will not merge it.

“New member posts are moderated” will continue to be supported. 
The “New member posts are moderated” setting, exposed in the API as MODERATE_NEW_MEMBERS, will continue to be supported as a value for moderation.

“Take topics” will be merged with content metadata 
We previously suggested that “Take topics” would remain a standalone setting. However, this will now be merged as part of the content metadata settings.

New worksheet to help visualize changes
We’ve created this Google Sheet which will show you what the new settings will be for any group if you input the current settings. This can help you check the settings will be inferred as you want them.

Helpful links 




Availability 

Rollout details 


G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be ON by default.
Stay up to date with G Suite launches

Changes to Google Groups settings starting May 6, 2019

What’s changing 

In May 2019, we’ll make some changes to the settings in Google Groups. In response to your ongoing feedback, we are updating Groups’ settings to make it easier for you and your users to manage and configure groups. Specifically, we will remove settings and features that are rarely used, and combine settings that cover similar functionality. These changes will affect the groups.google.com interface and also the APIs used to manage groups.

Your existing groups may be affected by the upcoming settings changes. When the changes take effect, we’ll update the settings for existing groups. These updates may change how groups can be accessed and used.

Use this Help Center article to see details of these changes and see how you can prepare for the update.

The changes will start to roll out on May 6, and may take up to 15 days to reach all domains.

Who’s impacted 

Admins and end users

Why you’d take action 

Some users who are not group owners or group managers but who currently have access to specific group management features may lose that access. We recommend you audit groups in your organization and adjust the settings before May 6 to make sure these users don’t lose access.

When the new settings take effect:
  • Existing group settings will be updated to conform to the new controls available. 
  • Group owners will still be able to change the settings that apply to their group at any point. 
  • New groups will be subject to the same default controls that they are today. 


How to get started 


Additional details 

In the next few days, users will see an in-product message about the upcoming changes when they use Groups. The message will direct them to the Help Center for an overview of the changes and change timeline.

Most groups will be affected in some way by these changes. You can use the Groups API to get a list of all groups and get a list of group owners in your organization, which might help you prepare for the changes.

Helpful links 


Availability 

Rollout details 
  • Rapid Release domains: Gradual rollout (up to 15 days for feature visibility) starting on May 6, 2019 
  • Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on May 6, 2019 G Suite editions Available to all G Suite editions On/off by default? This feature will be ON by default. 

Stay up to date with G Suite launches

Learn more about Google Groups with Contacts hovercards

Contacts hovercards provide lots of useful information about the people within your organization. We’ve heard from you that you’d like better visibility into Google Groups across G Suite, so we’re adding more information to these hovercards when the contact itself is a group.




When you mouse over the name of a group in Gmail, you’ll now be able to see essential information, like group members, as well as take some actions, such as:

  • Schedule an event with the group
  • Email the group
  • See more members
You can also select “More info,” which will take you to the Groups membership details page on groups.google.com. The group members will only appear on the hovercard if the user has permission to view them. This functionality will be added to other G Suite apps in the future.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Full rollout (1–3 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

Configure your Google Groups settings for increased security

From creating team mailing lists to processing support tickets to hosting internal discussions, many organizations use Google Groups to connect and collaborate in the workplace. But as with any communication tool, it’s important that your settings deliver the right balance between sharing and security.

By default, Google Groups are set to private; there have been a small number of instances, however, where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings. That’s why it’s important to understand how you can tailor the privacy configurations of Google Groups to align with your organization’s policies. Details of how to do this are part of our comprehensive security best practices for G Suite, which we’ve discussed in previous blog posts.

Default protections against accidental misconfigurations
To help prevent data from being accidentally shared, by default Google Groups’ sharing settings are set to best protect privacy:

  • Viewing groups: By default, no one outside your domain can view or search groups in your domain.
  • Posting to groups: By default, no one outside your domain can post to your groups.
  • Joining groups: By default, no one outside your domain can become a group member.
  • Creating groups: By default, only those within your domain can create groups.

G Suite admins can adjust each of these default settings individually. They can review and update the sharing permissions for their domains from the Admin console, while end users can review and update Google Groups permissions in group settings. Admins can also manage groups using the Directory API, and group settings can be managed using the Groups Settings API.

Viewing groups: configuring settings at the domain level
Admins can control who can view groups at the domain level, under “access to groups.” There are two options:

  • Private, the default setting, means no one outside of your domain can access your groups, and your users and domain admins do not have the ability to create public groups.
  • Public on the Internet means users can create public groups, and individuals outside your domain can access content discussed in these groups.


You should carefully consider whether to change the access to groups from Private to Public on the Internet. If you give your users the ability to create public groups, you can always change the domain-level setting back to private. This will prevent anyone outside of your domain from accessing any of your groups, including any groups previously set to public by your users.

Viewing groups: configuring the default view for new groups
Even if you turn on the ability to create public groups, all new groups will be private by default and users will need to proactively change individual group settings to make them public. As an admin, you can change this default setting so that view access for new groups is limited to all members of your domain or a subset of group members.


We recommend you choose the setting that makes the most sense based on how your organization uses Google Groups. Remember, this is the default setting for new groups—group owners can still change settings at the group level (although if admins set “access to groups” to private, users won’t be able to allow anyone on the internet to view the group).

Posting to groups: configuring who can contact group members
By default, external users cannot post to groups. In some instances, however, you may want external individuals to be able to contact a group—for example, when handling incoming sales or support requests. This can be done without making the ability to view topics in a group public.

As an admin, you can allow posts from outside your domain to specific groups within the settings for that individual group (by selecting “Public” under Post). This setting applies regardless of whether group topics are set to public or private.


As an admin, you can also give group owners the ability to authorize external posts via the Admin console setting under “Member & email access.”


Joining groups: configuring group membership
By default, only users in the group’s domain can be group members. Admins, however, can add external members directly to groups, and they can also enable group owners to add external members—for example, if they need to communicate with a vendor organization. Admins can also to add external members regardless of the status of the setting.


Creating groups: configuring who can create new groups
As an admin, you can also decide who can create groups within your organization. By default, anyone in your domain can create groups.


If you allow users in your domain create public Google Groups and give anyone in your domain the ability to create groups, you’re trusting your users to manage their settings and use these groups appropriately. It’s worth carefully considering whether this configuration makes the most sense for your organization.

For more information on securing your Google Groups, visit our Help Center. You may also want to review our security best practices across G Suite.

More Information
Help Center: Google Groups security


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

8 swift steps G Suite admins can take to secure business data

(Cross-posted from The Keyword)

Security doesn’t have to be complicated. With G Suite, admins can manage and help protect their users with minimal effort because we've designed our tools to be intuitive—like Vault, which helps with eDiscovery and audit needs, and data loss prevention, which helps ensure that your “‘aha”’ moments stay yours. Here are some key security controls that you can deploy with just a few clicks to get more fine-grained control of your organization's security.

1. Enable Hangouts out-of-domain warnings
If your business allows employees to chat with external users on Hangouts, turn on a setting that will show warnings to your users if anyone outside of your domain tries to join a Hangout, and split existing group chats so external users can’t see previous internal conversations. This substantially reduces the risk of data leaks or falling prey to social engineering attacks. (Admin console > Apps > G Suite > Google Hangouts > Chat settings > Sharing options)


2. Disable email forwarding
Exercising this option will disable the automatic email forwarding feature for users, which in turn helps reduce the risk of data exfiltration in the event a user’s credentials are compromised. (Admin console > Apps > G Suite > Gmail > Advanced settings)



3. Enable early phishing detection
Enabling this option adds further checks on potentially suspicious emails prior to delivery. Early phishing detection utilizes a dedicated machine learning model that selectively delays messages to perform rigorous phishing analysis. Less than 0.05 percent of messages on average get delayed by a few minutes, so your users will still get their information fast. (Admin console > Apps > G Suite > Gmail > Advanced settings)


4. Examine OAuth-based access to third-party apps
OAuth apps whitelisting helps keep company data safe by letting you specifically select which third-party apps are allowed to access users’ G Suite data. Once an app is part of a whitelist, users can choose to grant authorized access to their G Suite apps data. This helps to prevent malicious apps from tricking people into accidentally granting access to corporate data. (Admin console > Security > G Suite API Permissions)


5. Check that unintended external reply warning for Gmail is turned on
Gmail can display unintended external reply warnings to users to help prevent data loss. You can enable this option to ensure that if your users try to respond to someone outside of your company domain, they’ll receive a quick warning to make sure they intended to send that email. Because Gmail has contextual intelligence, it knows if the recipient is an existing contact or someone your users interact with regularly, so it only displays relevant warnings. This option is on by default. (Admin console > Apps > G Suite > Gmail > Advanced settings)


6. Restrict external calendar
To reduce the incidence of data leaks, make sure that Google Calendar details aren’t shared outside your domain. Limiting sharing to “free” or “busy” information protects you from social engineering attacks that depend on gleaning information from meeting titles and attendees. (Admin console > Apps > G Suite > Calendar > Sharing settings)


7. Limit access to Google Groups
By setting default Google group access to private, you can limit external access to information channels that may contain confidential business information, like upcoming projects. (Admin console > Apps > G Suite > Groups for Business > Sharing settings)


8. Set Google+ access restrictions
Make the default sharing setting for Google+ restricted and disable discoverability of Google+ profiles outside your domain. Both of these actions can help you control access to critical business information. (Admin console > Apps > G Suite > Google+ > Advanced settings)





Every company has their own unique set of business requirements that need to work in rhythm with their security requirements. By evaluating and implementing some of these suggested security controls, you can make a marked difference in your company’s security posture—with just a few clicks. See this post for other security tips.


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

New in Google Vault: Full support for Google Drive, Team Drives, and Google Groups

Google Vault helps your organization meet its legal needs, by allowing you to manage your employees' G Suite data for eDiscovery and compliance purposes. Today, we’re launching additional, crucial functionality in Vault, including full support for Drive, newly launched Team Drives, and Google Groups.

Set retention policies for Google Drive, including Team Drives
Starting now, not only can G Suite admins search and export employee Drive files, they can also set retention policies to manage the lifecycle of files in My Drive and the just-launched Team Drives, regardless of whether they’re Google or non-Google files (as long as they’re owned by users in your domain).

Like with mail, the default rule will apply to all users in your domain. You can set an indefinite retention policy (such that files are never expunged), or you can choose to have files expunged at the end of a specific time period. This default rule can be applied to all files or only to files that have been deleted by users.

You can also set custom retention rules for specific organizational units (OUs) or for Team Drives. Like with mail, custom rules override the default rule and, if multiple custom rules apply to a file, the longest rule wins. Custom rules can be applied to all files or only to files that have been deleted by users.

Unlike with mail, you cannot target custom Drive retention rules with specific terms.


Place legal holds on Google Drive files
In addition to setting retention policies, you can now place legal holds on your employees' Google Drive and Team Drives files, whether they are Google files or non-Google files (as long as they are owned by users in your domain). Doing so will preserve all files that are owned by or shared with the user on hold, regardless of whether that user deletes those files. If a user on hold deletes a file, it will appear as deleted for him or her—but it will be available in Vault until the hold is removed. Remember that holds always take precedence over retention rules.

Note that both the retention policy and legal holds features are not yet available for Apps Script.

Export point-in-time Google Drive files
Vault now also allows you to export revisions of your employees’ Drive and Team Drive files from a specific point in time (this applies to Google Docs, Sheets, Slides, and Drawings files). This can be done by simply specifying the desired Version Date in the search form.

Note that this feature is not yet available for Google Forms, Apps Script, or any non-Google document types.


Use Vault for Google Groups
Finally, Vault now works with Groups, meaning you can search, export, and set retention policies and place legal holds on your employees’ Groups content. Groups can be used for email lists, forums, and shared or collaborative inboxes, and now you can apply the same retention and eDiscovery programs that you use in Gmail for content stored in Groups archives.


To learn more about how Vault's support for Drive, Team Drives, and Groups can help your organization meet its legal obligations and archiving needs, check out the Vault Help Center.

Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Editions:
Available to G Suite Business, Enterprise, and Education editions only

Rollout pace:
Gradual rollout (potentially longer than 3 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center: Google Vault
Help Center: Supported data types


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

Integrated search now available in Gmail, Google Calendar, Groups, and Drive on the web

One common request we’ve heard from customers is for an integrated search experience for the content you care about, regardless of what app you’re in. Beginning this week, we’ll be rolling out an integrated search experience in Gmail, Google Calendar, Groups, and Drive on the web for G Suite Basic and G Suite Business customers to make finding the content you care about easier.

This new search experience uses Google’s latest technologies to make searching for content more intelligent than ever. The search results you’ll see will change depending on what you’re trying to accomplish and also which services are enabled for your domain. Typically, search results in the top portion will be the same type as the application you’re using, and below, you’ll see related documents, contacts, calendar events, or emails that are most relevant to what you’re searching for.


Please note: At this time, the integrated search experience will be rolled out only to G Suite Basic and G Suite Business customers (formerly called Google Apps for Work and Google Apps Unlimited).


Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Rollout pace:
Gradual rollout (More than 3 days for feature visibility)

Impact:
All end users on G Suite Basic and G Suite Business

Action:
Change management suggested/FYI


Google Groups support in Admin console audit logs

Audit logs allow Google Apps admins to monitor user activity across different applications like Calendar and Drive, giving them increased visibility for tracking and troubleshooting. Today we’re adding audit log support for Google Groups for Business.

Google Groups audit logs will provide admins with access to their users’ Google Groups activity via the Admin console and the Reports API. Admins can see an audit trail of Groups-related information, including changes to group settings and permissions, moderation actions, and membership-related actions (e.g. additions, removals, bans, unbans, invites, and joins) performed by their users in the Groups interface. In addition, admins can set up custom alerts for Groups audit events to effectively track important Groups-related activity.


Check out the Help Center and developer documentation for more information. 

Launch Details
Release track:  
Launching to both Rapid release and Scheduled release

Rollout pace: 
Full rollout (1-3 days for feature visibility)

Impact: 
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center
Developer Documentation


Note: all launches are applicable to all Google Apps editions unless otherwise noted

Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

Feature parity for multi-domain Google Apps instances

Complex businesses can require multiple Google Apps domain instances to meet their needs. Previously, certain domain management functionality was restricted to primary domains only, making managing multiple domains a bit cumbersome. With today’s launch, we’re extending several key features to secondary domains to make managing multiple domain instances more seamless:

  • Custom app URLs―make it easy for people in any of your domains to find your core Google Apps services by creating custom web addresses to each service. For example, mail.primarydomain.com or mail.secondarydomain.com.
  • Web address mapping―have your Google Sites appear under custom URLs for all of your domains, such as hr.yourdomain.com, hr.yourdomain.in or hr.yourdomain.fr.
  • Group renaming―create a Google Group in a primary domain and move it to a secondary domain. For example, rename the group users@yourdomain.in to users@yourdomain.fr

Check out the Help Center links below for more information.

Release track:
Rapid release and Scheduled release

For more information:
Custom app urls
Web address mapping
Group renaming


Note: all launches are applicable to all Google Apps editions unless otherwise noted

Launch release calendar
Get these product update alerts by email
Subscribe to the RSS feed of these updates