Tag Archives: API

Use the Count API to estimate Vault API export sizes

Quick launch summary 

We’re adding a Count API to the Vault API. The Count API enables you to see the number of messages, files, or other data items that match a search query. 


You can use the number of items to estimate the size of the export, and then choose to proceed with the export or adjust the query to retrieve fewer items. This can help ensure a successful export by reducing the likelihood of export errors due to size. 


Getting started 

  • Admins: Visit the API documentation to learn more about the Count API and review an example.
  • End users: No end user impact. 

Rollout pace 

Availability 

  • Available to Business Plus, Enterprise Standard, Enterprise Plus, Enterprise for Education, as well as other customers with the Vault add-on license 
  • Not available to Essentials, Business Starter, Business Standard, Education, and Nonprofits customers  

Resources 

Roadmap 

Use new APIs to understand and audit group memberships

What’s changing 

We’re launching new APIs in beta to help better identify, audit, and understand indirect group membership (also known as ‘transitive’ or ‘nested’ group membership, see explanation below). The indirect membership visibility, membership hierarchy, and check APIs are part of the Cloud Identity Groups API and enable you to: 
These APIs are currently available as an open beta, which means you can use them without enrolling in a specific beta program. Use our API documentation to learn more. 



Who’s impacted 

Admins and developers 



Why it’s important 

These features will help provide all of the information you need to create visualizations of complex group structures and hierarchies. Having this kind of membership visibility can help you make decisions about who to add to or remove from your groups. 


Customers often use groups to manage access to content and resources within their organization. Using ‘nested’ groups is common as it can decrease duplication, simplify administration, and centralize access management. 


However, nested groups can create a complex hierarchy that can make it hard to understand who ultimately has access to content or resources and why they have access. These APIs simplify finding out these answers by making it easier to identify the direct and indirect members for a group. Some use cases include: 
  • A security team can quickly identify all group memberships and associated nested memberships when a bad actor account is identified. 
  • An admin could perform a deep-dive on group structure for audit and compliance by using the APIs to list and validate direct and indirect members for groups with many nested groups. 
  • A developer could extract group information via the API and feed it to a visualization tool that supports DOT format to make auditing and visualizing complex nested structures easier. 


Additional details 

Indirect memberships, also known as transitive memberships, come from ‘nested’ groups. Nested groups refer to situations where groups are members of other groups. As a result, users in the sub-group are members of both groups. For example, group Y is a member of group X. Users in group Y are direct members of group Y and indirect members of group X. 
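The direct and indirect membership rule above, worked through on a constructed membership map. This is an added example, not Google's code, and it makes no call to the Cloud Identity Groups API; the `DIRECT` map, the group and user names, and the function names are all hypothetical. It extends the X/Y case with a third group and a membership cycle, answers the "which groups hold this account" question from the security use case, and emits DOT for a visualization tool.

```python
from collections import deque

# Constructed sample data: group -> direct members. Any key is a group.
DIRECT = {
    "group-x": ["group-y", "alice"],
    "group-y": ["group-z", "bob"],
    "group-z": ["group-x", "carol"],  # cycle back to X; must not loop forever
    "group-w": ["dave"],
}

def expand(group, direct=DIRECT):
    """Return {member: path} for every direct and indirect member of group.

    path is the chain of groups leading from `group` to the member: length 1
    means direct membership, anything longer means indirect (transitive).
    """
    paths, seen = {}, {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in direct.get(current, []):
            if member == group:
                continue  # a cycle does not make a group a member of itself
            paths.setdefault(member, path)  # BFS keeps the shortest chain
            if member in direct and member not in seen:
                seen.add(member)
                queue.append((member, path + [member]))
    return paths

def memberships_of(account, direct=DIRECT):
    """Every group that contains account, labelled direct or indirect."""
    result = {}
    for group in direct:
        path = expand(group, direct).get(account)
        if path is not None:
            result[group] = "direct" if len(path) == 1 else "indirect"
    return result

def to_dot(direct=DIRECT):
    """Render the direct-membership edges as a DOT digraph."""
    lines = ["digraph groups {"]
    for group in sorted(direct):
        for member in direct[group]:
            lines.append(f'  "{group}" -> "{member}";')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(memberships_of("carol"))
    print(to_dot())
```

The path returned by `expand` is the "why they have access" answer: it names the chain of nested groups that grants the membership.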


Getting started 

Rollout pace 

  • This feature is available now for all users in beta. 

Availability 

  • Available to Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to Essentials, Business Starter, Business Standard, Business Plus, Education, Nonprofits, and Cloud Identity Free customers 

Resources 

Lock files via the Google Drive API to prevent content edits

What’s changing 

You can now add and remove content restrictions via the Drive API. By using the new ContentRestriction API, any file type in Drive can be “locked,” preventing changes to the item’s content, title, and comments. 

Content restrictions can be added or removed via the API and removed via Google Drive on the web by any user who has at least editor access level for the item. 

Learn more about the new API functions in this Drive ContentRestriction (Locking) API documentation


Who’s impacted 

Admins, end users, and developers 


Why you’d use it 

While Google Drive’s collaborative editing and commenting features are often helpful and beneficial, sometimes it’s important to know that changes are not being made to a document. Locking a file with the ContentRestriction API can help accomplish this, and could be used to: 
  • Lock authoritative versions of documents to create “official” or “final” documents for record keeping. 
  • Prevent changes to documents that are involved in a workflow, automation, or business process. 
  • Freeze activity on a document for a period of reviews or audits. 

Getting started 

Rollout pace 

  • This feature is available now for all users. 

Availability 

  • Available to all customers 

Resources 

Roadmap 

Lock files via the Google Drive API to prevent content edits

What’s changing 

You can now add and remove content restrictions via the Drive API. By using the new ContentRestriction API, any file type in Drive can be “locked,” preventing changes to the item’s content, title, and comments. 

Content restrictions can be added or removed via the API and removed via Google Drive on the web by any user who has at least editor access level for the item. 

Learn more about the new API functions in this Drive ContentRestriction (Locking) API documentation


Who’s impacted 

Admins, end users, and developers 


Why you’d use it 

While Google Drive’s collaborative editing and commenting features are often helpful and beneficial, sometimes it’s important to know that changes are not being made to a document. Locking a file with the ContentRestriction API can help accomplish this, and could be used to: 
  • Lock authoritative versions of documents to create “official” or “final” documents for record keeping. 
  • Prevent changes to documents that are involved in a workflow, automation, or business process. 
  • Freeze activity on a document for a period of reviews or audits. 

Getting started 

Rollout pace 

  • This feature is available now for all users. 

Availability 

  • Available to Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education, Enterprise for Education, and Nonprofits customers

Resources 

Roadmap 

Dynamic groups beta enables automatic group membership management

What’s changing 

Dynamic groups let you create a group with membership that is automatically kept up to date with a membership query. Dynamic groups can be based on one or many user attributes, including addresses, locations, organizations, and relations. You can manage dynamic groups in the Cloud Identity Groups API and the Admin console. 

Dynamic groups is currently available as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 

Admins and developers with group create and user read privileges


Why you’d use it 

Dynamic groups work the same as other Google Groups with the added benefit that their memberships are automatically kept up-to-date. This means you can use them for the same functions, including for distribution lists, access-control list (ACL) management, and more. By automating membership management you can increase security, reduce errors, and alleviate user frustration while minimizing the burden on admins. 

Here are some examples of how you can use dynamic groups. You can create groups of: 
  • All users based in your New York office, which you can then use for email communications related to that office location. 
  • All engineers, which you can then use to provide access to specific tools. 


Additional details 

At launch, you won’t be able to manage policies such as context-aware access policies using dynamic groups. Once available, you will be able to create a dynamic group which you could then use to manage specific context-aware access policies. We are working on adding this functionality in the future, and will announce it on the G Suite Updates blog when it’s available. 


Getting started 



Rollout pace 

  • This feature is available now for all eligible users. 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Essentials, G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 

Resources 

Group membership expiration available in beta

What’s changing 

We’re adding the ability to set expirations for group memberships using the Cloud Identity Groups API. This enables admins to set an amount of time that users are members of a group. Once the specified time has passed, users will be removed from the group automatically. 

Membership expiry is currently available as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 

Admins and developers 


Why it’s important 

Groups are a powerful way to manage permissions and access control in your organization. In many cases, there’s a known amount of time that a user should be a member of a group. This can make managing membership time consuming, and increases the possibility that a user has overly-broad access. 

Automatic membership expiration can help reduce the administrative overhead for managing groups, and can help ensure group membership is limited to the members that need access. This can help: 
  • Increase security by ensuring users do not have long-lived membership in groups, and that your group memberships don’t become too expansive. 
  • Manage security groups by using group membership with our recent launch of security groups
  • Reduce admin time and administration costs by automating some group management tasks 

Getting started 

Rollout pace 

  • This feature is available now for all users. 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, G Suite Essentials, and Cloud Identity Free customers 

Resources 

Service accounts in Google Groups and with Groups API now generally available

Quick launch summary 

We recently announced betas for two new features related to service accounts. Now, these features are generally available: 
  • Support for service accounts in Google Groups, which makes it easier to use service accounts with groups while increasing security and transparency. Learn more
  • Use service accounts with Google Groups APIs without domain-wide delegation, which enables service accounts to perform critical business processes without compromising your strong security and compliance posture. Learn more

Groups are a critical tool for customers to manage their G Suite deployment. Many customers use service accounts with Groups to automate user management, manage migrations, and integrate G Suite with other apps, tools, and services. Use the announcements linked above to learn more about the features and how you can use them. 

Learn more about these and other launches in our Security Blog post highlighting 10 new security and management controls for security at scale

Service accounts in Google Groups 

Getting started 

Rollout pace 

Availability 

  • Available to all G Suite customers 

Resources