What’s changing
We’re launching new APIs in beta to help better identify, audit, and understand indirect group membership (also known as ‘transitive’ or ‘nested’ group membership, see explanation below). The indirect membership visibility, membership hierarchy, and check APIs are part of the Cloud Identity Groups API and enable you to:
These APIs are currently available as an open beta, which means you can use it without enrolling in a specific beta program. Use our API documentation to learn more.
Who’s impacted
Admins and developers
Why it’s important
These features will help provide all of the information you need to create visualization of complex group structures and hierarchies. Having this kind of membership visibility can help you make decisions about who to add to or remove from your groups.
Customers often use groups to manage access to content and resources within their organization. Using ‘nested’ groups is common as it can decrease duplication, simplify administration, and centralize access management.
However, nested groups can create a complex hierarchy that can make it hard to understand who ultimately has access to content or resources and why they have access. These APIs simplify finding out these answers by making it easier to identify the direct and indirect members for a group. Some use cases include:
- A security team can quickly identify all group memberships and associated nested memberships when a bad actor account is identified.
- An admin could perform a deep-dive on group structure for audit and compliance. By using the APIs to list and validate direct and indirect members for groups with many nested groups.
- A developer could extract group information via the API and feed it to a visualization tool that supports DOT format to make auditing and visualizing complex nested structures easier.
Additional details
Indirect memberships, also known as transitive memberships, come from ‘nested’ groups. Nested groups refer to situations where groups are members of other groups. As a result, users in the sub-group are members of both groups. For example, group Y is a member of group X. Users in group Y are direct members of group Y and indirect members of group X.
Getting started
- Admins and developers: This is available to all users in beta. See our developer documentation for more details on the Cloud Identity Groups API and the Membership Hierarchy and Visibility API Guide.
- End users: End users can use the API within the scope they have to create and manage groups. See our developer documentation for more details on how to use the Cloud Identity Groups API.
Rollout pace
- This feature is available now for all users in beta.
Availability
- Available to Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers
- Not available to Essentials, Business Starter, Business Standard, Business Plus, Education, Nonprofits, and Cloud Identity Free customers