Tag Archives: API

Lock files via the Google Drive API to prevent content edits

What’s changing 

You can now add and remove content restrictions via the Drive API. By using the new ContentRestriction API, any file type in Drive can be “locked,” preventing changes to the item’s content, title, and comments. 

Content restrictions can be added or removed via the API and removed via Google Drive on the web by any user who has at least editor access level for the item. 

Learn more about the new API functions in this Drive ContentRestriction (Locking) API documentation


Who’s impacted 

Admins, end users, and developers 


Why you’d use it 

While Google Drive’s collaborative editing and commenting features are often helpful and beneficial, sometimes it’s important to know that changes are not being made to a document. Locking a file with the ContentRestriction API can help accomplish this, and could be used to: 
  • Lock authoritative versions of documents to create “official” or “final” documents for record keeping. 
  • Prevent changes to documents that are involved in a workflow, automation, or business process. 
  • Freezing activity on a document for a period of reviews or audits. 

Getting started 

Rollout pace 

  • This feature is available now for all users. 

Availability 

  • Available to all customers 

Resources 

Roadmap 

Lock files via the Google Drive API to prevent content edits

What’s changing 

You can now add and remove content restrictions via the Drive API. By using the new ContentRestriction API, any file type in Drive can be “locked,” preventing changes to the item’s content, title, and comments. 

Content restrictions can be added or removed via the API and removed via Google Drive on the web by any user who has at least editor access level for the item. 

Learn more about the new API functions in this Drive ContentRestriction (Locking) API documentation


Who’s impacted 

Admins, end users, and developers 


Why you’d use it 

While Google Drive’s collaborative editing and commenting features are often helpful and beneficial, sometimes it’s important to know that changes are not being made to a document. Locking a file with the ContentRestriction API can help accomplish this, and could be used to: 
  • Lock authoritative versions of documents to create “official” or “final” documents for record keeping. 
  • Prevent changes to documents that are involved in a workflow, automation, or business process. 
  • Freezing activity on a document for a period of reviews or audits. 

Getting started 

Rollout pace 

  • This feature is available now for all users. 

Availability 

  • Available to Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education, Enterprise for Education, and Nonprofits customers

Resources 

Roadmap 

Dynamic groups beta enables automatic group membership management

What’s changing 

Dynamic groups let you create a group with membership that is automatically kept up to date with a membership query. Dynamic groups can be based on one or many user attributes, including addresses, locations, organizations, and relations. You can manage dynamic groups in the Cloud Identity Groups API and the Admin console. 

Dynamic groups is currently available as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 

Admins and developers with group create and user read privileges


Why you’d use it 

Dynamic groups work the same as other Google Groups with the added benefit that their memberships are automatically kept up-to-date. This means you can use them for the same functions, including for distribution lists, access-control list (ACL) management, and more. By automating membership management you can increase security, reduce errors, and alleviate user frustration while minimizing the burden on admins. 

Here are some examples of how you can use dynamic groups. You can create groups of: 
  • All users based in your New York office, which you can then use for email communications related to that office location. 
  • All engineers, which you can then use to provide access to specific tools. 


Additional details 

At launch, you won’t be able to manage policies such as context-aware access policies using dynamic groups. Once available, you will be able to create a dynamic group which you could then use to manage specific context-aware access policies. We are working on adding this functionality in the future, and will announce it on the G Suite Updates blog when it’s available. 


Getting started 



Rollout pace 

  • This feature is available now for all eligible users. 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Essentials, G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 

Resources 

Dynamic groups beta enables automatic group membership management

What’s changing 

Dynamic groups let you create a group with membership that is automatically kept up to date with a membership query. Dynamic groups can be based on one or many user attributes, including addresses, locations, organizations, and relations. You can manage dynamic groups in the Cloud Identity Groups API and the Admin console. 

Dynamic groups is currently available as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 

Admins and developers with group create and user read privileges


Why you’d use it 

Dynamic groups work the same as other Google Groups with the added benefit that their memberships are automatically kept up-to-date. This means you can use them for the same functions, including for distribution lists, access-control list (ACL) management, and more. By automating membership management you can increase security, reduce errors, and alleviate user frustration while minimizing the burden on admins. 

Here are some examples of how you can use dynamic groups. You can create groups of: 
  • All users based in your New York office, which you can then use for email communications related to that office location. 
  • All engineers, which you can then use to provide access to specific tools. 


Additional details 

At launch, you won’t be able to manage policies such as context-aware access policies using dynamic groups. Once available, you will be able to create a dynamic group which you could then use to manage specific context-aware access policies. We are working on adding this functionality in the future, and will announce it on the G Suite Updates blog when it’s available. 


Getting started 



Rollout pace 

  • This feature is available now for all eligible users. 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Essentials, G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 

Resources 

Group membership expiration available in beta

What’s changing 

We’re adding the ability to set expirations for group memberships using the Cloud Identity Groups API. This enables admins to set an amount of time that users are members of a group. Once the specified time has passed, users will be removed from the group automatically. 

Membership expiry is currently available as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 

Admins and developers 


Why it’s important 

Groups are a powerful way to manage permissions and access control in your organization.In many cases,, there’s a known amount of time that a user should be a member of a group. This can make managing membership time consuming, and increases the possibility that a user has overly-broad access. 

Automatic membership expiration can help reduce the administrative overhead for managing groups, and can help ensure group membership is limited to the members that need access. This can help: 
  • Increase security by ensuring users do not have long lived membership in groups, and that your group memberships don’t become too expansive. 
  • Manage security groups by using group membership with our recent launch of security groups
  • Reduce admin time and administration costs by automating some group management tasks 

Getting started 

Rollout pace 

  • This feature is available now for all users. 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, G Suite Essentials, and Cloud Identity Free customers 

Resources 

Group membership expiration available in beta

What’s changing 

We’re adding the ability to set expirations for group memberships using the Cloud Identity Groups API. This enables admins to set an amount of time that users are members of a group. Once the specified time has passed, users will be removed from the group automatically. 

Membership expiry is currently available as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 

Admins and developers 


Why it’s important 

Groups are a powerful way to manage permissions and access control in your organization.In many cases,, there’s a known amount of time that a user should be a member of a group. This can make managing membership time consuming, and increases the possibility that a user has overly-broad access. 

Automatic membership expiration can help reduce the administrative overhead for managing groups, and can help ensure group membership is limited to the members that need access. This can help: 
  • Increase security by ensuring users do not have long lived membership in groups, and that your group memberships don’t become too expansive. 
  • Manage security groups by using group membership with our recent launch of security groups
  • Reduce admin time and administration costs by automating some group management tasks 

Getting started 

Rollout pace 

  • This feature is available now for all users. 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, G Suite Essentials, and Cloud Identity Free customers 

Resources 

Service accounts in Google Groups and with Groups API now generally available

Quick launch summary 

We recently announced betas for two new features related to service accounts. Now, these features are generally available: 
  • Support for service accounts in Google Groups, which makes it easier to use service accounts with groups while increasing security and transparency. Learn more
  • Use service accounts with Google Groups APIs without domain-wide delegation, which enables service accounts to perform critical business processes without compromising your strong security and compliance posture. Learn more

Groups are a critical tool for customers to manage their G Suite deployment. Many customers use service accounts with Groups to automate user management, manage migrations, and integrate G Suite with other apps, tools, and services. Use the announcements linked above to learn more about the features and how you can use them. 

Learn more about these and other launches in our Security Blog post highlighting 10 new security and management controls for security at scale

Service accounts in Google Groups 

Getting started 

Rollout pace 

Availability 

  • Available to all G Suite customers 

Resources 

Service accounts in Google Groups and with Groups API now generally available

Quick launch summary 

We recently announced betas for two new features related to service accounts. Now, these features are generally available: 
  • Support for service accounts in Google Groups, which makes it easier to use service accounts with groups while increasing security and transparency. Learn more
  • Use service accounts with Google Groups APIs without domain-wide delegation, which enables service accounts to perform critical business processes without compromising your strong security and compliance posture. Learn more

Groups are a critical tool for customers to manage their G Suite deployment. Many customers use service accounts with Groups to automate user management, manage migrations, and integrate G Suite with other apps, tools, and services. Use the announcements linked above to learn more about the features and how you can use them. 

Learn more about these and other launches in our Security Blog post highlighting 10 new security and management controls for security at scale

Service accounts in Google Groups 

Getting started 

Rollout pace 

Availability 

  • Available to all G Suite customers 

Resources 

New APIs to sign out users and control 2-Step Verification

Quick launch summary 

We’re adding two new APIs to the Admin SDK Directory API


Sign user out of all sessions 
This new endpoint allows an admin to programmatically sign a user out of all web and device sessions. This can help manage account access when users leave an organization, if a device is lost or misplaced, or if a user forgot to sign out of a shared device. We do not recommend using this to sign users out and force a sign-in periodically; you can explore the Google web session control feature for that use case. 


Turn off 2-Step Verification 
This new endpoint allows an admin to turn 2-Step Verification (2SV) off programmatically. This action also removes all 2SV methods on the account. Note that in some cases, 2SV cannot be turned off for a user due to other policies that may be in effect. For example, a user may be enrolled in the Advanced Protection Program, or “2SV enforced” is turned on; in such cases the API will fail with an appropriate error code and message. 

Note that both of these actions can already be performed via the Admin console. The current launch makes them accessible via API as well so they can be integrated into automated offboarding workflows. 


Getting started 

  • Admins and developers: This feature will be available via the Admin SDK Directory API. Use the API documentation to learn more about the new endpoints to sign users out or turn off 2-Step Verification
  • End users: There is no end user setting for this feature. 

Rollout pace  

Availability 

  • Available to all G Suite customers 

Resources 

Security groups help manage groups used for security and access control

What’s changing 

We’re making security groups available in beta. Security groups help you easily regulate, audit, and monitor groups used for permission and access control purposes. They enable admins to: 
  • Apply a label to any existing Google Group to distinguish it from email-list groups. 
  • Provide strong guarantees that: 
    • External groups (owned outside your organization) and non-security groups cannot be added as a member of a security group. 
    • Security labels, once assigned to a group, cannot be removed. 
Soon, you’ll be able to use more granular admin roles to separate administration of security and non-security groups. Keep an eye on the G Suite Updates blog for an announcement when that rolls out. 


Who’s impacted 

Admins and developers 


Why you’d use it 

Groups are used in a variety of ways. This can include groups that help teams communicate and collaborate, as well as groups that control access to important apps and resources. Security groups can help customers manage these categories of groups differently to increase their overall security posture. 

For example, if you have compliance or regulatory requirements for managing access control, you may have set up naming conventions to keep track of which groups were used for this purpose. With security groups, you can now assign a security label to these groups and more easily manage them without having to use workarounds like naming conventions. 


Getting started 

Rollout pace 

  • This feature is available now for all users in beta. 

Availability 

  • Available to all G Suite customers 

Resources