Restrict group membership

This page is for administrators who manage groups for an organization. To manage groups for your own account, visit Google Groups help.

Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium.

As an administrator, you can restrict internal groups or accounts from joining another of your organization’s groups by using a member restriction setting at the single-group level. You can also use this setting to let certain members from external organizations join one of your organization’s groups. 

Important: Only groups that someone from inside your organization created—not external groups, which are created outside the organization—can ever join a member-restricted group.

Use the API

Any group owner or manager with access to the API can use it for restricting membership. These users can’t make restrictions more lenient or remove them, and only admins can reverse any changes that such users make.

Use member type

Allow or exclude membership using any combination of these member categories: 

  • Group
  • User account, which a person uses
  • Service account, which an application or virtual machine uses

For example, you can allow users and service accounts into your group, but not other groups. 

Also, if you allow groups as a member type, you can place or nest a group within another group. Turn off nesting by disallowing the addition of groups inside other groups.

Considerations

  • If you add member restrictions to a group, then you can’t directly add members that violate those restrictions. (You might do so indirectly, through nesting.) 
  • While child groups may have more restrictions than their parent groups do, they must at least have the restrictions that the parent has.

Use customer ID

While you can’t restrict individual users, you can restrict further, beyond member type. Based on the customer ID that Google gives every organization, you can exclude certain external member types while allowing others. As examples, you might allow:  

  • Only internal members
  • External user accounts and only internal service accounts and groups
  • External service accounts and only internal users and groups.

Does a group already have restrictions?

Check the Security settings (beta) card on the group details page. A code underneath the Member restriction heading indicates that restrictions are in place. Because these restrictions are enforced when someone adds members to a group, adding members triggers a check on the evaluation state. Check the Evaluation state column for the current status of those restrictions. 

Evaluation state: Meaning

  • Compliant: The group only contains members that fit the current restriction criteria.
  • Non compliant: The group contains members that do not fit the current restriction criteria, and other such members may be added to groups within the group.
  • Forward compliant: The group contains members that do not fit the current restriction criteria, but no other such members may be added to the group.
  • Evaluating: The system is still figuring out your evaluation state.

Considerations

  • Removing restrictions from a nested child group makes the parent group noncompliant.
  • You can only directly add a compliant group or member. However, after someone adds a group or member, it can later become noncompliant. 
  • Even if a parent group has noncompliant child groups nested inside of it, the parent can still be compliant.

Create a group with member restrictions

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Directory and then Groups.
  3. Click Create group.
  4. Enter the group info and then click Next.
  5. Choose your access settings and then click Next.
  6. Select Restrict membership.
  7. Add conditions to the group security settings.
    As you build the query, you see the code.
  8. (Optional) To change the query, modify the options you’ve chosen or the code at the bottom.
  9. Click Create group.
    The Security settings (beta) card on the group details page displays the query that you built and the restriction status. 

Manage restrictions for an existing group

Putting member restrictions on a group means that no one can add noncompliant members to the group. The restrictions don’t kick any noncompliant members out of the group automatically. However, you can go to your member list and remove accounts from the group manually.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Directory and then Groups.
  3. Click on a group and then go to the group details page.
  4. Click the Security settings (beta) card and then Security settings to expand them.
  5. Choose an option:
    • Edit the query using the query builder or the code. (Point to the tooltip for details about the code.)
    • Click No restrictions to clear your queries, removing member restrictions.
  6. Click Save.
    The Restriction status could be evaluating for anywhere from a few seconds to 24 hours.
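
Because restrictions block new noncompliant members but do not remove existing ones, it helps to audit the member list after you apply a restriction. The following is an added example, not Google's code or API: a local model of a member-type and customer-ID restriction (here, "external user accounts and only internal service accounts and groups"), run over a constructed membership export to list direct members to remove and accounts that arrive indirectly through nesting. All class names, customer IDs and addresses are assumptions.

```python
from dataclasses import dataclass

USER, SERVICE_ACCOUNT, GROUP = "user", "service_account", "group"

@dataclass(frozen=True)
class Member:
    email: str
    kind: str         # USER, SERVICE_ACCOUNT or GROUP
    customer_id: str  # customer ID of the organization that owns the account

@dataclass(frozen=True)
class Restriction:
    own_customer_id: str
    allowed_kinds: frozenset   # member types allowed at all
    external_kinds: frozenset  # member types also allowed from other customer IDs

    def allows(self, m: Member) -> bool:
        internal = m.customer_id == self.own_customer_id
        # External groups can never join a member-restricted group.
        external_ok = m.kind != GROUP and m.kind in self.external_kinds
        return m.kind in self.allowed_kinds and (internal or external_ok)

def audit(group, memberships, restriction):
    """Return (direct, nested) lists of member emails that violate the restriction."""
    members = memberships.get(group, [])
    direct = sorted(m.email for m in members if not restriction.allows(m))
    stack = [m.email for m in members if m.kind == GROUP]
    nested, seen = set(), {group}
    while stack:  # walk nested groups; 'seen' guards against membership cycles
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            for m in memberships.get(g, []):
                if m.kind == GROUP:
                    stack.append(m.email)
                elif not restriction.allows(m):
                    nested.add(m.email)
    return direct, sorted(nested)

ORG, PARTNER = "C-internal", "C-partner"  # constructed customer IDs
POLICY = Restriction(ORG, frozenset({USER, SERVICE_ACCOUNT, GROUP}), frozenset({USER}))
MEMBERSHIPS = {  # constructed sample export: group email -> direct members
    "eng@example.com": [
        Member("bob@partner.example", USER, PARTNER),
        Member("ci-bot@partner.example", SERVICE_ACCOUNT, PARTNER),
        Member("contractors@example.com", GROUP, ORG)],
    "contractors@example.com": [
        Member("deploy@partner.example", SERVICE_ACCOUNT, PARTNER),
        Member("eng@example.com", GROUP, ORG)]}
```

Calling `audit("eng@example.com", MEMBERSHIPS, POLICY)` returns the external service account added directly before the restriction existed, and separately the one that reaches the group only through the nested contractors group.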

Add & remove members from groups with restrictions
