Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Ringkasan Groups API
Dengan Cloud Identity Groups API, Anda dapat membuat dan mengelola berbagai jenis grup, yang masing-masing mendukung fitur yang berbeda, serta keanggotaannya.
Jenis grup
Grup adalah kumpulan entitas, di mana setiap entitas dapat berupa grup lain atau pengguna. Cloud Identity Groups API mendukung jenis grup berikut:
Google Grup
Google Grup memiliki alamat email dan sering digunakan sebagai milis. Google Grup juga dapat digunakan di banyak produk Google.
Misalnya, Anda dapat membagikan Dokumen Google kepada grup, mengundang grup ke acara Google Kalender, atau menggunakan grup untuk pengelolaan akses di IAM.
Grup Google adalah jenis grup default.
Grup dinamis
Grup dinamis adalah Google Grup yang keanggotaannya dikelola secara otomatis menggunakan kueri keanggotaan atau kueri tentang atribut karyawan, seperti peran pekerjaan atau lokasi gedung. Misalnya, kueri keanggotaan mungkin berupa "semua pengguna yang peran pekerjaannya adalah Penulis Teknis di organisasi saya".
Grup keamanan
Grup keamanan mirip dengan Grup Google, tetapi digunakan secara khusus untuk
mengontrol akses ke sumber daya organisasi. Grup keamanan dibuat dengan mengubah Google Grup menjadi grup keamanan.
Grup terkunci
Grup yang dikunci adalah Google
Grup yang telah dikunci oleh administrator agar sinkronisasi dengan sumber eksternal tetap terjaga, seperti penyedia identitas.
Administrator juga dapat mengunci Google Grup untuk meningkatkan keamanan grup sensitif. Saat Anda mengunci Grup Google, pengeditan atribut inti dan keanggotaan dibatasi untuk sebagian administrator.
Meskipun pemilik, pengelola, dan anggota grup standar masih dapat memperbarui setelan seperti moderasi pesan atau izin memposting, modifikasi pada atribut berikut dibatasi untuk administrator yang berwenang. Administrator
yang diberi otorisasi biasanya adalah mereka yang memiliki peran atau kondisi tertentu seperti
Groups Admin atau Groups Editor dengan kondisi yang mencakup grup
yang dikunci.
Grup POSIX (Tidak digunakan lagi)
Grup POSIX adalah Grup Google yang digunakan untuk mengelola keanggotaan grup di lingkungan LDAP. Grup POSIX dibuat dengan memperbarui Grup Google menggunakan data POSIX. Data grup POSIX mencakup nama grup dan ID grup (GID).
Grup POSIX terintegrasi dengan Google Cloud dan digunakan oleh VM di organisasi Anda yang mengaktifkan Login OS.
Grup dengan pemetaan identitas
Grup dengan pemetaan identitas adalah grup yang berisi pengguna dan grup yang disinkronkan dari sumber identitas non-Google, seperti Active Directory. Grup yang dipetakan identitas memungkinkan Google Cloud Search mengenali pengguna dan grup, serta izin mereka untuk dokumen yang dicari, yang disimpan di sumber identitas eksternal. Misalnya, Anda mungkin memiliki pengguna example_user_org@your_domain.com yang memiliki izin tertentu untuk dokumen. Pengguna ini dapat disinkronkan ke example_user@your_domain.com sehingga Google Cloud Search mengenali izin yang sama untuk dokumen yang sama.
Permintaan pembuatan grup Cloud Identity Groups API hanya diizinkan dari akun layanan.
Untuk menyinkronkan grup dengan pemetaan identitas di Google Cloud Search, Anda harus membuat konektor identitas. Jika menggunakan Java, Anda dapat membuat konektor identitas menggunakan
Google Cloud Search Java SDK. Jika ingin menggunakan REST API, Anda dapat menggunakan
Cloud Identity Groups API. Untuk mengetahui informasi selengkapnya tentang konektor identitas, lihat Menyinkronkan berbagai sistem identitas dalam dokumentasi Cloud Search.
Properti grup
Setiap grup, terlepas dari jenisnya, memiliki properti berikut:
Label
Label mengidentifikasi jenis grup:
Google Grup:cloudidentity.googleapis.com/groups.discussion_forum
Grup dinamis:cloudidentity.googleapis.com/groups.dynamic
Grup keamanan:cloudidentity.googleapis.com/groups.security
(label ini ditambahkan ke
cloudidentity.googleapis.com/groups.discussion_forum, karena grup keamanan
didasarkan pada Google Grup)
Grup terkunci:cloudidentity.googleapis.com/groups.locked
(label ini ditambahkan ke
cloudidentity.googleapis.com/groups.discussion_forum, karena grup
terkunci didasarkan pada Google Grup)
Grup POSIX:cloudidentity.googleapis.com/groups.posix (label ini ditambahkan ke cloudidentity.googleapis.com/groups.discussion_forum, karena grup POSIX didasarkan pada Google Grup)
Grup dengan pemetaan identitas:system/groups/external
Kunci entitas
Kunci entitas adalah ID unik yang mudah dibaca untuk
grup:
Google Grup, grup dinamis, dan grup keamanan: alamat email grup
Grup dengan pemetaan identitas: string yang memenuhi syarat dengan namespace. Namespace dibuat saat Anda membuat sumber identitas di Google Cloud Search.
Untuk mengetahui informasi lebih lanjut tentang sumber identitas, lihat Menyinkronkan berbagai sistem identitas dalam dokumentasi Cloud Search.
Induk
Induk adalah resource tempat grup berada. Untuk Google Grup, grup dinamis, dan grup keamanan, induknya adalah pelanggan yang memiliki domain. Untuk grup dengan pemetaan identitas, induknya adalah sumber identitas tempat grup disinkronkan.
Nama tampilan
Nama tampilan adalah nama grup sebagaimana muncul di produk Google.
Keanggotaan dan properti keanggotaan
Entitas yang termasuk dalam grup disebut sebagai anggota dan hubungannya dengan grup tersebut disebut sebagai keanggotaan. Entitas dapat berupa pengguna, grup, atau akun layanan. Keanggotaan
memiliki properti berikut:
Kunci anggota pilihan
Kunci anggota pilihan adalah ID unik yang dapat dibaca manusia untuk anggota.
Untuk Grup Google atau pengguna perorangan, kunci anggota pilihan adalah alamat email grup atau pengguna. Untuk grup yang dipetakan identitasnya, kunci anggota
yang disukai adalah string yang memenuhi syarat dengan namespace.
Peran keanggotaan
Peran keanggotaan mewakili izin yang dimiliki anggota dalam grup.
Peran yang didukung adalah sebagai berikut:
MEMBER, yang tidak memiliki izin khusus. Setiap keanggotaan harus memiliki
setidaknya peran keanggotaan MEMBER.
OWNER, yang memiliki izin luas, seperti mengelola OWNER lain atau
menghapus grup.
MANAGER, yang memiliki lebih sedikit izin daripada OWNER, tetapi lebih banyak daripada MEMBER, seperti mengelola MANAGER lain.
Anda dapat mengimpor pengguna dan grup yang belum ada di Cloud Identity
sebagai sumber identitas eksternal. Anda harus membuat
sumber identitas
untuk organisasi Anda terlebih dahulu, lalu mengimpor informasi pengguna dan grup ke
Cloud Identity.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-08-18 UTC."],[[["\u003cp\u003eThe Cloud Identity Groups API enables the creation and management of various group types, including Google Groups, dynamic groups, security groups, locked groups, POSIX groups (deprecated), and identity-mapped groups, each with distinct functionalities.\u003c/p\u003e\n"],["\u003cp\u003eDynamic groups automatically manage memberships based on queries or employee attributes, and are available to certain Google Workspace accounts with a limit of 500 per customer.\u003c/p\u003e\n"],["\u003cp\u003eSecurity groups are specialized Google Groups used to control access to organizational resources and, once updated to a security group, cannot be reverted back to a standard Google Group.\u003c/p\u003e\n"],["\u003cp\u003eLocked groups are Google Groups that administrators restrict to prevent synchronization issues or to enhance security, limiting modifications to core attributes and memberships to authorized administrators only.\u003c/p\u003e\n"],["\u003cp\u003eIdentity-mapped groups sync users and groups from external identity sources to allow services like Google Cloud Search to recognize permissions, and can only be managed through the Groups API, not the Google Admin console.\u003c/p\u003e\n"]]],[],null,["# Groups API overview\n===================\n\nThe Cloud Identity Groups API allows you to create and manage different types\nof groups, each of which supports different features, as well as their\nmemberships.\n| **Note:** The Cloud Identity Groups API only works with [Google Groups for Business](https://support.google.com/a/answer/33329). If you want to create and manage non-business Google Groups, you can use the [Google Groups web interface](https://groups.google.com).\n\nGroup types\n-----------\n\nA *group* is a collection of *entities*, where each entity can be either another\ngroup or a user. The Cloud Identity Groups API supports the following group types:\n\n*Google Groups*\n: Google Groups have an email address and are frequently used\n as mailing lists. Google Groups can also be used across many Google products.\n For example. you can share a Google Doc with a group, invite a group to a Google\n Calendar event, or use a group for access management in IAM.\n A Google Group is the default group type.\n\n*Dynamic groups*\n\n: Dynamic groups are Google Groups whose memberships are automatically managed\n using a membership query or a query on employee attributes, such as job role or\n building location. For example, a membership query might be \"all users whose job\n role is Technical Writer in my organization.\"\n\n:\n | **Note:** Dynamic groups are only available to Google Workspace Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity premium accounts. You can create up to 500 dynamic groups per customer. This limit can be increased on a case-by-case basis---contact [Google Workspace Support](https://support.google.com/a/answer/1047213) with your specific use case to request an increase.\n\n*Security groups*\n\n: A security group is similar to a Google Group, but is used specifically for\n controlling access to organizational resources. A security group is created by\n updating a Google Group to a security group.\n\n | **Warning:** A security group cannot be changed back to a Google Group.\n\n*Locked groups*\n\n: A [locked](https://support.google.com/a?p=locked-groups) group is a Google\n Group that administrators have locked to prevent it from getting out of\n synchronization with an external source, such as an identity provider.\n Administrators can also lock a Google Group to increase security for\n sensitive groups. When you lock a Google Group, edits to core attributes and\n memberships are restricted to a subset of administrators.\n\n While standard group owners, managers, and members can still update settings\n like message moderation or posting permissions, modifications to the\n following attributes are limited to authorized administrators. Authorized\n administrators are typically those with specific roles or conditions like\n `Groups Admin` or `Groups Editor` with a condition that includes locked\n groups.\n\n*POSIX groups* (Deprecated)\n:\n | **Caution:** POSIX groups are [deprecated](/identity/docs/deprecations). As of September 26, 2024, you can no longer create new POSIX groups. For more information, see [POSIX groups deprecation](/identity/docs/deprecations/posix-groups).\n\n: A POSIX group is a Google Group that is used to manage\n group membership in LDAP environments. A POSIX group is created by\n updating a Google Group with POSIX data. The POSIX group data includes a group\n name and group ID (GID).\n\n POSIX groups are integrated with Google Cloud and are used by VMs in your\n organization that have OS Login enabled.\n:\n | **Note:** You must use the beta version of the Cloud Identity Groups API to create and manage POSIX groups.\n\n*Identity-mapped groups*\n\n: An identity-mapped group is a group containing users and groups synced\n from a non-Google identity source, such as Active Directory. Identity-mapped\n groups allow [Google Cloud Search](https://developers.google.com/cloud-search)\n to recognize users and groups, and their permissions to searched documents,\n stored in an external identity source. For example, you\n might have a user `example_user_org@your_domain.com` who has certain\n permissions to documents. This user can be synced to `example_user@your_domain.com` so\n that Google Cloud Search recognizes their same permissions to the same\n documents.\n\nCloud Identity Groups API group creation requests are permitted only from service accounts.\n\n: To sync identity-mapped groups in Google Cloud Search, you must create an identity\n connector. If you are using Java, you can create an identity connector using the\n Google Cloud Search Java SDK. If you want to use a REST API, you can use the\n Cloud Identity Groups API. For further information on identity connectors, refer to\n [Sync different identity systems](https://developers.google.com/cloud-search/docs/guides/identity-mapping)\n in the Cloud Search documentation.\n\n| **Note:** Identity-mapped groups can only be created and accessed through the Groups API. For example, you cannot view identity groups in the Google Admin console.\n\nGroup properties\n----------------\n\nEach group, regardless of type, has the following properties:\n\n*Label*\n: The label identifies the type of group:\n\n - **Google Groups:** `cloudidentity.googleapis.com/groups.discussion_forum`\n - **Dynamic groups:** `cloudidentity.googleapis.com/groups.dynamic`\n - **Security groups:** `cloudidentity.googleapis.com/groups.security` (this label is in addition to `cloudidentity.googleapis.com/groups.discussion_forum`, because security groups are based on Google Groups)\n - **Locked groups:** `cloudidentity.googleapis.com/groups.locked` (this label is in addition to `cloudidentity.googleapis.com/groups.discussion_forum`, because locked groups are based on Google Groups)\n - **POSIX groups:** `cloudidentity.googleapis.com/groups.posix` (this label is in addition to `cloudidentity.googleapis.com/groups.discussion_forum`, because POSIX groups are based on Google Groups)\n - **Identity-mapped groups:** `system/groups/external`\n\n*Entity key*\n\n: An entity key is a human-readable unique identifier for the\n group:\n\n - **Google Groups, dynamic groups, and security groups:** the email address of the group\n - **Identity-mapped groups:** a string qualified with a namespace. The namespace is established when you create an identity source in Google Cloud Search. For further information on identity sources, refer to [Sync different identity systems](https://developers.google.com/cloud-search/docs/guides/identity-mapping) in the Cloud Search documentation.\n\n*Parent*\n\n: A parent is the resource to which the group belongs. For Google\n Groups, dynamic groups, and security groups, the parent is the customer who\n owns the domain. For an identity-mapped group, the parent is the identity\n source from which the group is synced.\n\n*Display name*\n\n: The display name is the name of the group as it appears in\n Google products.\n\nMemberships and membership properties\n-------------------------------------\n\nAn entity that belongs to a group is referred to as a *member* and its\nrelationship with that group is referred to as a *membership*. Entities can be\nusers, groups, or service accounts. A membership\nhas the following properties:\n\n*Preferred member key*\n: A preferred member key is a human-readable unique identifier for the member.\n For a Google Group or an individual user, the preferred member key is the email\n address of the group or user. For an identity-mapped group, the preferred member\n key is a string qualified with a namespace.\n\n*Membership roles*\n\n: Membership roles represent the permissions that the member has in the group.\n The supported roles are as follows:\n\n - `MEMBER`, which has no special permissions. Every membership must have\n at least the `MEMBER` membership role.\n\n - `OWNER`, which has broad permissions, such as managing other `OWNER`s or\n deleting the group.\n\n - `MANAGER`, which has fewer permissions than an `OWNER`, but\n more than a `MEMBER`, such as managing other `MANAGER`s.\n\nThe permissions that a specific membership role has in a group can be\ncustomized in the [Google Groups web interface](https://groups.google.com)\nor in the [Google Admin console](https://admin.google.com). For more\ninformation, see\n[Set who can view, post \\& moderate](https://support.google.com/groups/answer/2464975).\n\nYou can import users and groups that aren't already in Cloud Identity\nas an external identity source. You must first create an\n[identity source](/identity/docs/overview)\nfor your organization, then import user and group information into\nCloud Identity.\n| **Note:** The Google Groups web interface supports other membership roles such as `BANNED`. These memberships will not appear and cannot be managed in Cloud Identity Groups API.\n\nNext steps\n----------\n\nHere are a few next steps you might take:\n\n- To set up the API, refer to [Setting up the Groups API](/identity/docs/how-to/setup).\n\n- To create and manage Google Groups, see the\n [Creating and searching for Google Groups](/identity/docs/how-to/create-google-groups).\n\n- To learn more about dynamic groups, see the\n [Dynamic groups overview](/identity/docs/concepts/overview-dynamic-groups).\n\n- To update a Google Group to a security group, see\n [Update a Google Group to a security group](/identity/docs/how-to/update-group-to-security-group).\n\n- To create and manage identity-mapped groups, see\n [Creating and searching for identity-mapped groups](/identity/docs/how-to/create-identity-groups)."]]
