Difference between Google Workspace G Suite Organisational Units OU and Customize Access Groups
Vložit
- čas přidán 24. 12. 2020
- In this video, I'll explain to you the difference between the organisational unit and access group of Google Workspace. Now you've started your cloud journey with Google. It’s time to get your Google Workspace or G Suite for Education set up and running!
Useful Links
Customize access to services using access groups
support.google.com/a/answer/9...
How the organisational structure works
support.google.com/a/answer/4...
About user and device policies
support.google.com/a/answer/1...
Turn a service on or off for Google Workspace users
support.google.com/a/answer/1...
Ways to Create Group
support.google.com/a/answer/3...
Creating a mailing list
support.google.com/a/answer/9...
Organzational Policy FAQ
support.google.com/a/answer/4...
First of all, what is an organisational unit?
An organizational unit, OU, in short, is simply a group that an administrator can create in the Google Workspace Admin console to apply settings to a specific set of users. If you’re an admin at a decently sized domain you may need to have several organization units set up within your Google Workspace account. Visually, OU is quite similar to your actual "Business Organisation Structure". I'll explain it to you with examples in a moment.
As mentioned earlier, the OU determines which service a department may access and which services are off-limits. If you set up your users' accounts in their related organizational units, you can turn a service on or off, enforce policies, by the department.
In this example, you can clearly see that the OU is very similar to your "Business or School Organizational Structure". The admin placed all the teacher accounts in the teachers OU. This way, he can switch on or off the service to the teachers without affecting the other part of the organisation.
By default, the Child OU inherits the settings from the parent. For example, if the admin switches on or off service at staff OU, the management and teachers OUs will inherit the settings from the staff's OU.
Although each child inherits settings from its parent, these settings can be customised. The important thing, I want to highlight is that changing a setting at a higher level changes the setting for all sub-organisations that inherit that setting. However, custom settings remain unchanged. Therefore, the Admin should always check the effectiveness of higher-level policies on children OUs.
What is an access Group?
Access Group lets you control access for specific users without changing your organizational structure. You can turn on services for a group of users rather than an entire organizational unit.
I'll explain to you with a few examples.
Originally the Google Workspace started as the access can only be configured at the Organizational Unit (OU) level. In 2018 Google introduced Access Groups to make it possible to control access by other organizational elements. Access group is useful when you need to turn service on or off for users across or within departments. Without moving out users from the OU, you just need to put their accounts to an access group to control access.
As shown here a user can only belong to a single OU at a time. However, Users from different OUs can belong to a group or Users can belong to multiple groups. For instance, a teacher belongs to teachers OU only. While that teacher can be in the Chess Group, Charity Group and Photography group. That's a good example of how users can associate across or within OUs by taking advantage of access groups. Therefore, this type of interaction requires users to get customised services.
As mentioned earlier, in Google Workspace, you can turn on services for a group of users rather than an entire organizational unit. This lets you control access for specific users without changing your organizational structure. For example, let a group approve CZcams videos or a team share Drive files across or within the department, even with people outside of your organization.
In this example, Google Drive is turned on for the Staff OU while it is turned off for the students' OU.
The students from the literature group and photography group require access to Google Drive. So the admin can easily turn on these groups.
The group can include users from outside the domain. That means, Groups can include any users in your account. With groups, you can customize service settings for a group of users. For example, you let parents who are outside of the school domain to see the Drive files, in this case, students' assignment results.
This is the comparison table about Groups and organisational units.
Very good explanation! Thank you!
Thank you so much for your kind comments.