If you have fewer than 50 users, it might be simpler to use only organizational units to Turn a service on or off for Google Workspace users.
If you turn off a service for one or more organizational units, you can turn it on for some members by using an access group. This lets you grant access for specific users without changing your organizational structure.
Example: YouTube is currently turned off for all organizational units. But some people in Marketing and Sales need access to YouTube. To override those peopleâs organizational unit settings for this policy, place them in a access group and turn on YouTube for that group.
On this page
- Options for giving users access to services
- How to use access groups
- Set up an access group
- Verify your settings
- Edit access groups
- Troubleshooting
Options for giving users access to services
In the Google Admin console, you can turn off an organizational unitâs access to a Google service, such as Google Drive. Then, if some users in that organizational unit need to use Drive, you have 2 options:
- Move the users to an organizational unit that has Drive turned on.
- Or add the users an access group and turn on Drive for the group. Each member can access the service, even if their organizational unit has the service turned off.
Organizational units | With an access group |
---|---|
Google Drive is turned off for organizational units 1 and 2 |
But a group of users within organizational units 1 and 2 can use Google Drive |
How to use access groups
Access groups can turn on user access to Google services. An access group canât turn off user access to a service thatâs turned on for an organizational unit.
- Access groups can include any users or groups in your organization.
- You can create a group as an access group or use an existing group.
- Access groups control only whether a service is on for a user. You control service settings (such as Drive sharing) using an organizational unit or configuration group. Learn more
Expand section | Collapse all & go to top
Access groups | Organizational units | |
---|---|---|
Function |
Turn on services. |
|
Service access | Turn on service for users in the group. Always overrides the organizational unit's setting. | Turn service on or off for users in the organizational unit. |
Services supported | ||
User membership | Users from different organizational units can belong to a group. Users can belong to multiple groups. | A user belongs to a single organizational unit. |
Inheritance | Yes. Groups within a group get access to the service. | Yes. Organizational units can inherit or override the parent organizational unit setting. |
Automatic user licensing | No | Yes |
Access groups override service access for an organizational unit. To override service settings, such as Drive sharing, use a configuration group.
Go to Customize service settings with configuration groups.
Tip: The same group can be used as both an access group and a configuration group. You can therefore use one group to give users access to a service and customize settings for the service.
Set up an access group
Follow these steps to turn on a service using an access group.
Note: To set up access groups for password vaulted apps, see Get started with password vaulted apps.
Expand section | Collapse all & go to top
Step 1. List group members and their organizational unitsIdentify the organizational unit for each user that you want to place in the access group. For services included with certain editions, such as Google Vault, check that users have licenses assigned.
Set your general policy by turning off the service for each user's organizational unit. This setting applies to all users in the organizational unit. (Later, you'll turn on service access for your access group.)
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu Apps.
- Click the type of service: Google Workspace, Additional Google services, Web and mobile apps, or Google Workspace Marketplace apps.
- Select the organizational unit for a user in the access group.
- On the right, point at the row for the service.
- Click Turn Off.
- If needed, repeat for the organizational units of other group members.
You can create a group to use as a access group, or use an existing group.
Your group must be created in one of the following ways:
Important: Groups created in Google Groups can't be used as access groups. To check how a group was created, use the Groups API.
A dynamic group requires the security label, to be used as a access group.
If your group meets the above criteria, it will be available when turning on a service for a group.
For this step, you need admin privileges for Groups, Organizational Units (top-level), and Service Settings. Learn more about Administrator privilege definitions.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu Apps.
- Click the type of service: Google Workspace, Additional Google services, Web and mobile apps, or Google Workspace Marketplace apps.
- In the Groups section, find and select your group:
- To view the list of access groups, click Search for a group.
- Search by group name or address.
If you donât find your group, it might be a group created in Google Groups, which can't be used as an access group.
- On the right, point at the row for the service and click Turn On.
To later turn off the service for this group, click Unset.
Tip: To set multiple services, check the box for each service and click On in the upper right.
Changes can take up to 24 hours but typically happen more quickly. Learn more
Verify your settings
To make sure your access groups are working as intended, check service status based on a user, a service, or your access group.
Expand section | Collapse all & go to top
Verify a user's service accessCheck a user's accounts page to verify their services and group memberships.
Verify how organizational units and groups are configured for a particular service.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu Apps.
- Click the type of service: Google Workspace, Additional Google services, Web and mobile apps, or Google Workspace Marketplace apps.
- At the top left, click All users in this account.
- Find a service with the status of On for some. This status indicates that the service is turned on for an organizational unit or access group.
- Point at On for some and click View details.
- Review the service status for all groups and organizational units.
Check the status of all services for a particular organizational unit or group.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu Apps.
- Click Google Workspace or Additional Google services.
-
On the left, select the view.
View | Actions for the service | Status for the service |
---|---|---|
All users in this account |
Turn on for everyone or Turn off for everyone (this unsets all access groups) |
Status is based on groups and organizational units.
|
Groups |
On or Unset |
|
Organizational Units |
On or Off |
Status is based only on organizational units.
|
Edit access groups
Expand section | Collapse all & go to top
Turn off a service for an access groupOn this page, go to Step 4: Turn on the service.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu Apps.
- Click the type of service: Google Workspace, Additional Google services, Web and mobile apps, or Google Workspace Marketplace apps.
-
On the left, click All users in this account.
-
Point at a service and click More select Turn Off for everyone or Turn On for everyone.
- Turn Off for everyoneâUnsets access groups (no longer shown as On).
- Turn On for everyoneâNo change to access groups settings.
When you remove members from or delete an access group, the members no longer have access to services through that group.
Troubleshooting
Expand section | Collapse all & go to top
I donât see the access group on the apps page- The group might have been created in Google Groups and can't be used as an access group.
- Search for the group address rather than the group name.
- Try refreshing the apps page.
- Check that you have the Groups admin privilege.
- Check a userâs services and group membership.
- Check that the user has a license assigned for the service.
The service status shows whether service is on or off for the organizational unit. It doesnât indicate whether the organizational unit contains users in an access group. To check an access groupâs services settings, follow the first 4 steps in Step 4: Turn on the service.