Group acces for some organizations

326 views
Skip to first unread message

Manuel Almonacid Navarro

unread,
Mar 6, 2018, 7:21:56 AM3/6/18
to GAM for G Suite
Good morning.
I manage GSuite accounts in a highschool in Spain. We have a teachers organization and a students organization and I'm trying to create mail groups which are avaliable only for teachers' one.
I supose the command for getting it is who_can_view_group, but the parameters are: all_in_domain_can_view | all_managers_can_view | all_members_can_view or anyone_can_view. None of them allows to specify which organization can view.
Does anybody know if there's any way to get it?
Thanks.
Manuel.

Ross Scroggs

unread,
Mar 6, 2018, 11:18:24 AM3/6/18
to google-ap...@googlegroups.com
Manuel,

There is no support for what you want.

Ross

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/3d4c1690-61b3-43e8-a84d-76e28ba4a8ba%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Jay Lee

unread,
Mar 6, 2018, 11:28:59 AM3/6/18
to google-ap...@googlegroups.com
Are you concerned with who can view the groups (in the groups UI) or are you concerned with who can SEND mail to the groups?

Jay


On Tue, Mar 6, 2018 at 11:18 AM Ross Scroggs <ross.s...@gmail.com> wrote:
Manuel,

There is no support for what you want.

Ross
On Tue, Mar 6, 2018 at 4:07 AM, Manuel Almonacid Navarro <man...@iesjuniper.com> wrote:
Good morning.
I manage GSuite accounts in a highschool in Spain. We have a teachers organization and a students organization and I'm trying to create mail groups which are avaliable only for teachers' one.
I supose the command for getting it is who_can_view_group, but the parameters are: all_in_domain_can_view | all_managers_can_view | all_members_can_view or anyone_can_view. None of them allows to specify which organization can view.
Does anybody know if there's any way to get it?
Thanks.
Manuel.

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.

Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/3d4c1690-61b3-43e8-a84d-76e28ba4a8ba%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.

Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJkvRS9He7T_3Pk6qemW%3DSE42ag6vnMOMLF2rxzbC5NFA2EDcw%40mail.gmail.com.

+KimNilsson

unread,
Mar 7, 2018, 10:52:01 AM3/7/18
to GAM for G Suite
Hey, Manuel!

The one you are looking for is all_members_can_view.
And then you make sure that you don't put students as members of the groups you don't want them to view (which also means receive emails from).

Manuel Almonacid Navarro

unread,
Mar 8, 2018, 2:30:36 AM3/8/18
to GAM for G Suite
Thanks for your reply Jay.
Teachers should be able to view all groups in the domain and send them mails, whether they are members or not, but students shouldn't do that.
Manuel

Manuel Almonacid Navarro

unread,
Mar 8, 2018, 2:34:16 AM3/8/18
to GAM for G Suite
Thanks for your reply Kim.
We want teachers can view and post mails to all groups in the domain, whether they are members or not, but not the students. With  all_members_can_view teachers won't view students groups.
Manuel

Manuel Almonacid Navarro

unread,
Mar 8, 2018, 2:42:33 AM3/8/18
to GAM for G Suite
Thanks for your reply Ross.
I had a look at the API documentation you send me, but I didn't found anything about organizations. All options are about all members, all in domain or nobody. That's not what we need.
Manuel

Kim Nilsson

unread,
Mar 8, 2018, 6:11:55 AM3/8/18
to Google Apps Manager
Yes, but then you are out of luck. There are no such settings.
I see no reason why teachers should receive all emails sent to student groups. My teachers get enough emails as it is already.

Manuel Almonacid Navarro

unread,
Mar 8, 2018, 6:39:33 AM3/8/18
to GAM for G Suite
Ok, I think I was wrong. I mean that teachers must view group adresses at their contact list, not messages of these groups. We want to hide users directory and groups to students.
Sorry for my mistake, I'm spanish and my english isn't as good as I would like.
Thanks again.
Manuel

Kim Nilsson

unread,
Mar 8, 2018, 10:07:54 AM3/8/18
to Google Apps Manager
Ok, that's not possible.
Groups are either avilable in the Directory for everybody, or for nobody.

Jay Lee

unread,
Mar 8, 2018, 10:26:37 AM3/8/18
to google-ap...@googlegroups.com
So there's no way to do this with GAM or the APIs. However the email routing rules included with G Suite are *extremely* powerful and would allow you to allow teachers to email groups while students could not (they'd send the email and get a rejection notice). Steps are pretty involved and I recommend plenty of testing in a sandbox domain or OU structure before deploying to your main environment (get this wrong and no one may be getting email).

The below is actually specific to preventing groups of students from emailing each other (e..g high school students should not be able to email lower school students to prevent bullying issues). However it can be adapted to teachers vs. students.

When you create the receive rule at the root OU, you'll have the option to apply it to groups at the very bottom under "Show options". There you can also bypass the rule for groups that students *should* be able to email.

Jay

Create sending rule

Create a sending rule to apply a header on internal messages that identify a person type (teacher, elementary student, high school student, etc.)

  • In your Google Admin console (at admin.google.com) go to Apps > G Suite > Gmail > Advanced settings.

  • On the left, select the organization for the users that you wish to apply the sending rule, such as High School Students.  

  • Scroll to the Content compliance setting in the Compliance section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.

  • Provide a description for the rule, such as “Mark all messages sent by High School Students with high-school header.”)

  • Under “1. Email messages to affect,” check the box for "Internal - sending" only.

  • Do not add any expressions under “2. Add expressions that describe the content you want to search for in each message.”

  • Under “3. If the above expressions match, do the following” choose “Modify message” in the dropdown.  

  • Under “Headers,” Check the box for “Add custom headers.

  • Next to “Custom headers” click “ADD.”

  • Under “Add header” enter “Person-Type” for Header key and a header name for Header value.  For example: X-Person-Type: high-school (or middle-school, elementary-school, teachers, etc).  Note “X-” is already prepended.

  • Click “Add Setting” to save the compliance setting

  • Click “Save” to save the advanced Gmail settings.  

  • Repeat the above process for additional organizations that you wish to prevent from sending messages to another organization, such as Middle School students.  



Create Receiving Rule

Create a receiving rule on organizations that should not receive from some other internal users

  • In your Google Admin console (at admin.google.com) go to Apps > G Suite > Gmail > Advanced settings.

  • On the left, select the organization for the users that you wish to apply the receiving rule, such Elementary School Students.  

  • Scroll to the Content compliance setting in the Compliance section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.

  • Provide a description for the rule, such as “Prevent Elementary School students from receiving email from messages with high-school and middle-school headers.”)

  • Under “1. Email messages to affect,” check the box for "Internal - receiving" only.

  • Under “2. Add expressions that describe the content you want to search for in each message” next to “No expressions added yet” click “Add.”

  • Under “Expressions” select “Advanced content match” in the dropdown menu.

  • Under “Location” select “Full headers.”

  • Under “Match type” select “Not matches regex.”

  • Under “Regexp” enter “^X-Person-Type: (high-school|middle-school)$” (without quotes).

  • Under “Regex Description” enter “Reject message if it is marked with high-school or middle-school.”

  • Click “Save” to save the expression.

  • Under “3. If the above expressions match, do the following” choose “Reject Message” from the dropdown menu.  

  • Under “Customize rejection notice” enter a good description for the sender to receive so that they understand why the message was returned to sender such as “This message has been rejected because your organization is not allowed to send email to the Elementary School Students organization.

  • Click “Add Setting” to save the compliance setting.

  • Click “Save” to save the advanced Gmail settings.  







On Thu, Mar 8, 2018 at 10:07 AM Kim Nilsson <there.is.no...@gmail.com> wrote:
Ok, that's not possible.
Groups are either avilable in the Directory for everybody, or for nobody.

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.

Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGPzzFutGf0dNZRm9c%3DSF1oySJZS7JJiz5jr9OC_SFmCGnDO7A%40mail.gmail.com.

Kim Nilsson

unread,
Mar 8, 2018, 10:44:41 AM3/8/18
to Google Apps Manager
Wow, cool approach, Jay!

That way you can differentiate mail from any user in any OU, even if both email address syntax and domain are the same.
Thank you!

k.melillo

unread,
Mar 8, 2018, 10:58:29 AM3/8/18
to GAM for G Suite
Great idea, and explanation... I must now take this, and see what other email flows it can be used for.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.

Manuel Almonacid Navarro

unread,
Mar 8, 2018, 1:36:59 PM3/8/18
to GAM for G Suite
Wow. It sounds great! I'm not at work right now, but I'll test it tomorrow. That's a fantastic solution that can be used for other purposes than mine.
Big thanks Jay, and thanks Kim for all your replies.
Manuel
Reply all
Reply to author
Forward
0 new messages