Does Google limit admin roles?
230 views
Skip to first unread message
David Walton
Sep 23, 2022, 1:59:52 PM9/23/22
to GAM for Google Workspace
Is there a limit to how many users can have a particular admin role? I added 1000 users to an admin role, and noticed that the Google Workspace admin console started slowing down and delivering errors, and GAM stopped assigning users at around ~1000.
Is that because I added too many at once and overloaded the system, or because I hit a user cap?
Jay Lee
Sep 23, 2022, 2:04:17 PM9/23/22
to google-ap...@googlegroups.com
I'm scared to ask... why do you need 1,000 admins in your organization?
Jay Lee
On Fri, Sep 23, 2022 at 1:59 PM David Walton <david....@biola.edu> wrote:
Is there a limit to how many users can have a particular admin role? I added 1000 users to an admin role, and noticed that the Google Workspace admin console started slowing down and delivering errors, and GAM stopped assigning users at around ~1000.Is that because I added too many at once and overloaded the system, or because I hit a user cap?
--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0297619d-d46c-402b-a8c3-5f1fc4fd4fb2n%40googlegroups.com.
Walter Moore
Sep 23, 2022, 2:18:12 PM9/23/22
to google-ap...@googlegroups.com
Are you confident that this many users need admin privileges? Are you administering hundreds of sub-domains?
On Fri, Sep 23, 2022 at 1:59 PM David Walton <david....@biola.edu> wrote:
Is there a limit to how many users can have a particular admin role? I added 1000 users to an admin role, and noticed that the Google Workspace admin console started slowing down and delivering errors, and GAM stopped assigning users at around ~1000.Is that because I added too many at once and overloaded the system, or because I hit a user cap?
--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0297619d-d46c-402b-a8c3-5f1fc4fd4fb2n%40googlegroups.com.
+-----------------------------------------------------------------+
Walter R. Moore -- Sr. Systems Administrator, Eckerd College
Walter R. Moore -- Sr. Systems Administrator, Eckerd College
"It was glorious to see -- if your heart were iron,
And you could keep from grieving at all the pain" - The Iliad (13.355)
***Reminder! ITS will never ask you to e-mail your password!***
And you could keep from grieving at all the pain" - The Iliad (13.355)
***Reminder! ITS will never ask you to e-mail your password!***
David Walton
Sep 26, 2022, 2:46:04 PM9/26/22
to google-ap...@googlegroups.com
We are hoping to allow hundreds of users to migrate My Drive data to shared drives. We created an admin role with the sole privilege of "move folders to shared drives," and have been testing it for some time. Obviously our help desk cannot perform password resets or 2SV recovery for these users, but we have workarounds for that.
Our goal is to give all employees of a certain type (~1000 users) this admin role during a concerted effort towards shared drive migration, and then remove the role.
Jay or Walter, do you see any other issues with this plan?
P.S. I know that Google encounters various errors when migrating folders to shared drives (e.g. if any of the folder contents is owned by an outside org). We've captured as many of these errors as possible and created Tier 0 support documentation to help users during the migration process.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAK6HWAsArphWMfV-iLLWtLbQWmARZ7xA4fJhAiYucbxgBWm-ug%40mail.gmail.com.
David Walton
Information Security Analyst
Ross Scroggs
Sep 26, 2022, 3:49:34 PM9/26/22
to google-ap...@googlegroups.com
David,
You could make two roles: MoveToSharedDriveAL and MoveToSharedDriveMZ; assign based on first letter of last name.
Ross
Ross
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGXmKnpdJBikrSvrXmOmYocO4j7Z8Y1R0yufZxA_fN4sMczj6Q%40mail.gmail.com.
Ross Scroggs
Ian Crew
Sep 26, 2022, 4:08:30 PM9/26/22
to GAM for G Suite
Hi David:
There are file permission issues you need to be aware of if you do this. Specifically, in the case of a folder containing items that the person who has this admin permission doesn’t have access to. So for example, if I had a folder called “Operations” with subfolders “Facilities” and “HR”. If the person you give the “move folders to shared drive” admin permission to has access to “Operations” and “Facilities” but not “HR” in MyDrive, if they move “Operations” to a Shared Drive, they (and all other members of the Shared Drive) will also get full access to “HR” in the Shared Drive, even though they couldn’t access it when it was in MyDrive. And due to the “waterfall permissions” model of Shared Drives, there’s no easy way to re-revoke access to the “HR” folder once it’s been moved.
It’s really critical that both the people being given this “move folders” permission as well as whatever policy/privacy/security folks you have, are aware of this potential issue.
Cheers,
Ian
At least for us, that’s a sensitive enough.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGXmKnpdJBikrSvrXmOmYocO4j7Z8Y1R0yufZxA_fN4sMczj6Q%40mail.gmail.com.
|
Ian Crew Solutions Architect Productivity & Collaboration Services Berkeley IT |
Ian Bevan
Sep 27, 2022, 4:52:18 AM9/27/22
to GAM for Google Workspace
David Walton
Sep 28, 2022, 11:44:36 AM9/28/22
to google-ap...@googlegroups.com
Thanks, Ian!
Yes, we're being quite vocal about how Shared Drive permissions work. Specifically, the language we're using is "Each member of a shared drive can see all the content within that shared drive." We've been working with departments to ensure that they have multiple shared drives to accommodate their various teams.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/07E24023-41D8-4CCB-8C0B-C497CF33297F%40berkeley.edu.
David Walton
Sep 28, 2022, 11:56:08 AM9/28/22
to google-ap...@googlegroups.com
Ian (Bevan).
Ah, this is helpful. Somehow I missed this. So only 500 admins can be assigned in a given OU. We have an /employees and a /faculty OU, and about 700 employees who would receive the admin role, so we'll need to come up with a solution.
Ross, that would explain why we had issues when we did this manually. It seemed to work, but the Google admin console went on the fritz every time we loaded the admin roles section with no error reporting or explanation of what was happening.
DisclaimerPlease help to protect the environment by not printing e-mails unnecessarily. The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.
--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/3f74d9c6-84e7-4f56-9ebb-324d6cdb37e9n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages