Best practice for role-based emails


David Miles (Dir IT)

Apr 15, 2021, 7:43:13 AM
to GAM for Google Workspace
I know this isn't quite the right place for this, but since this is a very G-Workspace focused group I am hoping you would have some useful insight. I hope what I'm asking makes sense.

Currently, every teacher gets an individual Gmail login, but we have role-based emails as well, and when that happens, we're converting their individual address to an alias.
The rationale behind this approach is that files shared with the HS Principal should be available to the HS Principal, whoever is in that role. This also helps keep mailing lists in order - rather than hunting through for which groups Joe Bloggs is in and replacing them with Jane Doe every time, we simply have the HS Principal address in each appropriate group - nothing to update.

It is not possible to use aliases to access & share documents - which is another reason for the approach we're using as it increases security. This has improved now that we have Shared Drives, I will admit, though people are still sharing important documents from their My Drives instead of the appropriate Shared Drive.

Thing is, when I read the Google help about emails and aliases, this isn't how they do it. See this example, for instance https://support.google.com/a/answer/33327?hl=en

What I'm trying to gauge is whether our approach is the best one, or whether it would be better to keep everyone on their individual emails and have their roles as aliases. I think we'd have to get a lot better with GAM to manage the security issue in that case.

In order to understand, I think it is worth knowing that the role-based emails are only used at the upper end of the leadership structure, and people tend to come into the school specifically for such a role. 

We don't have any policies in place about this stuff, so I'm trying to write them, which is why I'm asking this. I've also got to create some new role-based addresses for current and incoming staff, so if a change is recommended, I'd like to consider it (though there's a good chance it's too late!)

Appreciative of any input you can provide, and once again I do apologise for not asking a strictly GAM-related question in this forum.
David

Gabriel Clifton

Apr 15, 2021, 8:33:02 AM
to google-ap...@googlegroups.com
We do not use aliases here, rather we use groups, even if there is only one person in the group. This makes it easier for us to assign roles and permissions since we do not have to look up everywhere our high school principal had permissions or roles assigned to them. Instead, assign person X to this group, assign that group permissions and sleep better knowing we didn't forget anything.

Gabriel Clifton | Network Administrator

Fort Stockton ISD | Technology Center

David Miles (Dir IT)

Apr 16, 2021, 3:41:57 AM
to GAM for Google Workspace
That sounds like a great solution. I'm thinking about sharing of documents, does this mean people share them with the HS Principal as opposed to Joe Bloggs - in that case? Or have you successfully stopped people sharing from My Drive so everything is in Shared and that way the rights are all correct?

Ian Bevan

Apr 16, 2021, 4:41:06 AM
to GAM for Google Workspace
We have a similar solution to Gabriel.
User>ROLE>RESOURCE
The user is a member of a ROLE GROUP
The ROLE GROUP is assigned the RESOURCE GROUP
RESOURCE GROUP could be assigned permissions to a Shared Drive, Print Account etc.

When the User is replaced the replacement user is added to the ROLE GROUP and instantly the RESOURCES are available to them. We no longer need to see what the user had access to and match it to the new user.
As Gabriel states, we have ROLE GROUPS with only a single user in but that ROLE GROUP might be assigned RESOURCE GROUPS that many others also have access to.

David Miles (Dir IT)

Apr 16, 2021, 5:37:05 AM
to google-ap...@googlegroups.com
That's really helpful. Is this by any chance taking advantage of the additional Group option I saw - not the mailing groups but the groups which come up as an option in the OU screen?

David Miles

Director of IT Integration

Director of Studies


Ian Bevan

Apr 16, 2021, 6:10:02 AM
to GAM for Google Workspace
If by that you mean when assigning items from Google, then there are situations where permissions to Apps or Services could be assigned to the RES groups.

We have a need to allow a group of senior students to be able to access delegated mail accounts for peer support.
We removed Delegation for all students, but now with the RES group we can choose who can have permissions for Delegation without the need to build a new OU and move them into that OU, then rebuild all of the other permissions that their previous OU would have had.

We're still a Hybrid environment, so all of our USER>ROLE>RES groups are managed in Active Directory, then we have a PowerShell script that runs a few times during the day that will then sync the users into the RES groups. Whilst in AD we still maintain the USER>ROLE>RES setup, in reality after PSGSuite has run, it will put the users directly into the RES group in Google leaving us with a USER>RES situation.
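
The USER>ROLE>RES model and the flattening to USER>RES described in the posts above, as an added example that is not part of the thread or anyone's production script. Group names and the example.org addresses are constructed, and the code models membership sets only (it calls no Google or Active Directory API); it shows that a handover must remove the previous holder from every RES group as well as add the new one.

```python
# Constructed sample data (not from the thread).
# ROLE group -> users holding that role.
ROLE_MEMBERS = {
    "role-hs-principal": {"joe.bloggs@example.org"},
    "role-hs-teachers": {"ann@example.org", "bob@example.org"},
}
# RES group -> ROLE groups granted that resource.
RES_ROLES = {
    "res-hs-leadership-drive": {"role-hs-principal"},
    "res-hs-staff-drive": {"role-hs-principal", "role-hs-teachers"},
}


def flatten(role_members, res_roles):
    """Resolve USER>ROLE>RES into the direct USER>RES membership a sync would write."""
    effective = {}
    for res, roles in res_roles.items():
        users = set()
        for role in roles:
            users |= role_members.get(role, set())
        effective[res] = users
    return effective


def sync_plan(current, desired):
    """Per RES group, return (to_add, to_remove) so stale members are dropped too."""
    plan = {}
    for res in sorted(set(current) | set(desired)):
        have, want = current.get(res, set()), desired.get(res, set())
        add, remove = want - have, have - want
        if add or remove:
            plan[res] = (sorted(add), sorted(remove))
    return plan


def handover(role_members, role, leaver, joiner):
    """Swap the holder of a ROLE group without mutating the input mapping."""
    updated = {r: set(m) for r, m in role_members.items()}
    updated[role].discard(leaver)
    updated[role].add(joiner)
    return updated


if __name__ == "__main__":
    before = flatten(ROLE_MEMBERS, RES_ROLES)
    changed = handover(ROLE_MEMBERS, "role-hs-principal",
                       "joe.bloggs@example.org", "jane.doe@example.org")
    for res, (add, remove) in sync_plan(before, flatten(changed, RES_ROLES)).items():
        print(res, "add:", add, "remove:", remove)
```

Because membership is recomputed from all roles, a user who loses one role but still holds another that grants the same RES group is not removed from it.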

David Miles

Apr 23, 2021, 6:25:59 AM
to GAM for Google Workspace
Thank you both for your input. I'm experimenting here with this approach, with the goal of changing current behaviours only where necessary. I've got lots of the configuration sorted out but there's (currently) one annoyance I can't resolve.
I'm trying to implement ROLE groups for both communications & rights management. I've got things organised so I can send from Gmail as the ROLE, but that message only appears in the Group inbox if someone replies to it.
Am I missing something? 