Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

User Groups for G Suite Organization Units and Groups

  1. Last updated
  2. Save as PDF

You can create user groups representing different organizational units in your G Suite for Business account. 

Prerequisites

Before you begin, make sure you've done the following:

  • Enable API access for G Suite. Configure Skyhigh Security Skyhigh CASB to access G Suite using APIs by following the steps in Configure Google Drive.
  • Define custom sanctioned attributes. Contact Skyhigh CASB Support to configure custom sanctioned attributes for your tenant mapping to the following attribute keys:
    • gsuite_domainname
    • For G Suite Organization Units: gsuite_orgunitpath
    • For G Suite Groups: gsuite_grouppath

NOTE: These attribute keys are automatically populated when you enable API access for G Suite. 

Create User Groups

Follow the steps in Create a DLP User Group to create user groups that represent organizational units in your G Suite enterprise account by defining user criteria with the custom attributes created by Skyhigh CASB Support.

For example, if the custom attribute GSuiteOrg is defined and maps to the key gsuite_orgunitpath, and if you have an organizational unit named "hr" in your G Suite for Business account, you can create a user group that represents all users under "hr".

Screenshot (167).png

Add User Groups to DLP Policies

To add the user groups defined previously to the DLP policies, see Include or Exclude a User Group from a DLP Policy

This will enforce policies based on the G Suite organization unit a user belongs to.

G Suite and Skyhigh Security Sync

Skyhigh CASB runs periodic sync jobs with G Suite to populate Organization Unit (OU) and Google Groups information for all users in the G Suite enterprise account. This information is used to define user groups, which can be attached to DLP policies.

Organization Units

When does the sync happen? 

  • During the first full sync job that is run to go through all users and populate OU information for every user.
  • Every 24 hours, another periodic sync job is run to scan all users and update OU information based on changes made in G Suite.

The following changes in G Suite OUs (and users) are supported:

  • Add a user to an existing OU.
  • Move a user from one OU to another OU.
  • Remove the user from an OU.
  • Delete the OU.

Groups

Unlike OUs, it is not possible to run a periodic job to sync Group information every few hours, due to the number of API calls required to expand groups (and any nested groups), due to the potentially high number of groups present in the G Suite environment of a large organization. So, the Group information is populated during the first full sync job for all users. From that time onward, various events related to Groups are monitored to remove, update, or add information to user groups data stored in Skyhigh CASB.

When does the sync happen?

  • During the first full sync job that is run to go through all users and populate groups information for every user.
  • Every time a change related to groups is performed (see list of events below).

What changes/events in G Suite groups are monitored?

  • Add a user to a group
  • Remove a user from a group
  • Rename a group

NOTE: When a new group is created, this group is synced to Skyhigh CASB's local repository only when at least one user is added to the group. In other words, empty groups are not synced.

Known Issues

The Delete Group event does not result in user groups data being updated in Skyhigh CASB. This is due to an API limitation from Google. 

Other Events

Apart from the events listed above for OUs and Groups, other generic events related to users such as Delete user from G Suite and Rename user are also monitored to regularly update the user groups data in Skyhigh CASB. 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    1. Google