You can create user groups representing different organizational units in your G Suite for Business account.
Before you begin, make sure you've done the following:
- Enable API access for G Suite. Configure McAfee Enterprise MVISION Cloud to access G Suite using APIs by following the steps in Configure Google Drive.
- Define custom sanctioned attributes. Contact MVISION Cloud Support to configure custom sanctioned attributes for your tenant mapping to the following attribute keys:
- For G Suite Organization Units: gsuite_orgunitpath
- For G Suite Groups: gsuite_grouppath
NOTE: These attribute keys are automatically populated when you enable API access for G Suite.
Create User Groups
Follow the steps in Create a DLP User Group to create user groups that represent organizational units in your G Suite enterprise account by defining user criteria with the custom attributes created by MVISION Cloud Support.
For example, if the custom attribute GSuiteOrg is defined and maps to the key gsuite_orgunitpath, and if you have an organizational unit named "hr" in your G Suite for Business account, you can create a user group that represents all users under "hr".
Add User Groups to DLP Policies
To add the user groups defined previously to the DLP policies, see Include or Exclude a User Group from a DLP Policy.
This will enforce policies based on the G Suite organization unit a user belongs to.
G Suite and McAfee Sync
MVISION Cloud runs periodic sync jobs with G Suite to populate Organization Unit (OU) and Google Groups information for all users in the G Suite enterprise account. This information is used to define user groups, which can be attached to DLP policies.
When does the sync happen?
- During the first full sync job that is run to go through all users and populate OU information for every user.
- Every 24 hours, another periodic sync job is run to scan all users and update OU information based on changes made in G Suite.
The following changes in G Suite OUs (and users) are supported:
- Add a user to an existing OU.
- Move a user from one OU to another OU.
- Remove the user from an OU.
- Delete the OU.
Unlike OUs, it is not possible to run a periodic job to sync Group information every few hours, due to the number of API calls required to expand groups (and any nested groups), due to the potentially high number of groups present in the G Suite environment of a large organization. So, the Group information is populated during the first full sync job for all users. From that time onward, various events related to Groups are monitored to remove, update, or add information to user groups data stored in MVISION Cloud.
When does the sync happen?
- During the first full sync job that is run to go through all users and populate groups information for every user.
- Every time a change related to groups is performed (see list of events below).
What changes/events in G Suite groups are monitored?
- Add a user to a group
- Remove a user from a group
- Rename a group
NOTE: When a new group is created, this group is synced to MVISION Cloud's local repository only when at least one user is added to the group. In other words, empty groups are not synced.
The Delete Group event does not result in user groups data being updated in MVISION Cloud. This is due to an API limitation from Google.
Apart from the events listed above for OUs and Groups, other generic events related to users such as Delete user from G Suite and Rename user are also monitored to regularly update the user groups data in MVISION Cloud.