Is it possible to audit Google Groups mails?
I would like to know when the last time someone wrote to a Google group was.
Email Log Search is nice, but I can't find this in any Google API. Or something like Account Activity for Google Groups.
Regards
If you're referring to tracking changes to groups, group memberships and group messages within your domain, and troubleshooting when users within your domain notice discrepancies and unexpected changes to their groups' activities, please check the Groups audit log.
Please note, however, that the Groups audit log is only for the Google Groups interface, and it logs both user and admin actions executed using the interface. As stated further in the Groups audit log documentation, Google Groups actions performed by administrators using the Admin console or the Admin SDK Directory API are logged in the Admin console general logs.
In the Google Workspace Admin console, we can configure SSO for applications and assign user groups to the application.
The group assignment can be checked in the following way:
https://support.google.com/a/answer/9050643?hl=en#step5&zippy=%2Csee-the-services-and-organizational-units-for-access-groups%2Cstep-check-service-access
Is there any API to retrieve this group assignment information?
I don't see any in the Google Workspace Admin API.
Answer:
There's currently no API in Admin SDK that will retrieve this information.
Feature request:
If you're interested in this feature, I'd suggest requesting it on Issue Tracker using this template.
How to pull the list of IAM users from Google Cloud along with their last activity?
Tried "gcloud projects get-iam-policy"
but it gives only the list of IAM users/members, not their last activity.
OK, if it's for a company, you have this information in the Google Cloud Identity platform. You can log in here: https://admin.google.com
Go to users and boom
Of course, you can request these values by API with the Admin SDK.
It works only for managed accounts. If you have an unmanaged account (in gmail.com or from another company), you don't have access to this information.
EDIT 1
To track the service account activity, you can rely on the documentation. Cloud Monitoring allows you to do that. If you need to export the data to BigQuery for analytics, for example, let me know; I could help with that.
To know the privileges that the users have, you can rely on the Asset Inventory, and especially on the IAM search policy feature.
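The answer above splits principals by where their activity can be looked up. As an added example (not part of the original answer), this sketch flattens the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and tags each member accordingly. The sample policy, the `example.com` managed domain and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:alice@example.com"]},
  {"role": "roles/viewer", "members": ["user:alice@example.com",
                                       "user:bob@gmail.com",
                                       "group:devs@example.com"]},
  {"role": "roles/storage.admin",
   "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]}
 ], "version": 1}
""")

# Where the answer says last-activity data lives, per kind of principal.
ACTIVITY_SOURCE = {
    "managed_user": "admin.google.com Users list / Admin SDK",
    "unmanaged_user": "not available to you",
    "service_account": "Cloud Monitoring",
}


def classify(member, managed_domains):
    """Map an IAM member string such as 'user:a@b.c' to a principal kind."""
    kind, _, ident = member.partition(":")
    if kind == "serviceAccount":
        return "service_account"
    if kind == "group":
        return "group"
    if kind == "user":
        domain = ident.rpartition("@")[2].lower()
        return "managed_user" if domain in managed_domains else "unmanaged_user"
    return "other"  # e.g. domain:, deleted:, allUsers


def audit_plan(policy, managed_domains):
    """Return one row per member: kind, merged roles, and where to look for activity."""
    roles = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles[member].add(binding["role"])
    return [
        {"member": m,
         "kind": (k := classify(m, managed_domains)),
         "roles": sorted(roles[m]),
         "activity_source": ACTIVITY_SOURCE.get(k, "n/a")}
        for m in sorted(roles)
    ]


if __name__ == "__main__":
    for row in audit_plan(SAMPLE_POLICY, {"example.com"}):
        print(row)
```
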
I'm creating a group for the organization from IAM & Admin. There is a "Group email address" input box, but I don't know what kind of email address they are asking for. Should I put a group email address that is already being used? Or is this for the new email address that GCP will create? If so, when and how can I use this new email address?
Let me summarize our discussion in the comment section. Let's start with IAM Overview, where in the section Google group you can see:
A Google group is a named collection of Google Accounts and service accounts. Every Google group has a unique email address that's associated with the group. You can find the email address that's associated with a Google group by clicking About on the homepage of any Google group. For more information about Google Groups, see the Google Groups homepage.
Google Groups are a convenient way to apply an access policy to a collection of users. You can grant and change access controls for a whole group at once instead of granting or changing access controls one at a time for individual users or service accounts. You can also easily add members to and remove members from a Google group instead of updating an IAM policy to add or remove users.
You can find more information on the documentation page Managing groups in the Cloud Console, for example instructions on how to create, edit or delete a group.
The group email address is a unique identifier in the form of an email address; you can see a similar concept for a service account, such as sa-name#project-id.iam.gserviceaccount.com.
I am trying to set up access control using Google Groups instead, since our team is getting larger. I have created a group in Google group admin and given that group access to our GCP project, but the members of the group don't see the GCP project in the list of available groups.
Am I missing something?
According to the doc: https://cloud.google.com/iam/docs/overview it should be possible to do exactly what I am doing.
Reference:
https://cloud.google.com/iam/docs/overview
We can create a group in a Google account through the administrator account.
I have successfully added a User to a Group using the WSO2 SCIM APIs. Now I have to remove the User from the Group, and I was not able to find any APIs that support this. Can it be done, and if so, what is the best way?
You should be able to GET the group and update (PUT) it with that specific user removed.
When you GET the role, it should have all members. Then remove the user you want to remove, and send a PUT request to that group.
Please refer to the Delete User section of the SCIM APIs documentation.
Similarly, you can manage groups by performing CRUD operations on the Group resource endpoint.
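The GET, edit, PUT sequence suggested in the answers above, as an added example that is not part of the original posts. The group payload, the `scim.example.invalid` base URL and the function names are constructed for illustration; the code builds the PUT request without sending it.

```python
import copy
import json

# Constructed sample of a SCIM Group resource as a GET might return it.
SAMPLE_GROUP = {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "g-1001",
    "displayName": "engineering",
    "members": [
        {"value": "u-1", "display": "alice"},
        {"value": "u-2", "display": "bob"},
        {"value": "u-3", "display": "carol"},
    ],
    "meta": {"location": "https://scim.example.invalid/Groups/g-1001"},
}


def remove_member(group, user_id):
    """Return a copy of the group without user_id, or None if not a member.

    Members are matched on 'value' (the user's SCIM id), not on 'display',
    because display names are not guaranteed to be unique.
    """
    members = group.get("members", [])
    remaining = [m for m in members if m.get("value") != user_id]
    if len(remaining) == len(members):
        return None  # nothing to change, so no PUT should be sent
    updated = copy.deepcopy(group)
    updated["members"] = remaining
    updated.pop("meta", None)  # meta is maintained by the server
    return updated


def build_put_request(base_url, group, user_id):
    """Describe the PUT that replaces the group with the member removed."""
    updated = remove_member(group, user_id)
    if updated is None:
        return None
    return {
        "method": "PUT",
        "url": f"{base_url}/Groups/{group['id']}",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(updated, sort_keys=True),
    }


if __name__ == "__main__":
    print(build_put_request("https://scim.example.invalid", SAMPLE_GROUP, "u-2"))
```

Because PUT replaces the whole resource, the body must carry every member that should remain; a stale GET can silently drop members added in between.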