Can I use Google Workspace Groups to control access to accounts?

Yes. Designate a Directory Admin for your domain; that person can authorize read-only access to your domain's Google Workspace Groups and Group members.

Then you can designate a Group as the account owner. For example, the cameras for Camio's own San Mateo office are associated with the group sanmateo@camio.com, and all members of that Group are considered Guests with Can View permission.

Group members with the roles of Manager or Owner (instead of just Member) have Can Manage permission.

Prerequisites

Camio looks up Group membership using the Google Workspace Admin API, so the only prerequisite is that your G Suite Domain Administrator has enabled that API.

  1. Enable the Google Workspace Admin API, if not already enabled
    (see https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites.html#set_up_api)

Authorize read-only access to Groups

To enable Camio to read your domain's Groups:

  1. Contact us to assign your Domain Admin, then open the page:
    https://camio.com/domains

  2. Press Find after entering your domain and then assign the Directory Admin, who is the person with permission to grant read-only access to your domain's Groups and Group membership.
  3. Ask the newly designated Directory Admin to:
    1. Sign in with Google, where the email address associated with the Directory Admin's Google account matches the email entered as your domain's Directory Admin.
    2. Press the Authorize button shown on that same https://camio.com/domains page. The Authorize button opens this link to grant read-only access to Groups:
      https://camio.com/google/oauth2
  4. Verify that you can now see your G Suite Group memberships as JSON output at:
    https://camio.com/api/users/me/groups

  5. Register each Box to its Group account owner.

When the account is a Group from your Directory, the /guests page no longer offers the ability to add or remove Guests. Instead, the Can View and Can Manage permissions are controlled by whether the user's Group membership role is MEMBER or MANAGER/OWNER, respectively.
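
To review who will receive Can View or Can Manage before a Group becomes an account owner, the role mapping above can be applied to a roster in the shape of a Directory API members.list response. This is an added example, not Camio's code; the roster, the example.com domain and the audit_group function are constructed for illustration.

```python
import json

# Role-to-permission mapping exactly as this page states it.
ROLE_TO_PERMISSION = {"MEMBER": "Can View", "MANAGER": "Can Manage", "OWNER": "Can Manage"}

# Constructed roster in the shape of a Directory API members.list response.
SAMPLE_MEMBERS_JSON = """
{"kind": "admin#directory#members", "members": [
  {"email": "alice@example.com", "role": "OWNER", "type": "USER", "status": "ACTIVE"},
  {"email": "bob@example.com", "role": "MEMBER", "type": "USER", "status": "ACTIVE"},
  {"email": "carol@example.com", "role": "MANAGER", "type": "USER", "status": "ACTIVE"},
  {"email": "dave@contractor.example", "role": "MEMBER", "type": "USER", "status": "ACTIVE"},
  {"email": "erin@example.com", "role": "MEMBER", "type": "USER", "status": "SUSPENDED"},
  {"email": "floor-staff@example.com", "role": "MEMBER", "type": "GROUP", "status": "ACTIVE"}
]}
"""

def audit_group(members_json, domain):
    """Return (grants, findings) for one Group's roster.

    grants maps each user email to the permission its role implies;
    findings lists (email, reason) pairs worth a manual review.
    """
    grants, findings = {}, []
    suffix = "@" + domain.lower()
    for member in json.loads(members_json).get("members", []):
        email = member.get("email", "").lower()
        role = member.get("role", "")
        if member.get("type") != "USER":
            # The page does not say how nested groups are treated, so flag them
            # for review instead of guessing at the resulting permission.
            findings.append((email, "not a user entry; review separately"))
            continue
        permission = ROLE_TO_PERMISSION.get(role)
        if permission is None:
            findings.append((email, f"unrecognized role {role!r}"))
            continue
        grants[email] = permission
        if not email.endswith(suffix):
            findings.append((email, f"outside {domain} but gets {permission}"))
        if member.get("status") == "SUSPENDED":
            findings.append((email, f"suspended but still listed with {permission}"))
    return grants, findings

if __name__ == "__main__":
    grants, findings = audit_group(SAMPLE_MEMBERS_JSON, "example.com")
    for email, permission in sorted(grants.items()):
        print(f"{permission:10}  {email}")
    for email, reason in findings:
        print(f"REVIEW  {email}: {reason}")
```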

NOTE: The read-only permission granted by your Directory Admin is used to look up Group memberships to determine whether a person has access to view recorded video. So if the Directory Admin user ever changes, it's important that the new Directory Admin re-authorize the read-only access to Groups in step 3 above.

NOTE: To reduce high-frequency calls to the Google Workspace Directory API for things like websocket notifications of new Events for Event Streaming, the list of members of a Group is cached for 20 minutes. So when you change the members of a Google Group, you can either force an immediate sync on the /guests page or ask the end user to sync using the refresh button next to "Accounts" on the Search Panel.

 
