Within Identity & Access Management (IAM), Google Workspace admins need to define access permissions not only for individuals within the organisation but also for external ones. For smooth collaboration, it is often necessary to provide external individuals such as freelancers, consultants, or partners with their own accounts within the organisation.
However, in most cases, they should not have full access to internal information. In this blog post, we will introduce you to ways in which you can grant or restrict access for external individuals in the Google Workspace Admin Console. Additionally, we will share best practices for implementation.
Generally, there are two ways to go about this:
- Add external users to your own domain.
- Create a separate domain for external users.
Each approach has advantages and disadvantages.
#1. Adding external people to your own domain
Pros:
- Reduced administrative effort as you can manage all settings through a single admin console.
- Simpler resource booking.
Cons:
- There is no clear separation between internal and external users.
- Initial sharing changes may be required if files have been shared organisation-wide but should not be shared with external users.
- Calendar information can only be hidden from external users through a workaround (see point 4 in Best Practices below).
Best Practices:
1. Assign an email suffix like klaus.mustermann.external@domain.com or klaus.mustermann@ext.domain.com.
2. Create a separate organisational unit specifically for external users and move the relevant users there.
3. Shared Drive:
   - Create target audiences (e.g., Internal and External).
   - Enable access checks for target audiences to avoid overly generous sharing (under Apps > Google Workspace > Drive and Docs > Sharing settings).
4. Customise calendar shares to prevent external users from accessing internal employees' calendars. To do this:
   a. Users must restrict their own calendars (no longer share with the entire organisation).
   b. The calendar should be shared with a group that contains the internal users.
   (Both a and b can be found in Calendar Settings > Access Permissions.)
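The following is an added example, not part of the original post: a consistency check that the naming convention, the external organisational unit, and the internal calendar group agree with each other. The OU path `/External`, the group membership and all accounts are constructed assumptions; the records only borrow the `primaryEmail` and `orgUnitPath` field names from Admin SDK Directory API user resources.

```python
import re

# Assumptions (not from the original post): the OU path, the group membership and
# the sample accounts are constructed; only the two naming patterns come from the post.
EXTERNAL_OU = "/External"
EXTERNAL_NAME = re.compile(r"(\.external@[^@]+|@ext\.[^@]+)$", re.IGNORECASE)

def is_external_name(email):
    """True if the address follows one of the two suffix conventions."""
    return bool(EXTERNAL_NAME.search(email))

def in_external_ou(path):
    """True for the external OU itself or any child OU beneath it."""
    return path == EXTERNAL_OU or path.startswith(EXTERNAL_OU + "/")

def audit(users, internal_group_members):
    """Return sorted (email, finding) pairs where the three controls disagree."""
    members = {m.lower() for m in internal_group_members}
    findings = []
    for u in users:
        email, ou = u["primaryEmail"].lower(), u["orgUnitPath"]
        named, placed = is_external_name(email), in_external_ou(ou)
        if named and not placed:
            findings.append((email, "external suffix but outside external OU"))
        if placed and not named:
            findings.append((email, "in external OU but no external suffix"))
        if (named or placed) and email in members:
            findings.append((email, "external account in internal calendar group"))
    return sorted(findings)

# Constructed sample data, shaped like Directory API user records.
USERS = [
    {"primaryEmail": "anna.schmidt@domain.com", "orgUnitPath": "/Staff"},
    {"primaryEmail": "klaus.mustermann.external@domain.com", "orgUnitPath": "/External"},
    {"primaryEmail": "jo.lee@ext.domain.com", "orgUnitPath": "/Staff/Marketing"},
    {"primaryEmail": "sam.roe@domain.com", "orgUnitPath": "/External/Agencies"},
    {"primaryEmail": "pat.kim.external@domain.com", "orgUnitPath": "/External"},
]
INTERNAL_GROUP = ["anna.schmidt@domain.com", "pat.kim.external@domain.com"]

if __name__ == "__main__":
    for email, finding in audit(USERS, INTERNAL_GROUP):
        print(f"{email}: {finding}")
```

Any finding means an external account either escapes the settings applied to the external OU or can see calendars shared with the internal group.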
#2. Adding external users to a separate domain
Pros:
- Internal and external users are visibly and completely separated.
- You don't need to change sharing policies for organisation-wide data.
- Calendars of internal staff are not visible to external users by default.
Cons:
- It increases administrative overhead because there are two different admin consoles.
- Shared resource booking is more complex.
Best Practices:
- If you want to share calendars, you have to do it manually via the share menu.
- Assign an email suffix to external users, such as klaus.mustermann@ext.domain.com.
- If you do not want to open up external document sharing completely, it is best to add the primary domain as an allowlisted domain.
Conclusion
Ultimately, every organisation must determine its preferred sharing settings. While including external individuals in your own organisation might reduce administrative tasks, opting for a separate domain can offer advantages, especially if you have stringent security requirements.
Do you have questions or concerns about Permissions?
As an experienced Google Cloud Premier Partner and MSP, we're here to answer all your queries with expert advice, and support you in implementing and optimising Google Workspace efficiently. Our customers also enjoy complimentary admin support. Feel free to contact us!