By default, Google Groups are set to private; there have been a small number of instances, however, where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings. That’s why it’s important to understand how you can tailor the privacy configurations of Google Groups to align with your organization’s policies. Details of how to do this are part of our comprehensive security best practices for G Suite, which we’ve discussed in previous blog posts.
Default protections against accidental misconfigurations
To help prevent data from being accidentally shared, by default Google Groups’ sharing settings are set to best protect privacy:
- Viewing groups: By default, no one outside your domain can view or search groups in your domain.
- Posting to groups: By default, no one outside your domain can post to your groups.
- Joining groups: By default, no one outside your domain can become a group member.
- Creating groups: By default, only those within your domain can create groups.
G Suite admins can adjust each of these default settings individually. They can review and update the sharing permissions for their domains from the Admin console, while end users can review and update Google Groups permissions in group settings. Admins can also manage groups using the Directory API, and group settings can be managed using the Groups Settings API.
Viewing groups: configuring settings at the domain level
Admins can control who can view groups at the domain level, under “access to groups.” There are two options:
- Private, the default setting, means no one outside of your domain can access your groups, and your users and domain admins do not have the ability to create public groups.
- Public on the Internet means users can create public groups, and individuals outside your domain can access content discussed in these groups.
You should carefully consider whether to change the access to groups from Private to Public on the Internet. If you give your users the ability to create public groups, you can always change the domain-level setting back to private. This will prevent anyone outside of your domain from accessing any of your groups, including any groups previously set to public by your users.
Viewing groups: configuring the default view for new groups
Even if you turn on the ability to create public groups, all new groups will be private by default and users will need to proactively change individual group settings to make them public. As an admin, you can change this default setting so that view access for new groups is limited to all members of your domain or a subset of group members.
We recommend you choose the setting that makes the most sense based on how your organization uses Google Groups. Remember, this is the default setting for new groups—group owners can still change settings at the group level (although if admins set “access to groups” to private, users won’t be able to allow anyone on the internet to view the group).
Posting to groups: configuring who can contact group members
By default, external users cannot post to groups. In some instances, however, you may want external individuals to be able to contact a group—for example, when handling incoming sales or support requests. This can be done without making the ability to view topics in a group public.
As an admin, you can allow posts from outside your domain to specific groups within the settings for that individual group (by selecting “Public” under Post). This setting applies regardless of whether group topics are set to public or private.
As an admin, you can also give group owners the ability to authorize external posts via the Admin console setting under “Member & email access.”
Joining groups: configuring group membership
By default, only users in the group’s domain can be group members. Admins, however, can add external members directly to groups, and they can also enable group owners to add external members—for example, if they need to communicate with a vendor organization. Admins can also to add external members regardless of the status of the setting.
Creating groups: configuring who can create new groups
As an admin, you can also decide who can create groups within your organization. By default, anyone in your domain can create groups.
If you allow users in your domain create public Google Groups and give anyone in your domain the ability to create groups, you’re trusting your users to manage their settings and use these groups appropriately. It’s worth carefully considering whether this configuration makes the most sense for your organization.