Creating security groups

This page explains how to create security groups. You can create a new security group or update a Google group to a security group.

Before you begin

Perform the following tasks before proceeding with the information on this page:

Read the Groups API overview.
Set up the Groups API.

Security group requirements

Security groups can only contain the following:

Users inside or outside of your domain (while associated with a Google service)
Service accounts inside or outside of your domain
Security groups inside of your domain

You can't apply the security group label to a Google Group that doesn't meet these conditions.

Only predefined Super Admins or Groups Admins have the permissions to update security groups.

Creating a new security group

REST

To create a security group, call groups.create() with an instance of the new group. The group instance must include a groupKey, Parent, and labels set to cloudidentity.googleapis.com/groups.security and cloudidentity.googleapis.com/groups.discussion_forum

Python

The following example shows a helper function to create a Google Group using the Python client library:

def create_google_group(service, customer_id, group_id, group_display_name, group_description):
  group_key = {"id": group_id}
  group = {
    "parent": "customers/" + customer_id,
    "description": group_description,
    "displayName": group_display_name,
    "groupKey": group_key,
    # Set the label to specify creation of a Google Group.
    "labels": {
      "cloudidentity.googleapis.com/groups.security": "",
      "cloudidentity.googleapis.com/groups.discussion_forum": ""
    }
  }

  try:
    request = service.groups().create(body=group)
    request.uri += "&initialGroupConfig=WITH_INITIAL_OWNER"
    response = request.execute()
    print(response)
  except Exception as e:
    print(e)

Updating a Google Group to a security group

REST

To update a Google Group to a security group, call groups.patch() with updateMask set to cloudidentity.googleapis.com/groups.security and cloudidentity.googleapis.com/groups.discussion_forum.

Sample request body

{
  "labels": {
    "cloudidentity.googleapis.com/groups.security": "",
    "cloudidentity.googleapis.com/groups.discussion_forum": ""
  }
}

Python

The following example shows a helper function to update a Google Group to a security group using the Python client library:

def add_security_label_to_group(service, group_name):
  group = {
    "labels": {
      "cloudidentity.googleapis.com/groups.security": "",
      "cloudidentity.googleapis.com/groups.discussion_forum": ""
    }
  }
  try:
    request = service.groups().patch(name=group_name, body=group)
    request.uri = request.uri + '&updateMask=labels'
    response = request.execute()
    print(response)
  except Exception as e:
    print(e)