Google Workspace Organizational Units (OUs) according to Parks and Rec

Hannah Young
January 27, 2023
5 min read

What are Google Workspace Organizational Units, and how do they work?

A Google Workspace Organizational Unit (OU) is a grouping of users a super administrator creates in the Google Admin console with a distinct set of access settings and permissions. Administrators can set up different organizational units and add users based on their job roles and the apps they need access to. Google OUs are a way of managing administrative information and tasks within Google tools and are used to create departments, teams, projects, and other organizations with a common purpose.

Ben Wyatt from the show Parks and Recreation pointing to a City of Pawnee Organizational Chart with the hierarchy displayed for the city government in a flow chart style. Parks and Recreation department is on the bottom and it includes other departments such as Sewage, Education, Library, Mayor’s Office, and more
Still from NBC sitcom Parks and Recreation

Those unfamiliar with Google OUs may have seen other organizational/hierarchical charts like the hard copy governmental organizational chart above. The primary benefit of using Google OUs is that, in addition to showing the layout of an organization as a traditional chart does, OUs also allow an administrator to efficiently assign specific access rights and privileges to users who belong to those org units.

Take, for instance, the chart above. The Education department/org unit may need access to Google Classroom, while the Parks and Recreation department/org unit does not. In a private company example, employees in a “Marketing — Digital” org unit could be granted access to Google Ads Manager on a company device, while members of the “Finance — Accounting” org unit could be restricted from sharing sensitive Google Drive files. This helps ensure that each OU has appropriate access levels without compromising overall security across the organization. Additionally, administrators can use org units to manage shared resources among teams; for example, by allocating shared cloud storage space among different departments.

What’s the difference between Google Organizational Units vs. Google Groups?

Chart showing an Organization and six different departments/organizational units (Marketing, HR, Sales, IT, Finance, and Test). It shows the group of people/users in each organizational unit (e.g. Finance) and says that each user can only be in one organizational unit. There’s a circle around one person from the IT organizational unit and one person from the Finance organizational unit titled Purchase Group to show that people from different organizational units can be a part of the same group.
Image by SysCloud

The most significant difference between Google OUs and Groups is that an Organizational Unit is tied to your organization’s structure and a Google (access) Group allows you to provision different access to users without adjusting your organizational hierarchy. Thus, while a user can only belong to a single OU, they can belong to multiple access groups. For example, while the four users shown below are a part of four respective Google OUs, they’re all able to be a part of the “Pawnee City Government” access group. We at Crosswire recommend using OUs for your broader organizational structure and access groups to administer more particular policies.

screenshot of a Google Group titled Pawnee City Government with users Tammy Swanson II, Leslie Knope, Joe Farmingham, and Marlene Griggs-Knope

How to create a new Google OU

To create a new OU in Google Workspace, you must log into your Google Admin console at admin.google.com. Once logged in, click on the dropdown for the Directory tab, which can be found on the left-hand side of the page. Then, navigate to Organizational units and click on the blue Create organizational unit link in the top right. You will then be prompted to enter a name and description for your new OU. After you have entered this information, click the Create button, and you’ve created your new OU!

Different policies that can be enforced with Organizational Units

Context-Aware Access:

Context-Aware Access controls what apps users can access based on context, such as whether they’re using a company device or where they are. This allows you to create granular security policies based on attributes such as device security, identity, and IP address. To deploy Context-Aware Access, go to Security > Access and data control > Context-Aware Access and click Turn On. You can use Context-Aware Access for various enforcement tactics like IP address enforcement, device policy enforcement, and managed Chrome browser enforcement. For even more tips on Context-Aware Access, check out Google’s guide here.

💡 Note: When deploying Context-Aware Access, ensure you don’t deprovision users’ access to communication tools like Gmail or Google Chat so that they can communicate with you (and vice versa) no matter their context.

Service control (turn a service on or off for certain users):

The most straightforward way to turn a service on or off for a group of users is to control it by organizational unit. For example, you may need Google Earth turned on for the Education, Library, and Parks and Rec departments but not the Sewage department (or need Google Pay turned on for your Marketing team but not the rest of your company). You can find specific instructions for each app’s service control here, but in general, Apps > Additional Google services houses most Google Workspace apps. Here you can click on the app you wish to adjust permissions for and then click the Service Status to turn access on or off for each organizational unit (as shown below).

Screenshot showing the Settings for Google Earth under Service Status. The Service Status is turned on for users in Education
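To see which users actually end up with a service turned on, it helps to model how a per-OU Service Status resolves through the OU hierarchy. The sketch below is an added example, not Crosswire's or Google's code: it goes slightly beyond the flat department list above by assuming child OUs inherit their parent's setting unless they carry their own override, and the child OUs ("Interns", "Reference"), email addresses, and settings are constructed sample data.

```python
# Added example: simplified model of per-OU Service Status with inheritance.
# OU paths, user addresses and settings are constructed sample data.

# Explicit Service Status overrides set by an admin, keyed by OU path.
# An OU with no entry inherits from its nearest ancestor.
EARTH_OVERRIDES = {
    "/": False,                       # root: off for everyone by default
    "/Education": True,
    "/Library": True,
    "/Parks and Rec": True,
    "/Parks and Rec/Interns": False,  # child OU overrides its ON parent
}

# Each user belongs to exactly one OU, so one path per user is enough.
USERS = {
    "leslie@pawnee.example": "/Parks and Rec",
    "marlene@pawnee.example": "/Parks and Rec/Interns",
    "joe@pawnee.example": "/Sewage",
    "tammy@pawnee.example": "/Library/Reference",
}

def ancestors(ou_path):
    """Yield ou_path, then each parent OU, ending at the root '/'."""
    path = ou_path.rstrip("/") or "/"
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def effective_status(ou_path, overrides):
    """The nearest explicit setting on the way up to the root wins."""
    for path in ancestors(ou_path):
        if path in overrides:
            return overrides[path]
    return False  # assumption: no setting anywhere means the service is off

def users_with_service(users, overrides):
    """Return the sorted list of users for whom the service is effectively ON."""
    return sorted(u for u, ou in users.items() if effective_status(ou, overrides))

if __name__ == "__main__":
    for user, ou in USERS.items():
        state = "ON" if effective_status(ou, EARTH_OVERRIDES) else "OFF"
        print(f"{user:26} {ou:26} Google Earth: {state}")
```

Running the same resolution over an exported user list is a quick way to review that a service is only on for the departments that need it.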

Tips to remember for using Google Workspace Org Units effectively

  • Create and leverage hierarchy structure appropriately (check out this Tech Funnel blog for more information on how to do this in general)
  • Keep in mind that a user can only be in one OU at a time, so you’ll need to think in terms of hierarchies very early on in order to set things up correctly
  • Google Groups are more flexible and easier for administering policies, so usually, you only want to use OUs as a tool for broad strokes organization
  • Be aware that Google Group maintenance gets unwieldy very quickly, and you’ll want to be clear on who’s responsible for the groups

For further guidance on securing your organization, reach out to us! You can stay up to date with / join Crosswire below.
