can external users act as google workspace group owners? - google-workspace

I have a group in my google workspace that has mostly external users.
The groups control panel allows me to make some of these external users owners of the group.
However, I cannot figure out how a given external user, with ownership permissions, actually administers the group.
If the external user / owner visits https://groups.google.com/a/the-domain-name/g/the-group-name/ they just get a "content unavailable" message.
Also, the google workspace group for which they are an owner does not show up in the "my groups" list at groups.google.com.
Does anyone know if having external users do google workspace group administration is actually possible?
Thanks.

I had the same issue and fixed it by changing the Sharing settings on our Google Workspace account.
In the Admin Console go to:
"Apps"
"Google Workspace"
"Groups for Business"
"Sharing settings"
And then choose "Public on the internet" under the section
"Accessing groups from outside this organization".
Also make sure to enable "Group owners can allow external members".
See an example of how I set up our sharing settings here
Hope it works for you!

It is possible. I did a test with my own Google Workspace and made my gmail.com account an owner of the group. The group appears in the list at groups.google.com and the external account has the same access as the GW user to manage all the group settings.

Related

Google Groups do not show up in "All Groups" for new Google Groups UI

As we have been a long time Google Workspace user (Google Apps for Work > G Suite), some groups have been created before the new Groups UI update.
As such, we realise some of our old Groups email do not appear under "All Groups", which were found within admin.google.com.
groups.google.com/all-groups
Based on Google Support's help link, the answer wasn't exactly clear.
https://support.google.com/a/answer/167429?hl=en
https://support.google.com/a/users/answer/167427?visit_id=637728860005296389-3531870159&rd=1
We weren't able to find out how to save the right Group settings.
Maybe it took some time to take effect, but we changed the setting for "Who can see group" to "Organization members" and the group appeared in "All Groups".

Azure DevOps group rule to add everyone as readers

I would like to allow all members of the organization in Azure DevOps to view all projects (become Readers).
I tried to set up a group rule on the organization settings page.
Group: "Project Collection Valid Users"
Access level: Stakeholder
Projects: Selected them all, and picked Readers for each one.
After that I clicked on Add.
Now, when I try to view the rule I just made with "Manage rule", the project settings have been cleared.
If I select the projects again, and pick Readers, then save, the same thing happens.
Why do the settings disappear?
Also, if I do "Re-evaluate Rules", it runs for a bit. But none of the existing users regardless of their Access level have gotten Reader access to any project.
However, using "Manage user" -> Group rules, the group rule is listed.
So the group rule is applied but the project settings are not working for some reason? How do I fix this?
I chose a different group from AD instead of "Project Collection Valid Users" and now it seems to work as expected.
Using "Project Collection Valid Users" in this context seems to bring some bugs or unexpected behaviour.

Azure DevOps Shared Query permission not inheriting from Project Administrator Group

I am in the project administrator group, since we have a requirement to set the shared query to read-only to Contributors, I toggled the permission for Contributors to Deny except for "Read"
When I try to create new shared query, it says:
TF401256: You do not have Write permission for query Shared Queries.
I clicked on the three dots and bring up the "Permission for Shared Queries" menu, searched my name and a few other people in the Project Administrator Group or Project Collection Administrator Group, it shows all "Deny" permission except for the "Read" for all of us.
When I hover over, it says our permission is being inherited through the {project}\Contributors, but we are in the Administrator group.
Why is that and How can I fix it? I cannot even overwrite the permission. It is stuck at being inherited from the Contributor group.
enter image description here
It seems you are in a different group(project administrator group and Contributors), check this doc:
In the Azure DevOps, for most groups and almost all permissions, Deny overrides Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user is not able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
This is why you get the error message. You could open project settings->Permissions->Search the permission group {project}\Contributors->click the tab Members and remove your account. Then you could create new shared query
Update1
Steps:
Open project settings->Teams->select the team->click the tab Settings->add Administrator, then we could move our account.
link to MS forum for this issue (or similar posted by other people):
https://developercommunity2.visualstudio.com/t/Project-administrator-cannot-save-shared/1339863
It just doesn't sound right to me that in order to have admin permission you cannot be in any team. That maybe workable for a test account but for an organization this workaround or restriction could mess things up a lot.

How to add an Owner to Registered Application in Azure AD

We have a "Registered Application" in our Azure Active Directory, however, the old owner has been deleted from our account (he left the company).
Unfortunately, we can't restore the user, and no one in the company can manage the application because it doesn't have an owner anymore.
Although we can see the application in "Enterprise Applications", we can't see it in "App Registrations", and we can't add new keys, etc.
Is there a way, through Powershell, or any other interface, to add a new owner to this application so that we can use it again?
After a discussion in the comments, we discovered the app is actually a multi-tenant app registered in another directory.
That's why it only showed up under Enterprise applications.
When you enable a multi-tenant application in a directory,
a Service Principal (Enterprise application) is created in there.
The Application (where owners are registered) remains in the original directory where it was registered.
If you are a Global Admin, you can see the app.
You need to make sure you select All apps on the App registrations tab.
As an alternative, you can add an owner by using Azure AD PowerShell cmdlets: https://www.powershellgallery.com/packages/AzureAD/2.0.1.3
Connect-AzureAD
Add-AzureADApplicationOwner -ObjectId 3ddd22e7-a150-4bb3-b100-e410dea1cb84 -RefObjectId c13dd34a-492b-4561-b171-40fcce2916c5
ObjectId should be the object id of the application, you can get it by listing the applications with Get-AzureADApplication.
The second parameter, RefObjectId should be the object id of the user you want to add.
You should be able to get that from the portal, or with Get-AzureADUser.
Since you are a Global Admin you can go through the portal to assign a new owner to the application.
Here are steps to do so via this documentation https://aka.ms/Lcdcm6
Open the Azure Active Directory Extension by clicking All services at the top of the main left hand navigation menu.
Type in “Azure Active Directory” in the filter search box and select the Azure Active Directory item.
Click Enterprise Applications from the Azure Active Directory left hand navigation menu.
Click All Applications to view a list of all your applications.
-If you do not see the application you want show up here, use the Filter control at the top of the All Applications List and set the Show option to All Applications.
Select the application you want to assign a user to from the list.
Once the application loads, click Users and Groups from the application’s left hand navigation menu.
Click the Add button on top of the Users and Groups list to open the Add Assignment pane.
Click the Users and Groups selector from the Add Assignment pane.
Type in the full name or email address of the user you are interested in assigning into the Search by name or email address search box.
Hover over the user in the list to reveal a checkbox. Click the checkbox next to the user’s profile photo or logo to add your user to the Selected list.
Hope this helps.

GitHub: how do I make a user an admin of an organization?

I need to transfer a repository from a user account to an organization the user is a member of. Per GitHUb's docs, I need to make the user account an admin of the organization first.
GitHub's docs describe the different levels of access to an organization, but I can't find out how to actually change a user's level of access to an organisation.
How can I make the organization member an admin?
Access levels in GitHub are configured per Team inside the Organization.
Log into GitHub.
Switch your account context to the organization using the dropdown near the top-left of the screen:
Click on "View organization":
Click the Teams tab in the top navigation bar:
Decide whether you want to change the permissions of an existing team (and all of its members) or to create a new team for a single user.
If you are modifying an existing Team,
click on the Team name,
then click the gear icon at the top right,
then change the Team's access to Admin and
click Update.
If you are creating a new Team,
click the New Team button,
give the Team an appropriate name,
set its access to Admin and
click Create Team.
Team memberships have somewhat limited permissions scopes to individually named repositories.
If you want to set someone as an admin for the entire organization:
Navigate to the Organization > People
Identify the member you want to update and click on the settings cog
Set role to Owner
Update 2022: GitHub entitlements can help you define an IAM (Identity and Access Management) complete with audits.
2017: Note that since June 2017, you can apply an Admin access right to a sub-team (instead of one giant unique team as before)
See "Nested teams add depth to your team structure":
Child teams inherit their parent's access permissions, so repository permissions and #mentioning among nested teams work from top to bottom.
If your team structure is Employees > Engineering > Application Engineering > Identity, granting Engineering write access to a repository means Application Engineering and Identity also get that access.
So that is another way to assign a user admin right: make him/her part of a sub-sub team called "admins" within an organization.
Official GitHub Documentation: Nested Teams.