
Users and Groups

Users and groups are a core part of identity and access management in Google Cloud. A well-structured user and group model simplifies administration, improves security, and enables scalable access control across projects and environments.

This step builds on an existing Cloud Identity setup, completed domain verification, and a created Google Cloud organization.

Managed users in Google Cloud

Google Cloud uses Cloud Identity to centrally manage users and groups. Managed users are created and controlled within Cloud Identity and provide centralized security and administration capabilities.

Key benefits of managed users include:

  • Centralized user lifecycle management
  • Single sign-on support
  • Two-step verification enforcement
  • Audit and security reporting
  • API-based administration

User provisioning options

Users can be provisioned in Cloud Identity using multiple methods depending on organizational needs.

Manual creation

Administrators can create users directly from the Admin Console. This approach is simple but does not scale well for large organizations.

Bulk upload

Users can be created in bulk using a CSV file. This is useful for initial migrations or onboarding large teams.

Directory synchronization

For organizations using on-premises LDAP or Active Directory, Google provides Google Cloud Directory Sync. This tool performs one-way synchronization, keeping the external directory as the source of truth.

A cloud-based Directory Sync service is also available, and third-party identity providers such as Azure AD or Okta are supported.

Types of Google accounts

There are two main types of Google accounts that can exist in an organization.

Cloud Identity managed accounts

These accounts are created and controlled by the organization. They are governed by centralized policies and security controls defined in Cloud Identity.

Google consumer accounts

These are personal Google accounts created by individuals using a corporate email address. They are not controlled by the organization and should be avoided for enterprise environments.

Using Cloud Identity managed accounts is a best practice to ensure consistent security and administration.

Conflict accounts

Conflict accounts occur when a user already has a personal Google account with the same email address that the organization wants to manage.

These conflicts should be resolved before creating managed users. Resolution options include:

  • Inviting users to transfer their account to a managed account
  • Forcing the conflict, which requires the user to choose a new email address for their personal account

The Transfer Tool for unmanaged users, available in the Admin Console, helps identify and resolve these conflicts. Communicate with affected users in advance before taking either action.

Preventing future conflicts

Future conflict accounts can be prevented by:

  • Proactively creating managed users in Cloud Identity
  • Blocking Google consumer account verification emails at the email provider level

These steps ensure all users are created and managed centrally.

Admin groups and best practices

Groups are the foundation of scalable access control in Google Cloud. Instead of assigning permissions to individual users, roles should be assigned to groups and users added to those groups.

Google provides recommended admin groups that can be created using the Setup your Foundation workflow in the Google Cloud Console. Examples include:

  • Organization admins
  • Billing admins
  • Security admins
  • Network admins
  • Monitoring admins
  • Logging admins

These groups support role-based access control and enforce least privilege.

Workflow overview

A typical workflow includes:

  • Creating recommended admin groups
  • Verifying group creation in the Google Cloud Console
  • Adding users to the appropriate groups

By default, the initial Super Admin is added to all groups and additional members can be added as needed.
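The group-based model above is easy to state and easy to drift away from: a role granted "just for now" to an individual user, a basic role, or a leftover binding for a deleted account quietly undoes it. The following script is an added example (not code from this post or from Google) that audits an IAM policy export for exactly those departures, and doubles as the verification step of the workflow by listing which of the recommended admin groups hold no role yet. It reads the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` produces (the same shape applies to folder and project policies); the sample policy, the group addresses and ORG_DOMAIN are constructed for the example and assume a single verified domain.

```python
"""Audit a Google Cloud IAM policy against the group-based access model.

Added example for this page; it is not code from the gao.ninja post or from
Google. It reads an IAM policy in the JSON shape that
`gcloud organizations get-iam-policy ORG_ID --format=json` returns (a list of
bindings, each a role plus its members) and reports where the policy departs
from the model described above. The sample policy, the group names and
ORG_DOMAIN are constructed for the example.
"""
import json
from collections import Counter

ORG_DOMAIN = "example.com"  # assumed: the organization's single verified domain

# Basic roles are far broader than the admin groups above need; under least
# privilege they should be replaced by predefined roles.
BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Group addresses assumed for the recommended admin groups listed above.
RECOMMENDED_GROUPS = {
    f"group:{name}@{ORG_DOMAIN}"
    for name in (
        "gcp-organization-admins", "gcp-billing-admins", "gcp-security-admins",
        "gcp-network-admins", "gcp-monitoring-admins", "gcp-logging-admins",
    )
}

# Constructed sample export: a mostly group-based policy with the mistakes the
# audit is meant to catch.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-organization-admins@example.com",
                     "user:alice@example.com"]},          # direct user grant
        {"role": "roles/billing.admin",
         "members": ["group:gcp-billing-admins@example.com"]},
        {"role": "roles/editor",                           # basic role
         "members": ["user:bob@gmail.com"]},               # consumer account
        {"role": "roles/viewer",
         "members": ["allAuthenticatedUsers",              # public principal
                     "serviceAccount:ci@proj.iam.gserviceaccount.com",
                     "deleted:user:carol@example.com?uid=123456"]},  # stale
    ]
})


def principal_domain(member):
    """Domain of a `user:` or `group:` member ("user:a@x.com" -> "x.com")."""
    _, ident = member.split(":", 1)
    return ident.rsplit("@", 1)[1].lower() if "@" in ident else None


def audit_policy(policy_json, org_domain=ORG_DOMAIN):
    """Return (kind, role, member) findings; kind names the problem."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        if role in BASIC_ROLES:
            findings.append(("basic_role", role, None))
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(("public_principal", role, member))
                continue
            if member.startswith("deleted:"):
                # IAM keeps bindings for deleted principals; they are dead
                # weight and hide which roles are really in use.
                findings.append(("stale_principal", role, member))
                continue
            kind = member.split(":", 1)[0]
            if kind == "user":
                # Roles belong on groups; a direct user grant bypasses the model.
                findings.append(("direct_user_grant", role, member))
            if kind in ("user", "group") and principal_domain(member) != org_domain.lower():
                # Identity outside the verified domain, e.g. a consumer account.
                findings.append(("external_identity", role, member))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'direct_user_grant': 2, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


def unbound_recommended_groups(policy_json, expected=RECOMMENDED_GROUPS):
    """Recommended admin groups that hold no role yet (the verification step)."""
    bound = {m for b in json.loads(policy_json).get("bindings", [])
             for m in b.get("members", [])}
    return sorted(expected - bound)


if __name__ == "__main__":
    for kind, role, member in audit_policy(SAMPLE_POLICY):
        print(f"{kind:20} {role:45} {member or ''}")
    print("unbound recommended groups:", unbound_recommended_groups(SAMPLE_POLICY))
```

Run against a real export, the script is best scheduled after each change to the organization policy, and its findings map directly to the remediation the text prescribes: move the user into the matching admin group and drop the direct grant, replace basic roles with predefined ones, and remove public and stale principals. Organizations with several verified domains should extend the single-domain check to a set of domains.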

Outcome

The outcome of this step is a structured and secure access model based on managed users and groups. This model reduces operational overhead, improves auditability, and forms the foundation for consistent IAM management across Google Cloud environments.

Google Cloud Onboarding Series

  1. Technical Onboarding Center
  2. Cloud Identity and Organization
  3. Users and Groups (current)
  4. Administrative Access
  5. Resource Hierarchy
  6. Network Management
  7. Hybrid Connectivity
  8. Logging and Monitoring
  9. Organizational Security
  10. Customer Care Portfolio