Control access to apps based on user & device context
Assign access levels to Google-owned apps
Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium.
As an administrator, you can assign access levels to all Google-owned apps in your organization. Access levels work with your organization’s Context-Aware Access rules, which help you control access to apps based on user identity, device security status, IP address, and geographical location. When you assign access levels, you're creating a primary control for the Context-Aware Access rules across your organization. However, if a Google-owned app has its own rules assigned, those app-specific rules take precedence (with the exception of the Android Gemini app, which applies both primary and app-specific access levels).
When you assign access levels...
Access levels determine whether users are granted or denied access to Google-owned apps. When a user is assigned multiple access levels, they are granted access if they meet the conditions of any of the selected levels (a logical OR). If you want users to meet the conditions in more than one access level (a logical AND of access levels), you must create a single access level that contains multiple access levels. To control access to more than 10 access levels for Google-owned apps, you can use nested access levels.
Access level exceptions
If you turn this setting on, it won't apply to:
- The Google Admin console, to prevent administrators from accidentally locking themselves out. To control access to the Admin console, follow the steps in Apply Context-Aware Access levels to the Admin console.
- User account self-service pages, such as myaccount.google.com, to ensure that users aren't locked out of managing their own account information.
Assign access levels to all Google-owned apps
Before you begin: If needed, learn how to apply the setting to a department or group.
- Sign in with an administrator account to the Google Admin console.
  If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu and then Security > Access and data control > Context-Aware Access.
  Requires the Data security access level and rule management privileges and the Admin API groups and users read privileges.
- Click General Settings.
- (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).
  Group settings override organizational units.
- In the Access levels for Google-owned apps section, click Edit.
- Next to each access level, choose an option:
  - To allow access to the app and log the attempts that don't meet the selected access level, check the Monitor box.
    Use this setting to test rules and understand the impact.
  - To block access to apps for users who don't meet the specified access level, check the Active box.
    Use caution—this setting can disrupt user access. Certain apps, such as Google Search and YouTube, still allow usage when users are signed out of their managed Google Accounts.
- Click Save. Or, you might click Override for an organizational unit.
  To later restore the inherited value, click Inherit (or Unset for a group).
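The evaluation rules described on this page (OR across assigned levels, AND through a nested level, app-specific precedence, the Android Gemini exception, the two exempt surfaces, and Monitor versus Active) can be modelled to preview what a change would do to a given user before checking the Active box. This is an added sketch, not Google's implementation or an Admin console API. The app keys, attribute names, the single `mode` argument and the "no levels assigned means no restriction" rule are assumptions.

```python
from dataclasses import dataclass

# App keys below are constructed labels for this sketch, not console identifiers.
NOT_COVERED = {"admin_console", "account_self_service"}  # the listed exceptions
APPLIES_BOTH = {"android_gemini"}  # primary and app-specific levels both apply

@dataclass(frozen=True)
class Level:
    name: str
    conditions: tuple = ()   # (attribute, required value) pairs
    all_of: tuple = ()       # nested levels that must ALL be met (logical AND)

    def met(self, ctx):
        own = all(ctx.get(k) == v for k, v in self.conditions)
        return own and all(lvl.met(ctx) for lvl in self.all_of)

def any_met(levels, ctx):
    # Several assigned levels are a logical OR.
    # Assumption: no levels assigned means no restriction.
    return not levels or any(lvl.met(ctx) for lvl in levels)

def decide(app, ctx, primary, app_specific=None, mode="monitor"):
    """Return 'not-applied', 'allow', 'allow+log' or 'block' for one attempt."""
    if app in NOT_COVERED:
        return "not-applied"
    own = (app_specific or {}).get(app)
    if own and app in APPLIES_BOTH:
        ok = any_met(primary, ctx) and any_met(own, ctx)
    elif own:
        ok = any_met(own, ctx)       # app-specific rules take precedence
    else:
        ok = any_met(primary, ctx)
    if ok:
        return "allow"
    # Simplification (assumption): one mode for the whole evaluation.
    return "block" if mode == "active" else "allow+log"

# Constructed sample policy and device contexts.
corp_ip = Level("corp_ip", (("corp_ip", True),))
managed = Level("managed", (("managed", True),))
encrypted = Level("encrypted", (("encrypted", True),))
managed_and_encrypted = Level("managed_and_encrypted", all_of=(managed, encrypted))
PRIMARY = [corp_ip, managed_and_encrypted]
APP_SPECIFIC = {"drive": [managed], "android_gemini": [managed]}
home_unencrypted = {"corp_ip": False, "managed": True, "encrypted": False}
office_byod = {"corp_ip": True, "managed": False, "encrypted": True}

if __name__ == "__main__":
    for app in ("gmail", "drive", "android_gemini", "admin_console"):
        for name, ctx in (("home", home_unencrypted), ("office", office_byod)):
            print(app, name, decide(app, ctx, PRIMARY, APP_SPECIFIC, "active"))
```

The two sample contexts show the precedence effect in both directions: an app-specific level can admit a user the primary control would block, and block a user the primary control would admit.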