Changing organisation for compute engine from workspace to cloud identity - google-compute-engine

I think I made a big mistake.
I was asked to investigate Office 365 vs workspace and took out a workspace trial. In hindsight, I probably should have created a new workspace account to try this.
To be clear, for a long time we have had access to and used the "Google Workspace Admin console" purely to set up our organisation and administer users for compute engine projects. I am not sure why we would have had access to this without a paid account. (Possibly we used g-suite before. It's not clear to me whether companies are normally able to access this without a paid account.) I assumed this was akin to the free azure organisation/user setup. Nowadays, I believe we would possibly be advised to use Google Identity in this situation.
Having taken out the trial I understand from workspace support that at the end they will delete my existing organisation and users; they cannot switch me back to an "identity only" version of workspace we seemed to have before, and are therefore forcing me to sign every user up to workspace even though we don't need it at this point. Is this the case or are they advising me incorrectly?
Assuming they are correct, I cannot sign our company up to google identity, since our domain is owned by the soon to be deleted workspace account.
Therefore my worry is that my business is about to lose access to our compute engine organisation and associated logins, as well as google domains.
The only options I can see are to pay for workspace for our users every month, or create a new organisation in cloud identity, transfer the compute engine projects, wait for the workspace account to be removed, then reclaim our main domain and recreate all the admin users. (I am not sure whether we can move a project out of an organisation once there.)
Is this even possible, and what are the dangers? Are there any other options?

If you have a GCP organization and access to the Admin Console, you must have some subscription. You can see your subscription(s) in the Admin Console under Billing > Subscriptions.
It's possible to add or change subscriptions, but there are some restrictions: For example, if you currently have a G Suite Legacy subscription, you might not be offered the ability to add a Cloud Identity Free subscription. But there are ways to deal with this -- for example, by temporarily upgrading to a paid plan, and then switching to Cloud Identity Free.
Support should be able to help you find a way that doesn't require deleting and re-creating your account/org.

Johannes Passing is correct.
admin.google.com on the home page says "Welcome to the Google Workspace Admin console" - this is confusing since the portal is also about administering organisation and users through cloud identity as well (it could be better named for example "Organisation Admin console")
In addition, there are actually different answers from google:-
This one (which I originally read) says "If your trial period ends and you haven’t set up billing or verified your domain, your account will be automatically deleted" and also "You won’t be able to access Google Workspace after completing the steps."
https://support.google.com/a/answer/6388094
...but this one correctly says "Note that cancelling Google Workspace doesn’t remove user accounts, groups, or your organizational structure"
https://support.google.com/a/answer/1257646
Together this gave the impression that access to admin.google.com may be completely removed, if a subscription is removed. I can clearly see that I also have a subscription to Cloud Identity Free.

Related

is there any database for Google apps script/workspace add-on

I am working on a google workspace add-on for gmail. As part of it, I want to store and index some data, so that it can be later aggregated/enriched for insights.
I don't want to use some external (outside-google-workspace) database as it will have data privacy and security implications. So, I want to keep that data within the safe precincts of the user workspace.
Is there any database service within the google workspace for the above mentioned requirements?
PS: I am already aware of Properties service which can store configurations. The data I want to persist is definitely more than that.
There is no such database.
The closest alternatives, as already mentioned, are PropertiesService, which has obvious limitations, and Google Cloud SQL databases, which live in Google's cloud but are not part of Google Workspace.

What's a good workaround for Triggers being disabled because they were created by a now-disabled Google Workspace user?

My company uses Google Suite and there are a handful of engineers who develop projects within Sheets (often for use by others with less technical backgrounds).
Some of these projects have involved creation of Triggers (e.g. "save the contents of this Sheet every day at midnight").
What I've discovered is that when one of those engineers leaves the company and their account is disabled, triggers written by that user become disabled and remaining users can neither view nor edit their contents. Nor can they see details of triggers created by a different (active) user.
Are there known workarounds to get the contents of this type of trigger? Or is there a better practice to employ that doesn't tie status of a trigger to the status of a user?
Google has a guide for scripts collaboration: Collaborating with Other Developers. Briefly, they suggest saving scripts in a Shared Drive, as this will allow several users to do the same as the owner of a script stored in their "My Drive", but this requires the use of a Google Workspace account having access to Shared Drives.
If the script creators don't have access to a Shared Drive then ask them to transfer the ownership of the scripts to be used by others to a more stable user account. IMHO the best is to have a generic user account not tied to a specific person, i.e. scripts#example.com. One additional advantage is that it might help to differentiate in the version history whether the changes made were done "by a real person" or by a trigger.
Another option is that the domain admin could transfer the files' ownership from the disabled account to another user account, either to a real person account or to a generic account, i.e. archivist#example.com; then someone having access to that account could find the corresponding script and do the required adjustments.
Depending on the number of engineers and size of the company you might also want to keep an inventory of all the scripts used by others and implement some sort of pair-review focused on script ownership succession.

Google apps Script web app deploy for many users

I programmed a web app and now I need to deploy it for my organization. There are 500 potential users. What factors do I need to consider before the deploy? Is there an easy way to deploy it? Are there limitations to consider? What risks are there? Is there a model, or can you give tips or experiences for the deployment?
There are no definable risks or dangers, it all depends on what your application does.
When you choose which users are authorized to access it, you will inevitably have to select anyone within your organization, otherwise only you (or the account with which the script was created) will be able to access it. As for the execution mode, you will have to choose between you and the user who accesses the application. This is important because if the application accesses an external service, such as Google Analytics, it can do so as the user with whom the application was generated or as the user who is accessing the application. Based on that selection you will see the Analytics data of one or the other account.
So it all depends on what your application does and how it is to be used.

Executing SSH commands from Google Apps script

I'm trying to create a Google apps script that adds a new user to a Ubuntu vm that I've created whenever a form is submitted. I'm wondering if there is some way to initiate an ssh connection from a Google apps script that would allow me to login to the vm and create a new user. I have the IP and login credentials for the vm. I've set it up so that the script will run whenever a form is submitted, however I'm not sure where to go from there. I apologize in advance if there is a better way to do this, I could just manually create the accounts based off form submissions, but I really need the automation. If there is a solution to this, even if it doesn't involve ssh, I would really appreciate the help!
This is not trivial.
Google AppsScript does not support SSH by default, so you have to work around that.
The user Perhaps you see this name has given you a great idea. I'll further explain how to do what he suggested below:
What you will need on the linux machine:
A web service, callable from the google IPs (you can whitelist it or leave it open to the public, which is dangerous and should be done only as a last resort).
An account with user creation permission on linux.
A script to create the new users from the data received on the web service.
For the first part, you can do this with any technology you want. I recommend Node.Js + Express.js, as it is easy to create what you want with child processes.
I'll assume you already have a user account able to create users. You probably want to use that.
The last part is just another linux command. You can just Google it and you'll find lots of examples.
There is one catch: while the real-time user creation option with APIs might look enticing to you, I would strongly advise against leaving a public service for something like creating users, as that could become a security risk.
What you might want to do instead is to have a machine with no value (AKA a cheap machine you planned to throw away, with no important data and no confidential information) hosting your web service and then make a script on your Ubuntu VM to fetch the data from said service in an encrypted, secure way.
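As an added example (not part of the original answer), this is one way the script on the Ubuntu VM could vet each request it pulls from the throwaway web service before creating an account. It assumes the form-side script signs each JSON request with an HMAC-SHA256 key shared only with the VM; the field names `id`, `ts` and `username`, the key, and the function names are hypothetical.

```javascript
// Added example: runs on the Ubuntu VM, which pulls requests from the relay.
const crypto = require('crypto');

// Constructed demo key; in practice read it from a root-only file on the VM.
const SHARED_KEY = Buffer.from('constructed-demo-key-not-a-real-secret');
// Conservative username policy: lowercase start, at most 32 characters.
const USERNAME_RE = /^[a-z_][a-z0-9_-]{0,31}$/;
const RESERVED = new Set(['root', 'daemon', 'bin', 'sys', 'www-data', 'nobody']);
const MAX_AGE_MS = 10 * 60 * 1000; // reject requests older than 10 minutes

function sign(body, key = SHARED_KEY) {
  return crypto.createHmac('sha256', key).update(body).digest('hex');
}

// Returns { ok: true, argv } or { ok: false, reason }.
// seenIds is a Set of request ids already processed (replay protection).
function vetRequest(body, sigHex, seenIds, now = Date.now()) {
  const expected = Buffer.from(sign(body), 'hex');
  const got = Buffer.from(String(sigHex), 'hex');
  // The relay is untrusted: anything it altered or invented fails here.
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  let req;
  try { req = JSON.parse(body); } catch { return { ok: false, reason: 'bad json' }; }
  if (!req || typeof req.id !== 'string' || seenIds.has(req.id)) {
    return { ok: false, reason: 'replayed id' };
  }
  if (typeof req.ts !== 'number' || Math.abs(now - req.ts) > MAX_AGE_MS) {
    return { ok: false, reason: 'stale' };
  }
  if (typeof req.username !== 'string' || !USERNAME_RE.test(req.username) ||
      RESERVED.has(req.username)) {
    return { ok: false, reason: 'bad username' };
  }
  seenIds.add(req.id);
  // argv is meant for child_process.execFile(argv[0], argv.slice(1)):
  // no shell is involved, and "--" stops option parsing before the name.
  return {
    ok: true,
    argv: ['useradd', '--create-home', '--shell', '/bin/bash', '--', req.username],
  };
}
```

With this split the relay machine holds no key and no privileges, so compromising it yields at most the ability to drop or delay requests.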

You can use Compute Engine after a project owner enables billing

This is my first question for GCE on StackOverflow.
I've been using GCE for quite some time. I have 4 projects. Suddenly last night I was unable to connect or see VMs in the dashboard. I see a message saying:
You can use Compute Engine after a project owner enables billing.
You do not have permission to enable billing for this project. Contact a project owner to enable billing.
Why is this happening with only 2 projects and not with others? As far as I know payment settings are the same for all 4 projects.
Can you please help me out with this? I'm badly stuck.
Thanks in advance, here is a picture of my problem.
You can have multiple billing accounts, and multiple projects can share a billing account. It sounds like you are not a project owner, so it's possible that a project owner has changed or disabled the billing account for some of the projects you have accessed without your knowledge (or that perhaps there was indeed a problem with the payment method).
When a project cannot be billed, the registered project owners will receive several email notices informing them that there is a problem, and providing information on how to fix it.
In this case it sounds like you are doing the correct action - that is to work with the guy who is the project owner to find out what notices he received, and to make sure a valid billing account is attached to the projects, or follow up with billing support if there is an issue that they have notified you about.