What is the Guidance for the "Manage access to services that aren't controlled individually" Setting?

[Tony-Lutz]

💡 Summary

What is the Guidance for the "Manage access to services that aren't controlled individually" Setting?

Manage access to services that aren't controlled individually
You can manage access to Google services that aren't shown in the Admin console, and therefore, don't have an individual ON/OFF control.

https://support.google.com/a/answer/7646040?hl=en#:~:text=For%20services%20that%20don't,or%20just%20specific%20organizational%20units.

Motivation and context

Reasons to restrict access to services

Some Google services don't have their own On or Off setting in the Admin console, and Google may release new services at any time. You might want to restrict users from accessing services with their managed Google Account for reasons such as:

• Company policy—Your organization might need control over the services your users can use with their organization-managed Google Accounts.
• Industry regulations—Your organization might be subject to industry regulations that require administrative control over users' data.
• School restrictions—Your educational institution might need to restrict use of services for policy reasons or because it doesn't have parental approval to provide them to students.

How restricting access to services affects users

• If you turn off Google services that you don't control individually in the Admin console, users can't use services that might be helpful to them. If users are already using these services for work purposes, restricting access to them might disrupt their work.
• If users try to sign in to a restricted service, they're usually redirected to a page that tells them the service is unavailable and why.

Implementation notes

Turn services on or off

Sign in to your Google Admin console.
Sign in using an administrator account, not your current account anthony.benjamen.lutz@gmail.com

1. In the Admin console, go to Menu and then Appsand thenAdditional Google services.
2. In the message at the top of the page, click Change.
3. Choose how you want to restrict services and follow the steps:

• Turn services on or off for all users in your organization
• In the left panel, make sure Settings for all organizational units is selected.
• Choose to turn services on or off for all users.
• Click Save.

4. Turn services on or off for users in a specific organization unit

• In the left panel, select the organizational unit.
• Choose to turn services on or off for users.
• Click Override to keep this setting the same, even if the parent setting changes.
• If the organizational unit's status is already Overridden, choose an option:
• Inherit—Reverts to the same setting as its parent.
• Save—Saves your new setting (even if the parent setting changes).

It can take up to 48 hours for the new setting to take effect.

Tip: If you turn off services, consider communicating your organization's policy to users.

Please provide details for implementation, such as:

• an example for how this would be used
• what this would look like
• how this would act
• any related work, including links to related issues

Acceptance criteria

Yes let us know the recommended setting.

[buidav]

Thanks for opening an issue on this.
Doesn't look like we have baseline guidance on this control.
Will flag the technical content owner for the Common Controls baseline to add a control/guidance or give reasoning for why a baseline won't be added.

The typical reasons we don't add baselines for certain controls are either the control doesn't have a security impact or the control highly depends on the organization's risk posture.
However, in this case it looks like we should add a baseline policy for this control.

[jkaufman-mitre]

@buidav and @Tony-Lutz I will discuss with our internal team to get their opinion. However, I agree I do think a policy would be good.

[jkaufman-mitre]

A policy will be added to address this setting.

[jkaufman-mitre]

PR created. PR 315.