Google Workspace

From Open Source Ecology

As a legally-registered NGO (non-profit in the US), Open Source Ecology has a free Google Workspace account.

Note that Google Workspace is also known as:

  1. Google Apps (or gapps) and
  2. Google Suite (or gsuite)

Why?

Google Workspace lets us create Google accounts with a username on the @opensourceecology.org domain. For example, OSE users can manage their email from a Gmail-like UI. While we have access to numerous apps in Google Workspace, OSE specifically makes heavy use of the following apps:

  1. Google Mail
  2. Google Calendar
  3. Google Docs
  4. Google Drive
  5. Google Meet
  6. Google Groups
  7. Google Slides
  8. etc

Google Groups

OSE uses (internal-only) Google Groups for creating one-to-many email lists (a designated email account that reaches the inbox of many people at OSE).

Because

  1. Google doesn't support the concept of "shared accounts" [1],
  2. Google may lock you out of being able to log in to your account if their anomaly detection system thinks an account is being shared [2],
  3. Google won't let you turn off their "suspicious login" feature that locks you out of your own account -- even if their system is faulty and blocking you from logging in, even when you entered the correct password [3], and
  4. Google doesn't let you forward mail from one account to many accounts,

if you want to create a one-to-many email address (eg tractor-team@opensourceecology.org) for which there are many recipients, the way to do this in Google Workspace is to create a "Google Group".

System Alerts

For example, in September 2024, OSE nearly lost all of its backup data (on Backblaze) due to a few missed payments (amounting to <$10) because our bank blocked the transaction as "suspicious" (a false positive). The issue was exacerbated by the fact that our Backblaze-specific email address (which received many, many "payment failed" alerts) was not being forwarded to the email inboxes of Marcin (or anyone else).

For security reasons, it's always better to use services that don't use shared logins. If possible, create one user account per person and grant that user account access to the OSE account. Unfortunately, this isn't possible with many services -- and we're forced to use one shared account.

For more flexibility and security, rather than signing up for a service directly with a shared some-google-group-list@opensourceecology.org address that's tied directly to a Google Group, we create a new user account for that service. Then you can (1) forward all of that account's mail to a Google Group and (2) grant other users access to that account's mail.

To set up email forwarding, log in as the some-google-group-list@opensourceecology.org account in Gmail. Click on the settings "gear icon" in the top-right of the webpage. Click on the "Forwarding and POP/IMAP" tab. Under the "Forwarding" section, enter the email address of the Google Group. Make sure to check the correct radio button that says "Forward a copy of incoming mail to ..." and also leave the drop-down set to "keep ... copy in the inbox". This will ensure that, even if the Google Group gets moved or deleted in the future, all of the mail for this specific account will be retained in Gmail. Finally, click "Save Changes".

To grant Marcin or anyone else access to this new service-specific account's mail, log in as the account in Gmail. Click on the settings "gear icon" in the top-right of the webpage. Click on the "Accounts" tab. Under the "Grant access to your account" section, click "Add an account" and enter the email address of the person (eg Marcin) that you want to give access to be able to read and write mail on behalf of this user.

Warning: Please note that "reset password" functionality usually works by sending a link to a user's email address, so we should assume that anyone either on the Google Groups list or under the "Grant access to your account" list will be able to login to these services, even if they don't have the account password. So please only ever put trusted users on this list.
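The warning above means that the people who can take over a service are the forwarding group's members (including members of nested groups) plus the mailbox's delegates. The following is an added example, not OSE's own tooling: it audits a constructed inventory for mailboxes whose alerts reach nobody, forwarding that keeps no inbox copy, and readers outside a trusted list. All addresses, the inventory layout and the function names are assumptions made for illustration.

```python
# Constructed sample inventory; every address and field name here is hypothetical.
GROUPS = {
    "alerts@example.org": {"carol@example.org", "ops@example.org"},
    "ops@example.org": {"alice@example.org", "alerts@example.org"},  # nested, with a cycle
    "empty@example.org": set(),
}
MAILBOXES = {
    "backups-svc@example.org": {"forward_to": "alerts@example.org", "keep_copy": True,
                                "delegates": {"bob@example.org"}},
    "dns-svc@example.org": {"forward_to": None, "keep_copy": True, "delegates": set()},
    "ci-svc@example.org": {"forward_to": "empty@example.org", "keep_copy": False,
                           "delegates": set()},
}
TRUSTED = {"carol@example.org", "alice@example.org"}


def expand_group(address, groups, seen=None):
    """Return the people behind an address, following nested groups once each."""
    seen = set() if seen is None else seen
    if address not in groups:
        return {address}          # not a group: an individual recipient
    if address in seen:
        return set()              # already expanded: stops membership cycles
    seen.add(address)
    people = set()
    for member in groups[address]:
        people |= expand_group(member, groups, seen)
    return people


def audit(mailboxes, groups, trusted):
    """Map each service mailbox to its effective readers and any findings."""
    report = {}
    for name, cfg in mailboxes.items():
        readers = set(cfg["delegates"])
        if cfg["forward_to"]:
            readers |= expand_group(cfg["forward_to"], groups)
        findings = []
        if not readers:
            findings.append("no human receives this mailbox's alerts")
        if cfg["forward_to"] and not cfg["keep_copy"]:
            findings.append("forwarding without keeping a copy in the inbox")
        untrusted = sorted(readers - trusted)
        if untrusted:
            findings.append("can reset passwords but not trusted: " + ", ".join(untrusted))
        report[name] = {"readers": sorted(readers), "findings": findings}
    return report


if __name__ == "__main__":
    for name, result in audit(MAILBOXES, GROUPS, TRUSTED).items():
        print(name, result["readers"], result["findings"] or "ok")
```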

Why can't I login?

Unfortunately, Google employs an infamously faulty anomaly detection system[4] that may false-positive due to a "suspicious login" that could lock you out of your own account -- even when you entered the correct password on the first try. Unfortunately, Google is aware of the issue and refuses to let Google Workspace (or individual users) disable this broken "feature" for their accounts, even if it causes more harm than good [5].

If this happens, try enabling 2FA (with TOTP) in your account. It should prevent Google from locking you out of your own account, even if you enter the correct password on the first try.

Of course, you need to log in in order to add 2FA to your account. To bypass the lockout, ask an OSE member with Admin access to Google Workspace to temporarily turn off "two step authentication" (which is a distinct Google concept from "two factor authentication") as follows:

  1. Log into the admin.google.com panel
  2. Click Directory -> Users
  3. Click on your username
  4. Click on the "Security" tab
  5. Scroll down to "Login challenge" and click the "TURN OFF FOR 10 MINS" button [6]

Now you should be able to log in and set up 2FA with TOTP to prevent this from happening again.

References