After you create access levels, you’re ready to assign them to apps. You can control access by user identity, device security status, IP address, and geographical location. You can also control access for apps attempting to access Google Workspace apps and apps attempting to access Google Workspace data through Application Programming Interfaces (APIs).
When you assign access levels…
- Selecting an access level sets it to Monitor mode by default. This ensures you won’t inadvertently block users when you turn on an access level.
- Users are granted access to the app when they meet the conditions specified in one of the access levels you select (a logical OR of the access levels in the list). If you want users to meet the conditions in more than one access level (a logical AND of access levels), create an access level that contains multiple access levels. If you want to assign more than 10 access levels for an app, you can use nested access levels.
- For mobile apps, if you use integrated Gmail, you can grant or deny access to Gmail, Google Chat, and Google Meet all at once. If Chat and Meet are implemented as separate apps (not as part of integrated Gmail), you need to grant or deny access to those apps separately.
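The OR/AND behavior described above, as a small model. This is an added example, not Google's implementation: the `AccessLevel` class, its fields, the level names and the request context are all hypothetical, and the sample addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_ASSIGNED = 10  # per the page: beyond 10 levels per app, nest them instead


@dataclass(frozen=True)
class AccessLevel:
    name: str
    ip_ranges: tuple = ()          # allowed CIDRs; empty means "not checked"
    require_managed: bool = False  # device security status condition
    all_of: tuple = ()             # nested levels that must ALL be met (AND)

    def met(self, ctx):
        if self.ip_ranges and not any(
            ip_address(ctx["ip"]) in ip_network(r) for r in self.ip_ranges
        ):
            return False
        if self.require_managed and not ctx["managed"]:
            return False
        return all(level.met(ctx) for level in self.all_of)


def evaluate(assigned, ctx, mode="monitor"):
    """Decide access for one app. Levels in `assigned` are OR'ed together."""
    if len(assigned) > MAX_ASSIGNED:
        raise ValueError("more than 10 levels assigned; use a nested level")
    unmet = [lvl.name for lvl in assigned if not lvl.met(ctx)]
    if len(unmet) < len(assigned) or not assigned:
        return "allow", unmet
    # Monitor mode only records the would-be denial; Active mode enforces it.
    return ("allow (logged)" if mode == "monitor" else "deny"), unmet


# Constructed sample levels and request context (documentation address range).
CORP_IP = AccessLevel("corp_ip", ip_ranges=("203.0.113.0/24",))
MANAGED = AccessLevel("managed_device", require_managed=True)
CORP_AND_MANAGED = AccessLevel("corp_and_managed", all_of=(CORP_IP, MANAGED))

# On the corporate network, but from an unmanaged laptop.
ctx = {"ip": "203.0.113.7", "managed": False}

if __name__ == "__main__":
    print(evaluate([CORP_IP, MANAGED], ctx, "active"))   # OR: one met is enough
    print(evaluate([CORP_AND_MANAGED], ctx, "active"))   # AND: both required
    print(evaluate([CORP_AND_MANAGED], ctx, "monitor"))  # logged, not blocked
```

Listing both levels lets the unmanaged laptop in because one of them is met; only the nested level requires both conditions.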
Assign access levels to an app
Before you begin: If needed, learn how to apply the setting to a department or group.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
- For Assign access levels, click Assign access levels to apps.
- (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).
Group settings override organizational units.
- Choose an option:
- Point to an app and click Actions Assign.
- Check the boxes next to multiple apps and then, above the list of apps, click Assign.
- For Access levels, click Edit.
- For Access level(s), choose an option for each access level:
- To test how selecting the access level will affect users without actually blocking access, check the Monitor box.
- To start applying the access level, check the Active box.
- Click Save.
- For Actions, click Edit.
- Select Warn or Block to specify what action will occur when an active access level policy isn't met for a supported app.
For details about supported apps, go to App support for Context-Aware Access on this page.
- Click Save.
- (Optional) To update the scope that you selected for your access levels:
- For Scope, click Edit.
- Make any changes and click Save.
- (Optional) To update the apps that you selected for your access levels:
- For Apps, click Edit.
- Make any changes and click Save.
- For Policy settings, click Edit.
- (Recommended) Check the Block users from accessing Google desktop and mobile apps if access levels aren't met box to apply the access levels to users of native desktop, Android, and iOS apps and web apps. For details about the behaviors that you can expect after configuring your preferred access level settings, go to App behavior based on access level settings on this page.
- (Optional) To block apps from attempting to access Workspace data through exposed public APIs, check the Block other apps from accessing the selected apps via APIs, if access levels aren't met box.
- (Optional) To exempt trusted apps from being blocked through exposed APIs, check the Exempt any apps selected below so that they can always access APIs for specific Google services, regardless of access levels box.
This option is available for configuration by organizational unit, not configuration group, even though you can select a group in the Admin console. For details, go to Use cases: Exempt trusted third-party apps from being blocked.
- If a list of apps or the app you want to exempt isn’t shown, click Go to app access control and complete the steps to trust the app. Any third-party, internal, and Google-owned apps that you mark Trusted on the App Access Control page are listed in the trusted apps table. Apps are preselected if you marked them trusted and exempt from API enforcement.
Note: You can't exempt Google apps (such as Google Drive, Google Calendar, or Google Apps Script) from API blocking. These apps appear grayed out in the list.
- If needed, select the apps that you want exempted from API enforcement and click Continue.
- Click Save.
- For What will this policy do?, review the effects that your new access levels will have on your organization and its apps. To update selections, next to Access levels, Actions, Scope, Apps, or Policy settings, click Edit.
- Click Assign.
You’re returned to the apps list page. The Access levels column shows the number of access levels applied to each app in both monitor mode and active mode.
App support for Context-Aware Access
Google app | Block mode support | Warn mode support |
---|---|---|
Gmail | ✔ | ✔ |
Drive | ✔ | ✔ |
Google Docs (includes Google Sheets and Google Slides) | ✔ | ✔ |
Calendar | ✔ | ✔ |
Meet | ✔ | Web and Android only |
Chat | ✔ | ✔ |
Google Keep | ✔ | ✔ |
Google Tasks | ✔ | ✔ |
Gemini | ✔ | Web only |
Admin console | ✔ | Web only |
Google Vault | ✔ | |
Google Sites | ✔ | Web only |
Google Cloud Search | ✔ | |
Google for Business | ✔ | |
Google Cloud | ✔ | |
Google Looker Studio | ✔ | |
Google Play Console | ✔ | |
NotebookLM | ✔ | Web only |
App behavior based on access level settings
The following table summarizes the behavior based on whether you check the Block users from accessing Google desktop and mobile apps if access levels aren’t met box and whether you deploy Endpoint verification.
Key terms for this table:
- Access level applied—Access is granted based on the access levels you set up in the Context-Aware Access configuration.
- Access allowed—Context-Aware Access is not applied, and all access is allowed.
- Access blocked—Access is blocked because Context-Aware Access isn't configured, or you don't have endpoint verification turned on.
Access level | CAA enabled Allow/block (native and web) | Mobile native | Mobile web | Desktop web | Desktop native | Endpoint verification deployed? |
---|---|---|---|---|---|---|
Access level with only IP/Geo attributes | Block users from accessing Google desktop and mobile apps if access levels aren’t met box is checked* | Access level applied | Access level applied | Access level applied | Access level applied | Not required |
Access level with only IP/Geo attributes | Block users from accessing Google desktop and mobile apps if access levels aren’t met box is not checked | Access allowed | Access level applied | Access level applied | Access allowed | Not required |
Access level with device attributes | | Access level applied | Access level applied | Access level applied | Access level applied | Yes |
Access level with device attributes | Block users from accessing Google desktop and mobile apps if access levels aren’t met box is checked | Access level applied | Access level applied | Access blocked | Access blocked | No |
Access level with device attributes | | Access allowed | Access level applied | Access level applied | Access allowed | Yes |
* Recommended setting
Note: The Gemini mobile app has a different user experience when a user is blocked. Instead of a standard pop-up window, the app provides a reply message that explains access was denied. This happens when a query attempts to access data in a way that violates an access level. It does not occur for simple queries like greetings.
Review or modify assigned access levels
This setting is used to apply changes locally and does not display inherited assignments.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- For Assign access levels, click Assign access levels to apps.
- (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).
Group settings override organizational units.
- Choose an option:
- Point to an app and click Actions Assign.
- Check the boxes next to multiple apps and then, above the list of apps, click Assign.
- For Access levels, click Edit.
- For Access level(s), choose an option for each access level:
- To test how selecting the access level will affect users without actually blocking access, check the Monitor box.
- To start applying the access level, check the Active box.
- Click Save.
- For Actions, click Edit.
- Review your selected access levels to verify whether they’re set to trigger the action you want when access level conditions are not met.
- Block—Blocks access to the app
- Warn—Allows access to the app with a warning
- Click Save.
- (Optional) To review or update the scope that you selected for your access levels:
- For Scope, click Edit.
- Make any changes and click Save.
- (Optional) To review or update the apps that you selected for your access levels:
- For Apps, click Edit.
- Make any changes and click Save.
- For Policy settings, click Edit.
- Review your selected policy to verify whether it’s set to block the right apps. The policy can include blocking access to the desktop and mobile versions of your selected apps, blocking other apps from accessing your selected apps using APIs, and exempting allowlisted apps.
- Click Save.
- For What will this policy do?, review the effects that your new Context-Aware Access levels will have on your organization and its apps. To update selections, next to Access levels, Actions, Scope, Apps, or Policy settings, click Edit.
- Click Assign.
View logged events for an access level
Use the View report option to track whether your assigned access levels are functioning correctly to control user access to apps. Access levels set to either monitor or active mode generate events that are logged in the Context-Aware Access log.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- For Assign access levels, click Assign access levels to apps.
- (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).
Group settings override organizational units.
- Point to an app and click Actions View report.
- On the side, click the link to the security investigation tool to automatically run a search for Context-Aware Access log events for the selected app.
The search results include the following information:
- Access denied (Monitor mode) events show users who would have been blocked if this access level were enforced.
- The Actor column shows the blocked user.
- Access levels that are applied, satisfied (access conditions met), and unsatisfied (access conditions not met)
For more information, see Context-Aware Access log events.
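One way to use these Monitor mode events before switching a level to Active is to list who would be blocked per app and which levels they failed. This is an added example, not part of the original page or a Google tool: the CSV column names, the plain "Access denied" label for an enforced denial, and all sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

MONITOR_DENY = "Access denied (Monitor mode)"  # event label quoted on the page

# Constructed export. Column names and the plain "Access denied" label for an
# enforced denial are hypothetical; map them to whatever your export contains.
SAMPLE_EXPORT = """\
event,actor,application,applied,satisfied,unsatisfied
Access denied (Monitor mode),ana@example.com,Drive,corp_ip;managed_device,,corp_ip;managed_device
Access denied (Monitor mode),ana@example.com,Drive,corp_ip;managed_device,,corp_ip;managed_device
Access denied (Monitor mode),raj@example.com,Drive,corp_ip;managed_device,,corp_ip;managed_device
Access denied,lee@example.com,Gmail,corp_ip,,corp_ip
Access denied (Monitor mode),raj@example.com,Gmail,managed_device,,managed_device
"""


def parse(export_text):
    """Read the export and split the ';'-separated access level columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        for col in ("applied", "satisfied", "unsatisfied"):
            row[col] = [name for name in row[col].split(";") if name]
        rows.append(row)
    return rows


def monitor_impact(rows):
    """Per app: each user who would be blocked and the levels they failed."""
    impact = defaultdict(lambda: defaultdict(set))
    for row in rows:
        if row["event"] != MONITOR_DENY:
            continue  # already-enforced denials are not a preview
        impact[row["application"]][row["actor"]].update(row["unsatisfied"])
    return {app: {user: sorted(levels) for user, levels in users.items()}
            for app, users in impact.items()}


def safe_to_activate(rows, app, expected_blocked=()):
    """(True, []) when only expected users would be blocked in this app."""
    blocked = set(monitor_impact(rows).get(app, {}))
    surprises = sorted(blocked - set(expected_blocked))
    return not surprises, surprises


if __name__ == "__main__":
    rows = parse(SAMPLE_EXPORT)
    print(monitor_impact(rows))
    print(safe_to_activate(rows, "Drive"))
```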