
FAQ for Google Workspace when federated to RM Unify
Published Date : 24 Jul 2017   Last Updated : 10 Apr 2024   Content Ref: TEC5782172  





Symptoms

RM Cloud Service Delivery can assist you with your Google Workspace federation. For further information, please speak to your Sales representative on 01235 645 316 or email getintouch@rm.com quoting this artic



Requirements

This article provides a summary of the OU and group structure provisioned into Google Workspace by RM Unify and answers some of the commonly asked questions regarding the federation and user provisioning process.


Procedure

On federating an RM Unify establishment with Google Workspace, RM Unify creates an OU structure into which RM Unify user accounts will be provisioned and a set of default groups that RM Unify users are assigned membership of.

RM Unify provisioned Google Workspace OU structure:

Image showing the OU structure

For examples of single-site and multi-academy trust structures, please refer to the 'g_suite_ou_structure_examples.docx' file from the Download section below.


RM Unify provisioned Google Workspace groups:

| Group name | Email address of group | Assigned membership |
| --- | --- | --- |
| RM Unify establishment name - Support Staff | <identifier>_supportstaff@<domain> | RM Unify users with Non Teaching Staff role. |
| RM Unify establishment name - Teaching Staff | <identifier>_teachingstaff@<domain> | RM Unify users with Teaching Staff role. |
| RM Unify establishment name - Governors | <identifier>_governors@<domain> | RM Unify users with Governor role. |
| RM Unify establishment name - Others | <identifier>_others@<domain> | RM Unify users with Other role. |
| RM Unify establishment name - Students | <identifier>_student@<domain> | RM Unify users with Students role. |
| RM Unify establishment name - Year X | <identifier>_yearofentryX@<domain>* | RM Unify users with Students role and year of entry X, where X is the year the student entered Year 1 education.* |
| RM Unify establishment name - Year Y | <identifier>_yearofentryY@<domain>* | RM Unify users with Students role and year of entry Y, where Y is the year the student entered Year 1 education.* |
| RM Unify establishment name - Parents | <identifier>_parents@<domain> | No membership as RM Unify users with Associate (parent) role are not provisioned to Google. |
| RM Unify establishment name - All Users | <identifier>@<domain> | RM Unify establishment name - All Staff group. RM Unify establishment name - Students group. RM Unify establishment name - Governors group. RM Unify establishment name - Others group. RM Unify establishment name - Parents group. |
| RM Unify establishment name - All Staff | <identifier>_allstaff@<domain> | RM Unify establishment name - Support Staff group. RM Unify establishment name - Teaching Staff group. |

* As an example, a student who started Year 7 in September 2017 will be placed in the OU Year 2011, as 2011 is the year the student entered national curriculum in Year 1.

Please see TEC9023402 in the Other Useful Articles section below for information on the access permissions applied to these groups at time of creation.


What happens if I have multiple domains in my Google Workspace tenancy, but only want to federate one domain to RM Unify?
Federating sign on to a third party is a Google organisational (tenancy) wide setting. As such, any users* belonging to any domain in the Google Workspace tenancy, not linked to an RM Unify account, will not be able to sign in. The alternative options would be to:

  1. Federate all domains in your Google Workspace tenancy to separate RM Unify establishments.
  2. Separate your domains into two Google Workspace tenancies, one for federated and one for unfederated domains.

* The exception to this is Google Workspace Super Admin users.

Will the RM Unify provisioned OUs inherit any settings?
The OUs provisioned by RM Unify are configured to inherit settings from the root OU, so any settings already set against the root OU will apply to all users provisioned into the OUs created by RM Unify.

What happens to my new users?
Newly provisioned RM Unify users will be automatically placed in the appropriate RM Unify provisioned OU, based on role or year group.

What happens to my existing Google Workspace users?
During the federation process, you will be prompted to match your RM Unify users to any existing Google Workspace accounts. The matching is done based on email address. If the matched Google Workspace user resides in the root OU, then RM Unify will automatically move the user to the appropriate RM Unify provisioned OU. If the matched Google Workspace user does not reside in the root OU, then RM Unify will not move the user. This is a deliberate precaution to prevent RM Unify from changing previously set customer-defined settings applied to existing users. Although the Google Workspace user will not move OU, it will still be matched to the user's RM Unify account so that future RM Unify account updates such as name changes will still be applied.
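
The matching and sign-in rules above can be turned into a pre-federation audit of an exported user list. The following is an added example, not RM Unify code: the field names primaryEmail, orgUnitPath and isAdmin follow the Google Admin SDK Directory API user resource, the sample accounts are constructed, and case-insensitive comparison of email addresses is an assumption the article does not state.

```python
from collections import defaultdict

ROOT_OU = "/"  # path of the Google Workspace root OU


def plan_federation(google_users, unify_emails):
    """Classify existing Google accounts by the outcome the FAQ describes.

    google_users: dicts with primaryEmail, orgUnitPath and isAdmin
                  (isAdmin marks a Super Admin).
    unify_emails: email addresses of the RM Unify users.
    """
    # Assumption: addresses are compared case-insensitively after trimming.
    unify = {e.strip().lower() for e in unify_emails}
    plan = defaultdict(list)
    seen = set()
    for user in google_users:
        email = user["primaryEmail"].strip().lower()
        seen.add(email)
        if email in unify:
            # Matched on email: only accounts in the root OU are moved.
            in_root = user["orgUnitPath"] == ROOT_OU
            key = "matched_moved_from_root" if in_root else "matched_left_in_place"
        elif user.get("isAdmin"):
            # Super Admins are the stated exception to federated sign-in.
            key = "unmatched_super_admin"
        else:
            # Not linked to an RM Unify account: cannot sign in once federated.
            key = "unmatched_cannot_sign_in"
        plan[key].append(email)
    # RM Unify users for whom no existing Google account was found.
    plan["no_existing_google_account"] = sorted(unify - seen)
    return dict(plan)


# Constructed sample data, not taken from a real tenancy.
GOOGLE_USERS = [
    {"primaryEmail": "j.smith@school.example", "orgUnitPath": "/", "isAdmin": False},
    {"primaryEmail": "A.Jones@school.example", "orgUnitPath": "/Staff/SLT", "isAdmin": False},
    {"primaryEmail": "admin@school.example", "orgUnitPath": "/", "isAdmin": True},
    {"primaryEmail": "clerk@trust.example", "orgUnitPath": "/Office", "isAdmin": False},
]
UNIFY_EMAILS = ["j.smith@school.example", "a.jones@school.example",
                "new.pupil@school.example"]

if __name__ == "__main__":
    for outcome, emails in plan_federation(GOOGLE_USERS, UNIFY_EMAILS).items():
        print(f"{outcome}: {', '.join(emails) or '-'}")
```

Accounts listed under unmatched_cannot_sign_in are the ones to resolve before federation is enabled, either by creating a matching RM Unify user or by moving the domain to a separate tenancy.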

I want to move users from manually created OUs to the RM Unify provisioned ones. How do I do that?
In the Google Admin Console:

  1. Apply any desired settings (e.g. to ensure availability of the correct apps, e-safety restrictions for appropriate user groups, usability preferences etc.) to the RM Unify provisioned OUs.
  2. Move users from the manually created OUs to the root OU.
  3. Delete any manually created OUs no longer used to prevent future confusion.
  4. Sign on to RM Unify using an admin account and select a Google Workspace tile in the App Library.
  5. Click 'Are users missing from Google Workspace click here' and select the Resync Users option in the Support Info section.
  6. Depending on the number of users in your RM Unify establishment, it may take up to 30 minutes or more to resync all users.

What happens if I create additional OUs in future (e.g. Vulnerable Students) and move users to them using the Google Workspace Admin Console?
RM Unify will not move them back to their RM Unify provisioned OU automatically (this is a deliberate precaution). Provided their email address remains the same, the Google Workspace user will remain linked to the user's RM Unify account and future account updates will continue to apply.

You can move them back into the appropriate RM Unify provisioned OU at any time by moving them to the root OU and initiating a resync from a Google Workspace tile in the RM Unify App Library.

Can I rename the RM Unify provisioned OUs, e.g., change Students to Pupils?
No, OUs are identified by their name and parent path which means renaming an OU changes its lookup identifier, as well as the lookup identifier for any descendant OUs. This prevents RM Unify from identifying the OU during subsequent user provisioning tasks with the following symptoms:

  • When the next new user is created, or a resync initiated, RM Unify will recreate the expected OU(s). New users will be placed in the recreated OU. Existing users will remain in the renamed OU.
  • RM Unify establishment type, role and year group membership updates will not be applied to Google Workspace users in the renamed OUs.
  • Non-OU related updates (e.g. display name, role, password changes) will be applied as normal.

I don't like the naming convention used for the RM Unify provisioned student year OUs, can I rename them, e.g. rename Year 2010 to be Year 2017 or Year 7?
No, as mentioned above RM Unify relies on a specific name and path to OUs. RM Unify will recreate any missing year group OUs it expects to find and will only place new users in RM Unify provisioned OUs. You could create your own year group OUs with the desired name and manually move students into them but this would require ongoing maintenance. Please see the earlier question 'What happens if I create additional OUs in future' above.

Can I change the name and/or email address of an RM Unify provisioned group?
Yes, you can change the name and/or primary email address of the group using the Google Workspace Admin Console. The original email address will be retained as an alias and you can add additional aliases if desired. To send an email to the group in Gmail, users can type the email address or any part of the group's display name to find the group.

What happens to my existing Google Workspace groups and classrooms?
They will remain untouched. RM Unify does not make any changes to groups and classrooms it did not provision.

Can I still use Google Cloud Directory Sync (GCDS - previously known as Google Active Directory Sync, or GADS), to provision additional users, groups and contacts while federated to RM Unify?
You can continue to use it to provision groups and contacts but not users or passwords as these will come from RM Unify. We do not, however, provide support for configuring or managing GCDS unless you have purchased a custom contract that includes this. 

Which attributes are passed to the Google Workspace account?
The following RM Unify attributes are passed to a user's Google Workspace account:

| RM Unify attribute | Destination Google Workspace attribute |
| --- | --- |
| First name | First name. For Teaching and Non Teaching Staff, only the first initial of the first name is displayed by default. Note: It is possible to customise your configuration to allow the full first name of staff, if requested, e.g. John. Please raise a support call with your usual support provider. |
| Last name | Last name. |
| RM Unify email address | Primary email address. |
| Display name | Google Workspace automatically concatenates the user's display name by using the first name and last name values. For Teaching and Non Teaching Staff, this will display the first initial of the first name, e.g. J Smith. Note: Please see the 'First name' RM Unify attribute above if you would prefer to have staff display names which use the full first name, e.g. John Smith. This is the only alternative display name format. The Google API does not yet allow salutations such as 'Mr.', 'Mrs.', etc. |
| Year of Entry (students only) | Cost Center* and user assigned membership of the year of entry group. |
| Role type | 'Type of Employee'* and user assigned to role-group OU, along with membership of role group. |
| Establishment name and DfE code | Department*. |
| Registration group (if MIS group sync to Google Classroom configured) | User assigned membership of registration group class in Google Classroom. See TEC5513962 in the Other Useful Articles section below for more information. |
| Teaching group (if MIS group sync to Google Classroom configured) | User-assigned membership of a teaching group class in Google Classroom. See TEC5513962 in the Other Useful Articles section below for more information. |

* For establishments newly federating after the release of RM Unify v4.20 on 14 December 2021. If your establishment was federated before this date, then we are not populating these attributes by default but can do so on request. Please raise a support call with the RM Unify support team.

What happens in Google Workspace when I delete an RM Unify user?
The linked Google Workspace account will be suspended initially and then permanently deleted once the RM Unify user has remained deleted for nine months. More information about the RM Unify account deletion process can be viewed here. If you prefer, you can choose to manually delete the Google Workspace account before the nine months period is reached.

What happens when I disable an RM Unify user?
When the RM Unify account is disabled, via whatever provisioning method is in use, the linked Google Workspace account will be suspended.

Can I change a user's email address in Google Workspace?
You can rename a user in RM Unify (or on the network if AD Sync is in use) and this may allow the associated email address to also update in line with the new name (unless the desired email address is already in use, or is set as an 'override'). Alternatively, for CSV or MIS Sync provisioned RM Unify accounts, you can update the email address directly in the Management Console and it will flow through to Google Workspace. After the email address is renamed, the user's previous email address will be added as an alias in Google Workspace, ensuring that the user continues to receive emails sent to their old address.

Can I still create users directly via the Google Workspace Admin Console?
Only Admin users (Google Workspace users assigned Super Admin role) can be created directly in the Console. All other non-admin users should be provisioned via RM Unify.

Do passwords synchronise between RM Unify and Google Workspace?
Yes, there is one-way password synchronisation from RM Unify to Google Workspace.

Can I continue to access Google Workspace via Chromebooks or other devices after federation with RM Unify?
Yes, as long as the user's RM Unify password meets the minimum password criteria you have configured in Google Workspace.

Can I single sign-on to RM Unify and Google Workspace using a Chromebook?
Yes. Users can single sign-on to RM Unify when signed into their Chromebook with their RM Unify managed Google Workspace account.

To single sign-on to RM Unify, users must visit the URL given below. We recommend applying the following settings in the Google Admin Console to make your Chromebook users go to this URL automatically:

  1. Navigate to Devices, Chrome, Settings, 'Users & browsers'.
  2. On the right-hand side, under 'USER & BROWSER SETTINGS', browse down to the Startup section.
  3. From the Homepage setting drop-down menu, select the 'Homepage is always the URL set below' option.
  4. In the Homepage URL field, enter https://<scope>.rmunify.com/sso/google.
  5. Also, include the same URL as the first item in the 'Pages to load on startup' field.

How does RM Unify work with Google Classroom?
As an establishment with RM Unify MIS Sync enabled, it is possible to sync your teaching groups, year groups and registration groups from your MIS with Google Classroom to create Classes based on those groups. More information can be found in TEC5513962 in the Other Useful Articles section below.

My school will be changing DfE code in the near future, what will happen to the OUs, role groups and classes that have been provisioned from RM Unify?
Once you raise a support call with us to change the DfE code, we will make this change in RM Unify. Your existing Google Workspace OU path structure will be renamed to take into account the new DfE code. Your existing Google Workspace role groups will remain unchanged as these do not use the DfE code.

If you have set up automatic MIS group sync to Google Classroom, your existing Google class names will remain unchanged. Class owners can choose to manually rename these classes in Google Workspace if desired. If you would like new class names to use the new DfE code then update the name identifier setting in 'Set up group sync to apps'. Refer to TEC5513962 in the Other Useful Articles section below.

Can I use Google Workspace and Microsoft 365 at the same time?
Yes, for more information, please refer to the following articles in the Other Useful Articles section below:

  • TEC4945314: Supported configurations when federating your RM Unify establishment to Google Workspace and Microsoft 365.
  • TEC4904117: Unable to match existing Google Workspace accounts to RM Unify when Microsoft 365 is already installed.


Download

| Filename | File size |
| --- | --- |
| g_suite_ou_structure_examples.docx | 12 kb |


Other Useful Articles

Supported configurations when federating your RM Unify establishment(s) to Microsoft 365 and/or Google Workspace (TEC4945314)
Unable to match existing Google Workspace accounts to RM Unify when Microsoft 365 is already installed (TEC4904117)
How to federate Google Workspace to RM Unify (TEC3306517)
RM Unify Google Classroom MIS group sync (TEC5513962)
How to contact Google Workspace Support (TEC6194337)
Default permissions in Google Groups created by RM Unify (TEC9023402)




Document Keywords: frequently asked questions, faq, organization units, OUs, organization units, class, classes, google apps, tenancy, displayname, display name, TEC5782172

