Google Workspace security concern

HeinMin · 12-15-2021 11:06 PM

we have some concern with Google workspace permission. We created a group, one of the member is using google account with other domain (domain A). Group member list shown xxxx@domainA. He is receiving the receiving the email thru Domain A mail box. Ona day he changed his google account email with another domain (domain B), And He still receiving email on Domain B. In the Group member list we saw that his email address was changed to xxxx@domainB . Group owner or Group manager did not get any notification about it. I think that the know issue for google https://support.google.com/a/answer/7664944.

So we tested ,

previously shared file can be access no matter how many time you change primary email address
Google calendar still can get the update invitation
Only Google Meet lost the access and "Ask to join" button appeared.

Any idea how to mitigate it ? I think that should not happened in Enterprise level services. No matter how many DLP rules apply that risks are still existed.

StephenHind

@HeinMin this only happens if the original account using DomainA is renamed to DomainB: this does not give anyone else access to the group, the same person has the same access as the same account is used; the account has just been renamed. The help article you linked to doesn't explain that very well, but that's the intended behaviour by Google.

HeinMin

Hi @StephenHind thanks for your explanation. I think google should reconsider above behavior. High risk of the information leakage is there. Person who change the Domain A to Domain B still receiving the information from Group in his/her DomainB mail box and Group owner or Group manager won't notice unless regular check on Group member list.

StephenHind

@HeinMin if you want a change in the way the product behaves then you should suggest it as a Feature Idea