The instructions on this page assume you are using the Enterprise version of Google Apps Login and have already followed the setup steps that apply to all versions, followed by the instructions specific to the Premium (and also Enterprise) version which you can read here. This page explains more about the Enterprise plugin’s granular user role controls.
Setup a Service Account
To ensure all users in your domain can call the Google Groups API, the Enterprise version of Google Apps Login plugin requires you to complete an extra setup step.
If you haven’t already created a Service Account when you configured the plugin, then you will not see the Service Account email address and Private key fingerprint towards the bottom of the Main Settings tab in Settings -> Google Apps Login in your WordPress admin.
If these fields are not yet completed, follow the instructions to set up a Service Account here.
Mapping Google Groups to Roles
A key feature of the Enterprise version of the plugin is having greater control over WordPress roles. Please click on the Domain Control tab.
As for the Premium version, you should enter your company’s G Suite (formerly known as Google Apps) domain name in My Google Apps domain, and check Auto-create new users on my domain if that’s the functionality you desire. When users from your G Suite (Google Apps) domain attempt to login to WordPress using “Login with Google”, their accounts will be auto-created if they don’t already exist in WordPress.
The Enterprise Group Roles section allows us to specify how roles are assigned to those auto-created new users – and, optionally, we can reinforce those role rules every time a user logs in via Google.
You can add multiple rules to map from Google Groups to WordPress roles. Enter the email address of a Google Group, and select the corresponding role from the dropdown. Above, you can see we want members of the Google Group firstname.lastname@example.org to become Admins in WordPress; and members of the Group email@example.com to become Editors.
There is also a ‘No Access’ option in the role dropdown so that any matching users are denied any usable role in the site.
There should always be one spare ‘box’ to enter a new rule, but to add more you can simply click Save Changes. An extra empty box will be provided beneath the list of your existing rules.
To remove a rule box, just remove the text of the email address to leave an empty text field (don’t worry about the role dropdown) and click Save Changes. The rule should have been removed completely.
Overriding individual emails
Sometimes, you will want to create very specific rules that aren’t worth the creation of a Google Group. For example, you may want only yourself to be an Admin, but no other members of any Group (or anyone at all) – and it’s not really worth creating a new Group containing only yourself. In that case, you can simply enter an individual email address (e.g. your own) instead of a Group email address, and select the desired role from the dropdown.
Initially, when activated, the plugin will try to set up some rules based on your admin users. These will all be overrides so that admin users remain admins even after the rules are applied. You can remove these if you like, but they are in there as a safety net. If we didn’t put them in to start with, it would be easy just to run a set of blank rules and make all users, say, subscribers – at which point there would be no admins left to fix things!
How rules are applied
It is important to understand that the rules are applied in the order listed on the settings page, and finally the Default role is applied if no other matches are found. Once a rule matches and is applied, the search will stop.
If there are no rule matches, the Default Role will be applied.
In the example in the screenshot above, if a user is member of both developers and marketing groups, they will become an Admin in WordPress because the developers -> Admin rule is listed first.
For individual email addresses, you would normally want to list those first above any Group entries. Otherwise, if the user is also a member of a Group, an earlier Group-based rule could prevent their individual email address rule from matching first.
Check and reset roles on every login
If this is unchecked, the rules are only applied when a new user is auto-created. If you check the box, the rules will be reapplied (e.g. if membership of Google Groups has changed), every time a user logs in using Google.
Note that rules will not be applied if a user logs in using regular WordPress username/password – but you can check the box towards the top of the Domain Control tab if you want to ensure they can’t login that way.
All role changes (or any problems fetching Google Group information) will be listed in the Logs tab of the Google Apps Login -> Settings page.
Note that multisite installations have a couple of extra options on this page – explained here.
Please do not hesitate to get in touch with us if you have any questions at all about the plugin!