The instructions on this page assume you are using the Enterprise version of Google Apps Login and have already followed the setup steps that apply to all versions, followed by the instructions specific to the Premium (and also Enterprise) version which you can read here. This page explains more about the Enterprise plugin’s granular user role controls.
Setup a Service Account
To ensure all users in your domain can call the Google Groups API, the Enterprise version of Google Apps Login plugin requires you to complete an extra setup step.
If you haven’t already created a Service Account when you configured the plugin, then you will not see the Service Account email address and Private key fingerprint towards the bottom of the Main Settings tab in Settings -> Google Apps Login in your WordPress admin.
If these fields are not yet completed, follow the instructions to set up a Service Account here.
Mapping Google Groups and OrgUnits to Roles
A key feature of the Enterprise version of the plugin is having greater control over WordPress roles. Please click on the Domain Control tab.
As for the Premium version, you should enter your company’s G Suite (formerly known as Google Apps) domain name in My Google Apps domain, and check Auto-create new users on my domain if that’s the functionality you desire. When users from your G Suite (Google Apps) domain attempt to login to WordPress using “Login with Google”, their accounts will be auto-created if they don’t already exist in WordPress.
The Enterprise Role Mapping Rules section allows us to specify how roles are assigned to those auto-created new users – and, optionally, we can reinforce those role rules every time a user logs in via Google.
Setting up Rules
You can add multiple rules to map from Google Groups or OrgUnits to WordPress roles. Enter the email address of a Google Group, or an OrgUnitPath, and select the desired corresponding role from the dropdown. Above, you can see we want members of the Google Group email@example.com to become Admins in WordPress; and members of the Group firstname.lastname@example.org to become Editors. If the user is in neither of those Groups, then they may become Contributors if they belong to the /HardwareDivision OrgUnitPath (or below – e.g. /HardwareDivision/Mobile). Finally, if they do not match any of the rules they will be assigned the ‘Default Role’ of Subscriber.
There is also a ‘No Access’ option in the role dropdown so that any matching users are denied any usable role in the site.
Adding and Removing Rules
To add an extra rule click the Add Rule button. This will provide an extra empty row for you to enter a new rule.
To remove a rule box, just click the Delete link at the end of that row.
Rules are applied in the order shown in the Domain Control tab, stopping when any match is reached so that the first matching role will be applied. To change the order of the rules you can click and drag the up/down arrow icon at the left-hand side of the rule row that you want to move.
Overriding individual emails
Sometimes, you will want to create very specific rules that aren’t worth the creation of a Google Group. For example, you may want only yourself to be an Admin, but no other members of any Group (or anyone at all) – and it’s not really worth creating a new Group containing only yourself. In that case, you can simply enter an individual email address (e.g. your own) instead of a Group email address, and select the desired role from the dropdown.
Initially, when activated, the plugin will try to set up some rules based on your admin users. These will all be overrides so that admin users remain admins even after the rules are applied. You can remove these if you like, but they are in there as a safety net. If we didn’t put them in to start with, it would be easy just to run a set of blank rules and make all users, say, subscribers – at which point there would be no admins left to fix things!
How rules are applied
It is important to understand that the rules are applied in the order listed on the settings page, and finally the Default role is applied if no other matches are found. Once a rule matches and is applied, the search will stop.
If there are no rule matches, the Default Role will be applied.
In the example in the screenshot above, if a user is member of both developers and marketing groups, they will become an Admin in WordPress because the developers -> Admin rule is listed first.
For individual email addresses, you would normally want to list those first above any Group entries. Otherwise, if the user is also a member of a Group, an earlier Group-based rule could prevent their individual email address rule from matching first.
Check and reset roles on every login
If this is unchecked, the rules are only applied when a new user is auto-created. If you check the box, the rules will be reapplied (e.g. if membership of Google Groups has changed), every time a user logs in using Google.
Note that rules will not be applied if a user logs in using regular WordPress username/password – but you can check the box towards the top of the Domain Control tab if you want to ensure they can’t login that way.
All role changes (or any problems fetching Google Group or OrgUnitPath information) will be listed in the Logs tab of the Google Apps Login -> Settings page.
Note that multisite installations have a couple of extra options on this page – explained here.
Please do not hesitate to get in touch with us if you have any questions at all about the plugin!