Google adds multi-domain support to Apps -- updated again (and still disappointed)
Earlier today I reported on Google's addition of multi-domain support to its Premiere and Education Apps. It turns out I was a bit hasty in concluding just what sorts of functionality this update added. Although it brings important improvements to document, contact, and calendar sharing among different domains an organization might have, it does little to address the problem of user privilege and service management that makes many organizations create multiple domains in the first place.
A few corrections and clarifications are below, denoted with italics and strikethroughs.
Updated at 1:56am, 24 June: A last-minute clarification from a Google spokesperson and a correction to the Google Help Center means there are more corrections and even more significant limitations to the update that had me so excited Wednesday. Oh well. New corrections are in bold italics below.
Google announced one of the most anticipated features promised for Google Apps: multi-domain support. This addresses a fundamental problem with Apps so far, both in the enterprise and in educational settings. Until now, if you wanted to implement different privileges for different groups of users, you needed to create and maintain completely separate domains for each group. Now, While you still need multiple domains to act as organization units, you can manage them centrally and they can share contacts and groups.
It seems straightforward, doesn't it? The idea that some people in your organization should have access to one set of features while another group should have access to a different set of features is pretty basic systems management. However, if you want to turn off Chat for one group, limit another to Docs only, and limit another to email only, all the while making sure that they can share documents and access common address books, well, you had better look at SharePoint and Exchange.
Until now. Unfortunately, half of the above statement remains true: administration of differentiated services and privileges by domain still must be done for each domain an organization owns and can't be done centrally. Bummer. In fact, for organizations looking to leverage this central control panel, individual domains CANNOT have varying services. They must remain separate. This is now reflected on the Google Help Site (see below). According to the Google Enterprise blog,
Multi-domain support is a new admin control that allows organizations with two or more domains on Google Apps to manage them from a single control panel. Users belonging to different domains within an organization keep their domain-specific email address but can see coworkers from other domains in the organization’s global address book. It’s also easy for users to share across domains in Google Docs, Sites and the rest of Google Apps.
Of course, if I ran the world, then Google Apps would allow for differentiated privileges among groups of users in a single domain. Maybe next week, right? The folks at Google made a handy Venn diagram to show how this works:
I'll write more about this as I explore it with my own domains, but for now, there are great help articles on making it work available here. I figured this was worth sharing sooner than later, since it truly was a key element to enterprise manageability that Apps had been lacking.
The problem, though, is that while this addresses inter-domain collaboration, it is fairly limited. In fact, Google posted a document called, not surprisingly, "Limitations for multiple domains." A few key limitations include:
You cannot set different policies or configuration settings for different domains. You can control which services are available to different groups of users (by turning services on or off for different organizational units), but all other settings in the Google Apps Control Panel apply equally to all domains that are part of your account.As of about 2:00 this morning, this statement now reads, "You cannot set different policies or configuration settings for different domains. All settings in the Google Apps administrator control panel apply equally to all domains that are part of your account." Well there goes that workaround.- Google Apps account merge is not supported. Some current Google Apps customers with multiple domains currently have separate Google Apps accounts for each domain. Google does not currently support merging multiple Google Apps accounts into a single multiple domain account.
- You cannot add additional domains to your account if you activate Postini Services through the Google Apps Control Panel. To use Postini Message Security for an account with multiple domains, you need to manage the Postini product separately.
- Sharing a document with a group does not work correctly when the group includes users from other domains. When you share a document with a group, Google Docs generates a link for accessing the document that is based on the group's domain. If the group includes users from other domains, the link will not work correctly for them.
Well, hey, it's still cheaper than SharePoint, Exchange, and Server 2008, right? I'll keep you posted on the evolution of management features in Apps. For now, though, when asked if there were any updates on intra-group differentiated privileges and services, Google spokesperson Kat Eller told me that there was "nothing to announce at this time." I kind of figured, but I had to ask.