Service On/Off Now for All Apps

Monday, October 10, 2011 | 12:01 PM


You may have already noticed, but the controls to enable and disable individual apps in Google Apps are now all in one place on the domain Control Panel under Organization & users > Services.



Domain administrators were already able to use this tab to enable and disable the Core Google Apps suite. Now they can do the same for apps they've acquired from the Google Apps Marketplace. This replaces the old link labeled "Disable {app name}" in the Dashboard > {app name} > "App status" page.

App and Gadget Visibility

This on/off switch controls app and gadget visibility. Users in suborganizations where a Marketplace App is ON will see that app in the universal navigation bar under "More", and will see the app’s contextual gadgets in Gmail. Users where the App is OFF will not see these links or gadgets.

Your customers still configure all apps through the Dashboard tab, but now the Control Panel Services tab unifies how they enable and disable every app.

New Scoping by Suborganization

The unified controls also share an important new scoping capability: now a domain administrator can select a suborganization and control which Marketplace Apps are visible to that organizational unit, just like the Core Google Apps suite!

In the example below, the administrator has overridden the domain settings for four Marketplace Apps to make three new tools visible to just the "Engineering" suborganization and to hide one application.


Visibility versus Authentication and Authorization

As developers, you should note that for any valid Google Apps domain user who goes directly to your website, OpenID/Single Sign On will always authenticate them if their domain has OpenID enabled. This includes users who are in suborganizations where your app is OFF. That means this visibility toggle feature is not a substitute for checking that the users accessing your app have a valid license.

Similarly, the on/off switch does not affect the OAuth scopes your app has been granted when the domain admin installed your app -- the admin only revokes those by explicitly revoking data access or by deleting your app. The control panel on/off switch is just a way for a domain administrator to control the visibility of apps and gadgets that would otherwise be site-wide.
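As an added illustration (not code from the original post or from Google), here is the kind of server-side check the paragraphs above call for: a user who authenticates through OpenID/SSO is still refused unless your own licensing records say they are entitled. The `LICENSES` table, its per-user seat model, and the `Identity` and `authorize` names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

# Constructed sample records. In a real app these come from your own
# licensing data; the shape (state + per-user seats) is an assumption.
LICENSES = {
    "example.com": {"state": "ACTIVE",
                    "seats": {"alice@example.com", "bob@example.com"}},
    "expired.example": {"state": "EXPIRED",
                        "seats": {"carol@expired.example"}},
}


@dataclass(frozen=True)
class Identity:
    """What the app knows after the OpenID/SSO step has completed."""
    email: str
    authenticated: bool


def authorize(identity, licenses=LICENSES):
    """Return (allowed, reason). Authentication alone never grants access.

    The Control Panel on/off switch is not an input here: it only hides
    links and gadgets, so a user in an OFF suborganization can still
    arrive with a valid SSO assertion.
    """
    if not identity.authenticated:
        return False, "not authenticated"
    email = identity.email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed identity"
    lic = licenses.get(domain)
    if lic is None:
        return False, "domain has no license"
    if lic["state"] != "ACTIVE":
        return False, "license not active"
    if email not in lic["seats"]:
        return False, "user not licensed"
    return True, "ok"


if __name__ == "__main__":
    # dave is a valid, authenticated domain user without a seat.
    for who in ("alice@example.com", "dave@example.com"):
        print(who, authorize(Identity(who, True)))
```

Run the check on every request that reaches protected data, not only at sign-in, so a license that lapses mid-session is noticed.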


Andy Rothfusz

Andy is a Developer Programs Engineer for Google Apps Marketplace. He has over 14 years of experience in developer programs covering a wide range of applications including 3D graphics acceleration, natural language processing, video games and video streaming.

9 comments:

Tom said...

Smoke and mirrors.

Ryan Boyd said...

@Tom-- can you elaborate a bit more on why you think this is smoke and mirrors?

Thanks!

Jan said...

Umm - this is a great UI improvement, but what does it actually *do*?

If the users from disabled orgunits are still coming across as fully authenticated and authorized, this just creates an illusion of administrative control, no?

Maybe you can clarify what the back-end impact is, because as-is, this isn't really clear.

Steven Bazyl said...

Think of this more as controlling the visibility of the app, with the main benefit being the ability to disable (hide) the UI extensions of apps for groups of users. This is particularly important for gmail gadgets and was a frequently requested feature by users.

For example, a lot of the CRM apps have gadgets that appear with *every* message in gmail. This is great for people in sales and support, but annoying for everyone else. Now admins can control the visibility of the extensions so only users who need the app will see it.

Steve Ireland (Norada) said...

> New Scoping by Sub-organization

As an Apps vendor with a comprehensive integration via Gmail gadget, SSO, etc., this feature offers MASSIVE value to us and our clients. A major constraint has been lifted allowing us to provide more features, automation and data context to those that really needed it.

Thanks heaps for making this happen.

David Hardwick said...

Are there any requirements to use this new feature? For example, does the application need to be using OAuth v2?

I asked because we have noted that this feature works for our OAuth v2 application but not our OAuth v1 application.

Thanks!

Ryan Boyd said...

@David - no, there are not requirements such as the version of OAuth your app uses. Please help us understand what's working and what's not by posting over here: http://code.google.com/googleapps/support/marketplace/

Ram said...

Is it possible to block access (i.e. revoke auth) by an app for some of our org's users but enable it for others? We have a few sales folks that want to use Insightly but I don't want everyone's account to be accessible.