Create membership expiration in Google Groups for Google Workspace

Stéphane Giron
Mar 15, 2021


Google has made many changes to Google Groups management over the last few months and weeks, and is finally bringing membership expiration to Groups.

This capability is not available in all Google Workspace editions: it is part of the Enterprise SKU, and it is also available in the Cloud Identity Premium (CIP) SKU. The CIP license is particularly interesting because you can add it to any Workspace license, and it adds advanced device and user management capabilities.

How does membership expiration work for Google Groups?

It is really simple: the user is removed from the group once the expiration time has passed :-)

This is useful for adding automation to your Google Groups management. Some use cases:

  • You want to manage public sharing of Drive files through groups, for a limited period of time.
  • You want to remove an intern from a group after a few months.
  • You want to provide temporary access to a GCP project for troubleshooting.

How to set an expiration?

You will need some helper functions from the GitHub repo.

For now you can’t do this from the Workspace Admin Console; you need to set the expiration through the API, so Apps Script to the rescue. See the Cloud Identity API Documentation; here is the Apps Script code:

function setUserMembershipWithExpiration() {
  // The group must already exist before a membership can be added to it.
  const email_group = 'GROUP_EMAIL';
  const email_user = 'USER_EMAIL';
  const day_expiration = 2;
  const now = new Date();
  const expiration = new Date(now.getTime() + (day_expiration * 24 * 60 * 60 * 1000));

  // getGoogleGroups() is not defined here; see the helper functions in the GitHub repo.
  const group = getGoogleGroups(email_group);
  const url = 'https://cloudidentity.googleapis.com/v1beta1/' + group.name + '/memberships';
  console.log(url);

  // Membership whose MEMBER role expires at the computed time (UTC).
  const membership = {
    "preferredMemberKey": {
      "id": email_user
    },
    "roles": [
      {
        "expiryDetail": {
          "expireTime": Utilities.formatDate(expiration, "GMT", "yyyy-MM-dd'T'HH:mm:ss'Z'")
        },
        "name": "MEMBER"
      }
    ]
  };

  const param = {
    method: "POST",
    contentType: "application/json",
    headers: {"Authorization": "Bearer " + ScriptApp.getOAuthToken()},
    payload: JSON.stringify(membership),
    // muteHttpExceptions: true,
  };

  // The response gets its own name instead of redeclaring "group".
  const response = JSON.parse(UrlFetchApp.fetch(url, param).getContentText());
  Logger.log(JSON.stringify(response));
}

Customize the “const expiration” value to set the appropriate time; in this code the expiration is expressed in days.

Check user expiration

As mentioned above, this information is not visible in the Admin Console, so you need to check it with code:

function viewUserExpiration() {
  const email_group = 'GROUP_EMAIL';
  const email_user = 'USER_EMAIL';
  // getGroupName() is not defined here; see the helper functions in the GitHub repo.
  const url = 'https://cloudidentity.googleapis.com/v1beta1/' + getGroupName(email_group) + '/memberships';
  const param = {
    method: "get",
    headers: {"Authorization": "Bearer " + ScriptApp.getOAuthToken()},
    // muteHttpExceptions: true,
  };

  // Page through the memberships until the user's membership name is found.
  var membership;
  var pageToken;
  do {
    // Send the page token, otherwise the first page is fetched again on every pass.
    var pageUrl = pageToken ? url + '?pageToken=' + encodeURIComponent(pageToken) : url;
    var page = JSON.parse(UrlFetchApp.fetch(pageUrl, param).getContentText());
    if (page.memberships && page.memberships.length > 0) {
      for (var i = 0; i < page.memberships.length; i++) {
        var user = page.memberships[i];
        console.log(user);
        if (user.preferredMemberKey.id == email_user) {
          membership = user.name;
          break;
        }
      }
    }
    pageToken = page.nextPageToken;
  } while (pageToken && !membership);

  // Without a match there is no membership name to query.
  if (!membership) {
    console.log('User not found in the group.');
    return;
  }

  const url2 = 'https://cloudidentity.googleapis.com/v1beta1/' + membership;
  const param2 = {
    method: "GET",
    contentType: "application/json",
    headers: {"Authorization": "Bearer " + ScriptApp.getOAuthToken()},
    muteHttpExceptions: true,
  };
  const rep = UrlFetchApp.fetch(url2, param2);
  if (rep.getResponseCode() == 200) {
    const user = JSON.parse(rep.getContentText());
    console.log(JSON.stringify(user));
    // A role without an expiration has no expiryDetail, so look for one that does.
    const role = (user.roles || []).find(function (r) { return r.expiryDetail; });
    console.log('Expiration : ' + (role ? role.expiryDetail.expireTime : 'none set'));
  } else {
    console.log('User no longer in the group.');
    console.log('Error : ' + rep.getResponseCode());
    console.log('Details : ' + rep.getContentText().split('title')[1]);
    // console.log('Full details : ' + rep.getContentText())
  }
}
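
As an added example (not from the original article or its GitHub repo), the functions below audit a list of membership objects and group members by the state of their MEMBER-role expiration, so permanent or overly long grants stand out. They assume each object has the shape returned by the per-membership request above; the function names, the 7-day and 90-day thresholds and the sample addresses are assumptions constructed for illustration.

```javascript
// Added example: plain JavaScript with no Apps Script services, so it can be
// pasted into an Apps Script project or run in Node. Names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// Classify one membership object by the expiry of its MEMBER role.
function classifyMembership(membership, now, warnDays, maxDays) {
  const roles = membership.roles || [];
  const member = roles.find(r => r.name === 'MEMBER');
  const expireTime = member && member.expiryDetail && member.expiryDetail.expireTime;
  if (!expireTime) return 'permanent';           // never removed automatically
  const expires = Date.parse(expireTime);
  if (Number.isNaN(expires)) return 'invalid';   // unparseable timestamp
  const daysLeft = (expires - now.getTime()) / DAY_MS;
  if (daysLeft <= 0) return 'overdue';           // past expiry but still listed
  if (daysLeft <= warnDays) return 'expiringSoon';
  if (daysLeft > maxDays) return 'tooLong';      // longer than the policy window
  return 'ok';
}

// Group member addresses by state for review.
function auditMemberships(memberships, now, warnDays, maxDays) {
  const report = { permanent: [], invalid: [], overdue: [],
                   expiringSoon: [], tooLong: [], ok: [] };
  for (const m of memberships) {
    const id = (m.preferredMemberKey && m.preferredMemberKey.id) || '(unknown)';
    report[classifyMembership(m, now, warnDays, maxDays)].push(id);
  }
  return report;
}

// Constructed sample data, not real accounts.
const SAMPLE_NOW = new Date('2021-03-15T00:00:00Z');
const SAMPLE_MEMBERSHIPS = [
  { preferredMemberKey: { id: 'intern@example.com' },
    roles: [{ name: 'MEMBER', expiryDetail: { expireTime: '2021-03-17T00:00:00Z' } }] },
  { preferredMemberKey: { id: 'contractor@example.com' },
    roles: [{ name: 'MEMBER', expiryDetail: { expireTime: '2022-03-15T00:00:00Z' } }] },
  { preferredMemberKey: { id: 'admin@example.com' },
    roles: [{ name: 'OWNER' }, { name: 'MEMBER' }] },
  { preferredMemberKey: { id: 'support@example.com' },
    roles: [{ name: 'MEMBER', expiryDetail: { expireTime: '2021-04-01T00:00:00Z' } }] },
];

console.log(JSON.stringify(auditMemberships(SAMPLE_MEMBERSHIPS, SAMPLE_NOW, 7, 90), null, 2));
```
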

Conclusion

Membership expiration brings new capabilities to Google Groups. Together with security groups and dynamic groups, Google Workspace administrators have more features for automating Google Groups management.

To run the code, it is best to copy and paste all of the code from GitHub: code link.
