This page is synchronized from doc/G-Suite.md. Last modified on 2025-12-09 00:30 CET by Trase Admin. Please view or edit the original file there; changes should be reflected here after a midnight build (CET time), or after manually triggering a build with a GitHub action (link).

Trase G-Suite

Trase has a G-Suite account under the @trase.earth domain. This account is used for various things across Trase.

Billing

The account has an NGO discount applied to it. Ian Caldwell (ian.caldwell@sei.org) handles the invoices. He has his own user account and is assigned as the billing manager.

Email

We have disabled Gmail for (almost) all users. Instead, emails are handled using default routing rules. Doing this has two benefits:

  • Emails are always forwarded to the user's @sei or @globalcanopy address: users do not have the burden of a separate @trase.earth email inbox that they have to monitor.
  • We do not necessarily need to create a fully-fledged G-Suite user for everybody who needs an email address. This saves us money! Routing rules are free but user accounts cost a little.

However, it also has the drawback that users are not able to send emails from their @trase.earth accounts. This so far has not been a requirement, so the tradeoff is worth it.

User Accounts and Organizational Units

There is a fairly simple setup of "organizational units", which are used to apply policies across the organisation. Lower units inherit from higher ones:

Organizational Unit    Notes
trase.earth            Parent organizational unit
    ↳ No Gmail         Members of this unit have Gmail disabled. See Email for more information.

By default all members should be part of the "No Gmail" child unit.

Adding a new user

Step 1: email alias

This is important to ensure that emails to job.bloggs@trase.earth go to the user's actual email address, since we do not maintain separate inboxes for @trase.earth emails.

  1. Navigate to Admin Console > Apps > Google Workspace > Gmail > Default Routing.
  2. Click "Add another rule".
  3. In the modal provide the following:
    • Under "1. Specify envelope recipients to match"
      • Leave as "Single recipient"
      • Under "Email address" enter name.surname@trase.earth
    • Under "2. If the envelope recipient matches the above, do the following"
      • Leave as "Modify message"
      • Under "Envelope recipient"
        • tick "Change envelope recipient"
          • Under "Replace recipient" enter original email (jon.doe@sei.org, s.doe@globalcanopy.org, etc.)
      • Under "Spam"
        • tick "Bypass spam filter for this message"
    • Under "3. Options"
      • tick "Perform this action on non-recognized and recognized addresses". This ensures that even if a user account for this email address exists, the routing rule will still be applied.
  4. Send a test email to name.surname@trase.earth. Contact the user and ask them to confirm that the email arrived in their usual inbox.

Step 2 (optional): user account

This is only required if the user requires access to a Google service, such as OAuth2 (for Metabase, etc.). If that is not the case there is no need to create a user account: not doing so will save us money.

  1. Go to Users > Add new user.
  2. Fill in all fields, using the convention firstname.lastname@trase.earth for the email.
  3. Expand "Manage user's password, organizational unit, and profile photo" and set the organisational unit to "No Gmail".
  4. Complete the wizard and send out the email to the user.
  5. Contact the user and ask them to (a) confirm that they can sign in to their account and (b) complete the enrollment to 2FA. They will only have one week (configurable here) to enroll in 2FA; if they don't do this, they will be locked out.
  6. Set up an email alias for them (see Email).
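
The steps above can be checked after the fact with a small audit over an export of user accounts. The following is an added example, not part of the original page or the Trase code base. It assumes the export uses the Admin SDK Directory API user fields (primaryEmail, orgUnitPath, isEnrolledIn2Sv, suspended, creationTime) and that the "No Gmail" unit has the path "/No Gmail"; the sample accounts are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

EXPECTED_OU = "/No Gmail"   # assumed Directory API path of the "No Gmail" unit
ADDRESS_RE = re.compile(r"^[a-z]+(-[a-z]+)*\.[a-z]+(-[a-z]+)*@trase\.earth$")
GRACE = timedelta(days=7)   # 2FA enrollment window stated on this page

# Constructed sample in the shape of Admin SDK Directory API user resources.
SAMPLE_USERS = json.loads("""[
 {"primaryEmail": "ana.silva@trase.earth", "orgUnitPath": "/No Gmail",
  "isEnrolledIn2Sv": true, "suspended": false, "creationTime": "2025-01-10T09:00:00.000Z"},
 {"primaryEmail": "ben.okoro@trase.earth", "orgUnitPath": "/",
  "isEnrolledIn2Sv": true, "suspended": false, "creationTime": "2025-02-01T09:00:00.000Z"},
 {"primaryEmail": "cleo.marsh@trase.earth", "orgUnitPath": "/No Gmail",
  "isEnrolledIn2Sv": false, "suspended": false, "creationTime": "2025-11-01T09:00:00.000Z"},
 {"primaryEmail": "dlee@trase.earth", "orgUnitPath": "/No Gmail",
  "isEnrolledIn2Sv": false, "suspended": false, "creationTime": "2025-12-06T09:00:00.000Z"}
]""")


def audit_users(users, now):
    """Return {email: [findings]} for accounts that deviate from the setup steps."""
    report = {}
    for user in users:
        if user.get("suspended"):
            continue  # suspended accounts cannot sign in; skip them
        email = user["primaryEmail"].lower()
        findings = []
        if not ADDRESS_RE.match(email):
            findings.append("address does not follow firstname.lastname@trase.earth")
        if user.get("orgUnitPath") != EXPECTED_OU:
            findings.append("not in 'No Gmail' unit; confirm this is an intended exception")
        if not user.get("isEnrolledIn2Sv", False):
            created = datetime.fromisoformat(user["creationTime"].replace("Z", "+00:00"))
            if now - created > GRACE:
                findings.append("2FA not enrolled and enrollment window has passed")
            else:
                findings.append("2FA not enrolled yet, still inside enrollment window")
        if findings:
            report[email] = findings
    return report


if __name__ == "__main__":
    now = datetime(2025, 12, 9, tzinfo=timezone.utc)  # constructed "today"
    for email, findings in audit_users(SAMPLE_USERS, now).items():
        for finding in findings:
            print(f"{email}: {finding}")
```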

Google Cloud, OAuth2

We use some aspects of Google Cloud:

Shared inboxes (info@, media@, etc.)

The G-Suite equivalent of a "shared" inbox is to use Google Groups. We use Google groups for email addresses such as info@trase.earth and media@trase.earth. The key configuration settings which enable this are as follows:

  • Enable additional Google Groups features > No additional features
  • Allow external members > ON and Who can post > Anyone on the web to ensure that anybody in the world is able to send an email to the group
  • Who can view conversations > Entire organisation to ensure that anybody in Trase is able to view the emails
  • Allow Email Posting > Allow email posting to ensure that anybody in the world can simply send an email to the address