Atlas project development

Google Group Expansion + 2SV Status Reporter

Turn nested group membership into a security-ready roster with 2SV status. It ingests a master group name, directory/group memberships, and each user's 2SV status, and produces a sheet-tab report of users with their 2SV status plus an expanded membership listing.

Type: Field Tool
Lifecycle: Active
Last touched: 2025-01-09
Visibility: Public
Why it's showcased

Turns nested group membership into actionable 2SV visibility for security and access reviews.

Purpose

Turn nested group membership into a security-ready roster with 2SV status.

Current state

Design is clear; scaling constraints are known and require resumable execution.

Next step

Add checkpointing so long runs can resume across executions.

Interfaces

Inputs
  • master group name
  • directory/group memberships
  • user 2SV status
Outputs
  • sheet tab report of users and 2SV status
  • expanded membership listing

Reality to Action trace

Reality Ingestion

Contributes in this stage.

Canonical Storage

Not in scope.

Automation Engines

Not in scope.

Human Interfaces

Contributes in this stage.

Operational Adoption

Contributes in this stage.

Core workflow

  1. Input master group name and start the run.
  2. Expand nested group membership recursively.
  3. Batch users to stay within Apps Script limits.
  4. Query user profiles and 2SV status.
  5. Write results to a report tab.
  6. Checkpoint progress for resume.
  7. Generate a summary count for compliance.

Data integrity and contracts

Canonical schema definitions

  • Report sheet schema (email, name, org unit, 2SV status, group path).
  • Config tab schema (group name, batch size).
  • Checkpoint state record (last index, timestamp).

Source of truth rules

  • Google Directory is canonical for membership and 2SV state.
  • Sheet is the reporting surface, not a system of record.

Data quality checks

  • Deduplicate users discovered via nested groups.
  • Validate total count against membership expansion.
  • Flag missing user profiles or API errors.
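The core workflow above (recursive expansion, batching, checkpointing, summary count) and the data quality checks in this section (dedup across nested groups, count validation, flagging missing profiles) as one added example. This is illustrative code, not the Atlas project's own script: the `DIRECTORY` and `TWO_SV` tables are constructed sample data standing in for Directory API calls (in Apps Script these would be `AdminDirectory.Members.list` and `AdminDirectory.Users.get`), and the function names `expandGroup`, `runBatch`, `summarize` and `generateReport` are hypothetical. It runs under plain Node so the logic can be checked offline; the checkpoint is held in memory here where the real tool would persist it to the checkpoint record between executions.

```javascript
// Constructed sample: group -> members (type USER or GROUP). Includes an
// overlapping path (ops reachable via eng and directly) and a cycle back to
// the master group, which a naive recursion would loop on forever.
const DIRECTORY = {
  'all-staff@example.com': [
    { email: 'eng@example.com', type: 'GROUP' },
    { email: 'ops@example.com', type: 'GROUP' },
    { email: 'ceo@example.com', type: 'USER' },
  ],
  'eng@example.com': [
    { email: 'alice@example.com', type: 'USER' },
    { email: 'bob@example.com', type: 'USER' },
    { email: 'ops@example.com', type: 'GROUP' },
  ],
  'ops@example.com': [
    { email: 'bob@example.com', type: 'USER' },        // bob is in eng and ops: must be deduplicated
    { email: 'carol@example.com', type: 'USER' },
    { email: 'all-staff@example.com', type: 'GROUP' }, // cycle
  ],
};

// Constructed sample: user -> 2SV enrolment; a missing key means no profile was found.
const TWO_SV = {
  'ceo@example.com': true,
  'alice@example.com': true,
  'bob@example.com': false,
  'carol@example.com': true,
};

// Stand-ins for the Directory API (hypothetical; replace with real calls in Apps Script).
const listMembers = (group) => DIRECTORY[group] || [];
const get2sv = (user) => TWO_SV[user];

// Step 2: expand nested membership recursively. Returns Map email -> group path of
// first discovery. visitedGroups guards against cycles; the Map deduplicates users.
function expandGroup(group, fetchMembers, path = [], users = new Map(), visitedGroups = new Set()) {
  if (visitedGroups.has(group)) return users;
  visitedGroups.add(group);
  const groupPath = [...path, group];
  for (const m of fetchMembers(group)) {
    if (m.type === 'GROUP') {
      expandGroup(m.email, fetchMembers, groupPath, users, visitedGroups);
    } else if (!users.has(m.email)) {
      users.set(m.email, groupPath.join(' > '));
    }
  }
  return users;
}

// Steps 3-6: look up one batch of users starting at checkpoint.lastIndex and return the
// rows plus an updated checkpoint, so a run cut off by the execution time limit resumes
// where it stopped. A missing profile is flagged rather than silently dropped.
function runBatch(userEntries, fetch2sv, checkpoint, batchSize) {
  const start = checkpoint.lastIndex;
  const end = Math.min(start + batchSize, userEntries.length);
  const rows = [];
  for (let i = start; i < end; i++) {
    const [email, groupPath] = userEntries[i];
    const status = fetch2sv(email);
    const twoSv = status === undefined ? 'ERROR: profile not found' : status ? 'ENROLLED' : 'NOT ENROLLED';
    rows.push({ email, groupPath, twoSv });
  }
  const nextCheckpoint = { lastIndex: end, timestamp: new Date().toISOString() };
  return { rows, checkpoint: nextCheckpoint, done: end >= userEntries.length };
}

// Step 7: compliance summary, plus the check that report rows equal the deduplicated
// expansion count (a mismatch means rows were lost or duplicated between batches).
function summarize(rows, expectedCount) {
  const counts = { total: rows.length, enrolled: 0, notEnrolled: 0, errors: 0 };
  for (const r of rows) {
    if (r.twoSv === 'ENROLLED') counts.enrolled++;
    else if (r.twoSv === 'NOT ENROLLED') counts.notEnrolled++;
    else counts.errors++;
  }
  counts.countMatches = rows.length === expectedCount;
  return counts;
}

// Whole run: expand once, then loop batches, carrying the checkpoint between them.
function generateReport(masterGroup, fetchMembers, fetch2sv, batchSize) {
  const users = expandGroup(masterGroup, fetchMembers);
  const entries = [...users.entries()];
  let checkpoint = { lastIndex: 0, timestamp: null }; // real tool: load from checkpoint record
  const rows = [];
  let result;
  do {
    result = runBatch(entries, fetch2sv, checkpoint, batchSize);
    rows.push(...result.rows);
    checkpoint = result.checkpoint; // real tool: persist before the time limit hits
  } while (!result.done);
  return { rows, summary: summarize(rows, users.size) };
}

console.log(JSON.stringify(generateReport('all-staff@example.com', listMembers, get2sv, 3), null, 2));
```

The group path recorded for each user is the path of first discovery, which is all the report schema needs; if the review requires every path a user is reachable by, `expandGroup` would accumulate an array per user instead of skipping already-seen emails.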

Safe handling

  • Restrict report sheet access to admins.
  • Avoid exporting PII beyond the sheet.
  • Use admin scopes only for the run.

Downstream integration map

  • Security and compliance reporting.
  • MFA enforcement and follow-up.

Operational notes

Reliability posture

Needs batching and resume support due to Apps Script time limits.

Observability

  • script logs
  • progress markers (recommended)

Security and privacy

PII present; restrict sheet access.

Dependencies

Upstream
  • Admin privileges
  • Google Workspace directory
Downstream
  • MFA/2SV enforcement workflows
  • security reporting

Ownership

Owners

Josh Barton

Users

IT admin, Josh Barton (owner)