Google Cloud Directory Group Names
For Google Cloud Directory, PaperCut NG/MF distinguishes between qualified and unqualified group names. The term “unqualified” refers to the plain group name itself, while “qualified” group names also include the domain name:
When synchronizing users, PaperCut NG/MF imports and stores groups with their unqualified name. If a group with the same name exists in more than one domain, this can cause name clashes. Group members from all domains would be imported into only one group in PaperCut NG/MF. Permissions granted to such a group subsequently apply to users from all domains.
To allow more fine-grained control, PaperCut NG/MF uses qualified group names for user sources, which meet all of the following criteria:
The user source is a Google Cloud Directory.
Users are imported from more than one domain.
Qualified usernames are enabled (that is, the email address is used as the username).
PaperCut NG/MF continues to use unqualified group names for all user sources that don’t meet all of these prerequisites.
A common scenario is to start synchronizing users from a single domain and add more domains later on.
When synchronizing only one domain, groups are created with their unqualified name. These groups might be granted access to accounts and scan actions. When adding more domains later on, groups would be created with qualified names instead. All members would be moved over to the new groups and lose the permissions along the way.
To prevent this from happening, PaperCut NG/MF converts groups when transitioning from single- to multi-domain:
If a group also exists in the other user source, it is split. For example, if the group is
employees, a new group named
firstname.lastname@example.org created. This new group carries over all permissions of the original
employeesgroup. During the next synchronization, members from the multi-domain user source are moved from
If only one user source is used, or if a group doesn’t exist in (or isn’t synchronized from) the other user source, then the group is simply renamed (for example,
email@example.com). All group members and permissions are preserved.
The conversion is performed only once, when switching from single- to multi-domain. If domains are removed later on, the user source will continue to use qualified group names (even if it’s single-domain again). This is necessary because a reverse conversion would require groups to be merged and might lead to some group members inadvertently losing or gaining permissions along the way.
PaperCut NG/MF requires the groups to be converted when adding more domains to a previously single-domain Google Cloud Directory. When adding domains and when trying to save the changes, a warning will be displayed:
Click Convert groups. PaperCut NG/MF saves the changes after the conversion has been performed. A pop-up window is displayed, showing the progress:
After the conversion has been completed, go back to Options > User/Group Sync and add the additional domain(s).