I work at a fairly large company (65k+ users) which has massively adopted Google G Suite and I work with the G Suite admin team to architect our environment. One of the things I'm struggling with is how Google manages the organizational structure in its identity tools.
From what I understand, Google features are enabled/disabled purely on an OU-basis, and a user cannot belong to more than one OU. So if we need to selectively manage some features for certain subsets of users, we end up having to essentially duplicate our entire OU structure to account for people who should have this new feature, and those that shouldn't.
This has made our OU structure prohibitively large, and we're actually contemplating creating an entirely separate account structure (or even structures plural) in a new domain to manage backend services (typically from GCP) that only a few users should have access to (e.g., Adwords) because there doesn't seem to be any reasonable way to do this in our existing hierarchy.
Is there an official Google solution to support managing feature activation on a large user base where each feature may have distinct user populations?
Best Answer
You are right.
Note: Some services like AdWords now have ways to collaborate with others, but this allows collaboration on certain assets not allow/disallow access to a Google service.
AFAIK there isn't an out-of-the-box solution, but the Directory API includes features to manage organizational units -> Directory API: Organizational Units
References