# 39 Directory minimization for targeted staff

> v0.0.3 · role: Prevent · edition: All (edition gate unverified) · [policy: #15 · #30 (gap G5)](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

The Workspace directory is an enumeration surface: any account inside the tenant, including a compromised one, can list users, aliases and extended profile fields, and Gmail will autocomplete them. This control narrows what is published (primary address only), narrows who is discoverable (a custom directory rather than the whole tenant), and hides named high-risk individuals, decoy accounts and the vault account from the directory entirely.

Documentation: [Overview: Set up and manage the Directory](https://knowledge.workspace.google.com/admin/users/overview-set-up-and-manage-the-directory)

## Caveats

- Hiding a user from the directory does not hide them from Vault, audit logs or group membership listings — and a group they belong to can still expose them.
- Propagation takes up to 24 hours, and Gmail autocomplete caches on the client for longer — a name that still appears is not proof the setting failed.
- Custom directories may not be available on every edition — if the option is absent on your tenant, fall back to per-user Directory sharing = Off.

## Setup steps

1. Decide what profile data is published to the Directory at all. For a targeted-staff threat model, stop sharing domain/alias addresses and extended profile fields. — `Directory › Directory settings › Sharing settings › Contact sharing`

   - **Contact sharing** = ON only for primary address
   - **alias + domain addresses** = not shared

   docs: [Turn Directory on or off](https://knowledge.workspace.google.com/admin/users/turn-directory-on-or-off)

2. Restrict who is discoverable. 'Users in a custom directory' scopes visibility to a group rather than the whole tenant. — `Directory › Directory settings › Visibility settings`

   - **Directory visibility** = Users in a custom directory (or No users for the highest-risk OU)

   docs: [Control who users can find in the Directory](https://knowledge.workspace.google.com/admin/users/control-who-users-can-find-in-the-directory) · [Customize a directory for a team or group](https://knowledge.workspace.google.com/admin/users/customize-a-directory-for-a-team-or-group)

3. Signed in as a super administrator, turn off Directory sharing on each named high-risk individual's user record so they do not autocomplete for other tenant members. — `Directory › Users`

   - **Directory sharing** = Off (hidden from the Directory)

   docs: [Hide a user from the Directory](https://knowledge.workspace.google.com/admin/users/hide-a-user-from-the-directory)

## Ongoing maintenance

- **[requires a human]** On role changes: keep the protected-person set current.

## How to verify

1. As an ordinary test user, search the directory for a protected person — the entry should be hidden or reduced. Tests the real exposure with the least possible access.

## Settings screens

- Directory > Directory settings (Sharing settings / Visibility settings)
  - console: https://admin.google.com/ac/managedsettings/986128716205
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/986128716205.png
- Directory > Users > [user] > User information > Directory sharing (hide the individual)
  - console: https://admin.google.com/ac/users
  - screenshot: ../screenshots/admin.google.com/ac/users.png
