# 63 Travel-mode accounts

> v0.1.3 · role: Prevent · [policy: #25 · #14, #30](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

For a border crossing or a trip into a hostile jurisdiction, the traveller carries a sanitised identity: a travel account or travel OU with no admin roles, no Vault, no sensitive shared drives, a geo-restricted access policy and a short session. Access is granted by group, so moving the person between groups is the whole switch. The primary identity is suspended for the duration where the trip allows it, and its sessions and tokens are revoked on return before membership is restored.

## Caveats

- Suspension does not kill live sessions or issued OAuth tokens — revoke them explicitly, or the 'suspended' account keeps working.
- The runbook must be executable by someone other than the traveller — they may be detained, offline or coerced at the border.

## Setup steps

1. Pre-create a travel identity (or a travel OU — organizational unit) whose access is a strict subset: no Vault, no admin, no sensitive shared drives.

   Travel OU: Context-Aware Access geo policy (Enterprise Standard+, Education Standard+, Frontline Standard+, Enterprise Essentials Plus and Cloud Identity Premium; silently ignored on other editions) + short session length + no admin roles

   docs: [Protect your business with Context-Aware Access](https://knowledge.workspace.google.com/admin/security/protect-your-business-with-context-aware-access) · [Set session length for Google services](https://knowledge.workspace.google.com/admin/security/set-session-length-for-google-services)

2. On departure, swap the traveller out of the sensitive groups and into the travel group — access is by group, so the swap is the whole control. — `Directory › Groups`

   ```
   gam update group sensitive-team remove member user@…
   gam update group travel add member user@…
   ```

   docs: [Add or invite users to a group](https://knowledge.workspace.google.com/admin/groups/add-or-invite-users-to-a-group) · [Remove or ban users from a group](https://knowledge.workspace.google.com/admin/groups/remove-or-ban-users-from-a-group)

3. Suspend the primary identity for the duration if the traveller does not need it, and restore on return. — `Directory › Users`

   ```
   gam update user user@… suspended on|off
   ```

   docs: [Suspend a user temporarily](https://knowledge.workspace.google.com/admin/users/suspend-a-user-temporarily) · [Restore a suspended user](https://knowledge.workspace.google.com/admin/users/restore-a-suspended-user)

4. On return, force re-auth and revoke all existing sessions/tokens before restoring group membership.

   ```
   gam user user@… signout
   gam user user@… deprovision   # revokes tokens, app passwords and backup codes
   ```

   docs: [Sign a user out of a managed Google Account](https://knowledge.workspace.google.com/admin/devices/sign-a-user-out-of-a-managed-google-account)

## Ongoing maintenance

- **[automatable: script]** Per trip: provision the travel account before departure and destroy/rotate it on return.
- **[requires a human]** Per trip: brief the traveller and confirm the primary account lock.

## How to verify

1. Before a trip: confirm the travel account holds only the trip’s data, sits in the travel OU with its tighter CAA level, and the traveller’s primary account is suspended or locked for the duration.

## Settings screens

- Directory > Users (suspend / restore the travelling identity)
  - console: https://admin.google.com/ac/users
  - screenshot: ../screenshots/admin.google.com/ac/users.png
- Directory > Groups (swap the travel identity's group membership)
  - console: https://admin.google.com/ac/groups
  - screenshot: ../screenshots/admin.google.com/ac/groups.png
