Google Workspace
This connector exports and fulfills users and groups from/to a Google Workspace instance.
This page is about Directory/Google Workspace.
Overview
Google Workspace provides a set of software products developed by Google. The Google Workspace connector exports and fulfills users and groups from/to a Google Workspace instance. It exports user-group memberships too.
Prerequisites
Implementing this connector requires:
- reading first the appsettings documentation;
- a service account impersonating the following permission scopes: https://www.googleapis.com/auth/admin.directory.user and https://www.googleapis.com/auth/admin.directory.group.
See Google's documentation to create the service account with the right impersonation.
Caution: Google's documentation describes this procedure as optional, while the Google Workspace connector requires it.
Export
This connector extracts users, groups and user-group memberships from a Google Workspace instance, and writes the output to CSV files.
Configuration
This process is configured through a connection in the UI and/or the XML configuration, and in the appsettings.agent.json > Connections section:
appsettings.agent.json
{
  ...
  "Connections": {
    ...
    "<ConnectionIdentifier>": {
      ...
    }
  }
}
The identifier of the connection and thus the name of the subsection must:
- be unique.
- not begin with a digit.
- not contain <, >, :, ", /, \, |, ?, * and _.
For example:
appsettings.agent.json
{
  ...
  "Connections": {
    ...
    "GoogleExportFulfillment": {
      "CredentialsFilePath": "C:/identitymanagerDemo/GoogleCredentials.json",
      "User": "B29607@acme.internal",
      "PageSize": "100"
    }
  }
}
Setting attributes
Name | Details |
---|---|
CredentialsFilePath (required) | Type: String. Description: Path of Google Workspace's JSON credentials file. See Google's documentation to create these credentials. |
User (required) | Type: String. Description: Email address of the service account mentioned in the prerequisites section. |
PageSize (default value: 50) | Type: Int32. Description: Number of items, i.e. users and/or groups and/or memberships, retrievable from Google Workspace by each API call (from 1 to 500). |
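A pre-deployment check for the identifier rules and setting attributes above, as an added example that is not part of the product or its documentation. It assumes every entry under Connections is a Google Workspace connection; the function names and the sample settings are constructed for illustration.

```python
import json

FORBIDDEN = set('<>:"/\\|?*_')               # characters the identifier must not contain
REQUIRED = ("CredentialsFilePath", "User")   # attributes marked "required" in the table

class DuplicateKey(ValueError):
    pass

def _no_duplicates(pairs):
    # json.loads silently keeps the last of two identical keys; reject them instead.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKey(key)
        seen[key] = value
    return seen

def check_connections(text):
    """Return the list of problems found in the Connections section (hypothetical helper)."""
    try:
        settings = json.loads(text, object_pairs_hook=_no_duplicates)
    except DuplicateKey as exc:
        return [f"duplicate key: {exc}"]
    problems = []
    for ident, conn in settings.get("Connections", {}).items():
        if ident[:1].isdigit():
            problems.append(f"{ident}: identifier begins with a digit")
        bad = sorted(FORBIDDEN & set(ident))
        if bad:
            problems.append(f"{ident}: forbidden characters {''.join(bad)}")
        for name in REQUIRED:
            if not conn.get(name):
                problems.append(f"{ident}: {name} is required")
        size = str(conn.get("PageSize", "50"))   # 50 is the documented default
        if not (size.isdecimal() and 1 <= int(size) <= 500):
            problems.append(f"{ident}: PageSize must be between 1 and 500")
    return problems

# Constructed sample: the page's example connection plus a deliberately invalid one.
SAMPLE = """{"Connections": {
  "GoogleExportFulfillment": {
    "CredentialsFilePath": "C:/identitymanagerDemo/GoogleCredentials.json",
    "User": "B29607@acme.internal", "PageSize": "100"},
  "2nd_Google": {"User": "B29607@acme.internal", "PageSize": "900"}}}"""

if __name__ == "__main__":
    print("\n".join(check_connections(SAMPLE)) or "no problems found")
```

The duplicate-key hook matters for the uniqueness rule: a standard JSON load would accept two connections with the same identifier and keep only the last one.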
Output details
This connector is meant to generate the following CSV files in the ExportOutput folder:
- GoogleExportFulfillment_Users.csv and GoogleExportFulfillment_Groups.csv, whose headers come from the entity type mapping's ConnectionColumn and from the entity association mappings' columns which are not members columns;
- GoogleExportFulfillment_Members.csv with the following columns:
  - value: ID of the group;
  - MemberId: ID of the group member.
If the connection column describes a sub-property, then the name should have the following pattern: {property}:{sub-property}. The character ":" should not be used in other situations.
For example:
<EntityType Identifier="GOOGLE_Entry" DisplayName_L1="GOOGLE - Entry" DisplayName_L2="GOOGLE - Entrée">
  <Property Identifier="AgreedToTerms" DisplayName_L1="AgreedToTerms" Type="String" />
  <Property Identifier="FamilyName" DisplayName_L1="FamilyName" Type="String" />
</EntityType>
<EntityTypeMapping Identifier="GOOGLE_Entry" Connector="GOOGLE" ConnectionTable="GOOGLE_Users">
  <Property Identifier="AgreedToTerms" ConnectionColumn="AgreedToTerms" />
  <Property Identifier="FamilyName" ConnectionColumn="Name:FamilyName" />
</EntityTypeMapping>
Note that we have here AgreedToTerms which is a single property, and FamilyName which is a sub-property of Name, hence the name Name:FamilyName as the ConnectionColumn.
Fulfill
This connector can write to Google Workspace to create, update, and/or delete users and user-group memberships.
Configuration
Same as for export, fulfill is configured through connections.
For example:
appsettings.agent.json
{
  ...
  "Connections": {
    ...
    "GoogleExportFulfillment": {
      "CredentialsFilePath": "C:/identitymanagerDemo/GoogleCredentials.json",
      "User": "B29607@acme.internal"
    }
  }
}
Setting attributes
Name | Details |
---|---|
CredentialsFilePath (required) | Type: String. Description: Path of Google Workspace's JSON credentials file. See Google's documentation to create these credentials. |
User (required) | Type: String. Description: Email address of the service account mentioned in the prerequisites section. |
Authentication
Password reset
This connector does not reset passwords.
Credential protection
This connector has no credential attributes, and therefore does not use RSA encryption, nor a CyberArk Vault.
Still, data protection can be ensured through an Azure Key Vault safe.
Google Workspace
Manages Google Workspace entities.
Package Characteristics | Value |
---|---|
Display Name | Directory/Google Workspace |
Identifier | Usercube.GoogleWorkspace@0000001 |
Export | Usercube-Export-GoogleWorkspace.dll |
Fulfill | Usercube-Fulfill-GoogleWorkspace.dll |
Has Incremental Mode | False |
Publisher | Usercube |