Google Workspace

Overview

Google Workspace is a collection of cloud computing, productivity, and collaboration tools, software, and products developed by Google. It consists of Gmail, Contacts, Calendar, Meet, and Chat for communication; Currents for employee engagement; Drive for storage; and the Google Docs Editors suite for content creation.

Entitle can manage groups and admin roles in Google Workspace.

This page will provide you with instructions on how to integrate Entitle and Google Workspace.

General guidelines

Note: If you have already integrated Google Workspace as a Directory with Entitle using this guide, the steps on this page are identical to that setup.

👉🏼 To integrate your Google Workspace in Entitle, you will need to run the entitle_google_integrator setup that you downloaded and unzipped on the Google Integrations page, and configure a Domain-Wide Delegation.

Set up Google Workspace to work with Entitle

Stage 1: Run the setup script

The setup will consist of the following actions:

  • Create an Entitle service account in the chosen project
  • Enable the required API service for the integration
  • Generate a key for the service account and download it to your local machine

  1. Go to your GCP web console.
  2. At the top left corner, choose the project in which you want to create Entitle's service account.
  3. Click on the shell icon at the top right corner.
  4. Navigate to the path of the unzipped folder entitle_google_integrator, and run the following commands:
# For a basic configuration, create a service account in the current project and assign the role to it at the project level
bash run.sh -i workspace -k

# For more options use the -h flag
bash run.sh -h
  5. Download the created JSON file on setup completion. You will use it later in this guide.

Stage 2: Configure domain-wide delegation

Your service account needs domain-wide delegation on a specific set of scopes.

  1. Go to the Manage Domain-Wide Delegation page.
  2. Click Add new.
  3. In the Client ID field, enter the 21-digit number found under the client_id field of the key JSON file.
  4. In the OAuth scopes field, enter the following scopes:

    https://www.googleapis.com/auth/admin.directory.group,
    https://www.googleapis.com/auth/admin.directory.group.readonly,
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/admin.directory.user.readonly,

    // This scope is required to allow Entitle to receive webhooks on changes in your Workspace
    https://www.googleapis.com/auth/admin.reports.audit.readonly

    // These scopes are optional and used for managing admin roles:
    https://www.googleapis.com/auth/admin.directory.rolemanagement,
    https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

Note: You may enter only the .readonly scopes if you only wish to read the permissions. In that case, you will have to set "read_only": true in the Options field (discussed later in this guide).

  5. Click Authorize.

Creating the integration in Entitle

All that is left to do is to create an integration on the Entitle application.

  1. Log into Entitle and navigate to the Integrations page.
  2. After clicking the Add Integration button, type Google Workspace in the Application field.
  3. In the Connection drop-down, choose Explicit Service Account.
  4. Make sure the Save on setting is correct: your agent or Entitle's cloud.
  5. Under the service_account_key field, paste the downloaded key JSON of your service account.
  6. Under credential_subject, enter the email of an admin in your organization who has permission to view all users and groups in your organization.
  7. If the domain-wide delegation for managing groups was set as .readonly for this integration, add "read_only": true under the "options" field.
  8. If you wish to manage admin roles, set "include_admin_roles": true under the "options" field (make sure you authorized the rolemanagement scopes in Stage 2, step 4).

Example Connection JSON:

{
  "service_account_key": {
    // A dictionary from the downloaded JSON file
  },
  "credential_subject": "an email of an admin in your organization which has permission to view all users and groups",
  "options": {
    "read_only": false,
    "include_admin_roles": false
  }
}
  9. Click Save. You are done! 🎉
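As an added preflight check (not part of Entitle's tooling or this guide), the following Python script validates a connection JSON against the scopes that were authorized in Stage 2: it derives the minimal scope set from the "read_only" and "include_admin_roles" options, checks that the key is a service account key with a 21-digit client_id, and checks that credential_subject is an email address. The sample connection and the authorized scope list are constructed; the client_id is a placeholder.

```python
import json
import re

# Scopes from the domain-wide delegation step above, grouped by purpose.
RW_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.user",
]
RO_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
]
ROLE_RW = ["https://www.googleapis.com/auth/admin.directory.rolemanagement"]
ROLE_RO = ["https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly"]

def required_scopes(options):
    """Smallest scope set the delegation must carry for the given options."""
    read_only = options.get("read_only", False)
    scopes = RO_SCOPES + ([] if read_only else RW_SCOPES)
    if options.get("include_admin_roles", False):
        scopes = scopes + ROLE_RO + ([] if read_only else ROLE_RW)
    return sorted(scopes)

def preflight(connection_json, authorized_scopes):
    """Return a list of problems; an empty list means the connection is consistent."""
    conn = json.loads(connection_json)
    problems = []
    key = conn.get("service_account_key", {})
    if key.get("type") != "service_account":
        problems.append("service_account_key is not a service account key")
    if not re.fullmatch(r"\d{21}", str(key.get("client_id", ""))):
        problems.append("client_id is not the 21-digit number expected by delegation")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", conn.get("credential_subject", "")):
        problems.append("credential_subject is not an email address")
    missing = set(required_scopes(conn.get("options", {}))) - set(authorized_scopes)
    problems += [f"scope not authorized for this client_id: {s}" for s in sorted(missing)]
    return problems

# Constructed sample: a read-only connection whose delegation only lists the two
# read-only directory scopes, so the audit (webhook) scope is missing.
SAMPLE_CONNECTION = json.dumps({
    "service_account_key": {"type": "service_account", "client_id": "123456789012345678901"},
    "credential_subject": "admin@example.com",
    "options": {"read_only": True, "include_admin_roles": False},
})
SAMPLE_AUTHORIZED = RO_SCOPES[:2]

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CONNECTION, SAMPLE_AUTHORIZED):
        print(problem)
```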