Documentation

Google Workspace Directory

Suggest Edits

Overview

Google Workspace is a collection of cloud computing, productivity, and collaboration tools, software, and products developed by Google. It consists of Gmail, Contacts, Calendar, Meet, and Chat for communication; Currents for employee engagement; Drive for storage; and the Google Docs Editors suite for content creation.

Entitle populates the following resource types in the Google Workspace Directory connections:

  • Groups
  • Users
  • Managers (optional)

This page will provide you with instructions on how to integrate Entitle and Google Workspace as a Directory.

General guidelines

Note: In case you have already integrated the Google Workspace application with Entitle using this guide, the steps on this page are identical to it.

To integrate your Google Workspace in Entitle, you will need to run the entitle_google_integrator set up you have downloaded and unzipped on the Google Integrations page, and configure a Domain-Wide Delegation.

Set up Google Workspace to work with Entitle

Stage 1: Run the setup script

The setup will consist of the following actions:

  • Create an Entitle service account in the chosen project
  • Enable the required API service for the integration:
  • Generate a key for the service account and download it to your local machine
  1. Go to your GCP web console.
  2. Choose the project that you chose to create Entitle's service account at the top left corner.
  3. Click on the shell icon at the top right corner.
  1. Navigate to the path of the unzipped folder entitle_google_integrator, and run the following commands:
# For a basic configuration, create a service account in the current project and assign the role to it at the project-level
bash run.sh -i workspace -k

# For more options use the -h flag
bash run.sh -h
  1. Download the created JSON file on setup completion, you will use it later in this guide.

Stage 2: Configure Domain-wide delegation

Your service account needs to have domain-wide delegation on a certain scope.

  1. Go to the Manage Domain-Wide Delegation page.
  2. Click Add new.

  1. In the Client ID field, enter the 21-digit number obtained from the key JSON file under the client_id field.

  2. In the OAuth scopes field, enter the following scopes.

    https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.group.readonly, 
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.readonly,

// This scope is required to allow Entitle to get webhooks on changes in your Workspace
https://www.googleapis.com/auth/admin.reports.audit.readonly

// These scopes are optional and used for managing admin roles:
https://www.googleapis.com/auth/admin.directory.rolemanagement,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

Note: You may enter only the .readonly scopes if you only wish to read the permissions. In that case, you will have to set "read_only": true in the Options field (will be discussed later on in this guide).

  1. Click Authorize.

Connect your IDP in Entitle

All that is left to do is connect your IDP to the Entitle application.

  1. Log into Entitle and navigate to the Org Settings page.
  2. Under the Connect To section, navigate to the Google option, and click Connect.
  1. In the pop-up window Configure Google, fill in the required details:
  • Display Name of your choice.
  • In the Connection JSON template below, paste the service account key details from the JSON file you have downloaded in stage 1 of this guide.
  • Credential Subject - Enter an email of an admin in your organization who has permission to view all users and groups in your organization.
  • If you wish to add managers’ approval as a part of the approval process of Access Requests or to select managers as the User Access Review reviewers - check the Use as direct manager source checkbox.
  • Finally, don’t forget to set the Save on field with your configuration, i.e. your own hosted agent or Entitle’s cloud. Click Save, you are done!🎉

Test your IdP connection

  1. After being redirected to the Org Settings page, you should be able to see that the Google Directory is now Connected.

  1. Within a few minutes, refresh your browser page and go to the Workflows tab. Then, click on New Workflow. You should now be able to see all the groups are fetched, and you are done!

Updated about 1 month ago