Additional Configuration Parameters

Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

You can add the following attributes to your source XML by using the REST APIs:

In the body of the POST, use the form-data as follows:

  • Key – attribute name

  • Value – attribute value

  • The connector supports aggregation statistics logging, which is enabled by default in cases where the log level is set to Debug.

    Aggregation statistics logging can be disabled by adding the disableStatistics attribute to the source XML using the REST APIs:

    In the body of the POST, use the form-data as follows:

    • Key – disableStatistics

    • Value – true

  • Configure the following attributes to transfer data of Google Applications before account deletion by updating the source XML using the REST APIs:

  • The connector supports a configurable page size for Group and Role by adding the following entries in the source XML using the REST APIs:

  • The connector supports account type configuration using the accountTypes attribute, which creates a list of the account types you want to manage. If provided, Account Aggregation aggregates according to the configured list. By default, the connector aggregates all three account types (users, serviceAccount, and domain).

  • fetchCustomIamRolesOnly – Boolean/String. Fetches only custom roles during aggregation, when set as true. It skips all predefined roles.

  • aggregateGARolesOnly – Boolean/String. Fetches only generally available (GA) roles during aggregation when set to true. It skips roles in other stages, such as alpha and beta.

  • iamRoleView – String. Possible values are FULL or BASIC. FULL is the default value, which brings all permissions along with roles during aggregation. When set to BASIC, it skips the includedPermission attribute.

  • iamRolePageSize – Page size for the role API. The default is 300. The maximum is 1,000.

  • serviceAccountPageSize – Page size for the Service Account API. If not provided, the default is 100. The maximum is 500.

  • assetSearchPageSize – Page size for the Cloud Asset API. If not provided, the default is 500. The maximum is 500.

  • Delta aggregation:

    • Only supported for the User account type. It is the same as the existing delta aggregation in the connector. The Service Account and Domain account types do not support delta aggregation and therefore full aggregation is performed.

    • The connector retrieves accounts and groups on the basis of Activity Events.
      The following table lists the default events considered by the Google Workspace connector and the respective key that can be added in the source XML using the REST APIs to override the default activity events:

      | Delta Aggregation Type | Events | Key |
      |---|---|---|
      | Account Delta Aggregation | ADD_NICKNAME,CHANGE_USER_RELATION,CHANGE_USER_ORGANIZATION,CHANGE_USER_IM,CHANGE_LAST_NAME,CHANGE_FIRST_NAME,CHANGE_PASSWORD_ON_NEXT_LOGIN,MOVE_USER_TO_ORG_UNIT,REMOVE_NICKNAME,RENAME_USER,SUSPEND_USER,UPDATE_BIRTHDATE,CHANGE_PASSWORD,UNDELETE_USER,UNSUSPEND_USER,CHANGE_USER_CUSTOM_FIELD | accountUpdateEvents (event names can be selected from the following Google Workspace documentation page: Admin Audit Activity Events - User Settings) |
      | Group Delta Aggregation | CHANGE_GROUP_SETTING,CHANGE_GROUP_DESCRIPTION,CHANGE_GROUP_NAME,DELETE_GROUP,REMOVE_GROUP_MEMBER | groupUpdateEvents (event names can be selected from the following Google Workspace documentation page: Admin Audit Activity Events - Group Settings) |

  • When GCP support is enabled, the connector fetches both searchable resource types, cloudresourcemanager and iam, by default. To limit the number of entitlements, you can configure the connector to fetch one or the other.

    • Enter the following in the source XML using PATCH to fetch iamResourcePermission for only the iam resource type (which consists of Service Accounts):

      [
          {
              "op": "add",
              "path": "/connectorAttributes/searchableResourceTypes",
              "value": "iam"
          }
      ]
    • Enter the following in the source XML using PATCH to fetch iamResourcePermission for only the cloudresourcemanager resource type (which consists of Organization, Folders, and Projects):

      [
          {
              "op": "add",
              "path": "/connectorAttributes/searchableResourceTypes",
              "value": "cloudresourcemanager"
          }
      ]
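
The following added example (not SailPoint's own code) builds a PATCH body in the same JSON Patch shape as the two bodies above and rejects values outside the limits documented on this page before anything is sent. It assumes that the other attributes use the same /connectorAttributes/<name> path as searchableResourceTypes, that Boolean/String attributes are sent as the strings "true" or "false", and that page sizes must be at least 1; build_patch is a hypothetical helper name.

```python
import json

# Maximum page sizes as documented on this page.
PAGE_SIZE_MAX = {
    "iamRolePageSize": 1000,
    "serviceAccountPageSize": 500,
    "assetSearchPageSize": 500,
}
# Allowed values as documented on this page.
ENUMS = {
    "iamRoleView": ("FULL", "BASIC"),
    "searchableResourceTypes": ("iam", "cloudresourcemanager"),
}
BOOLEANS = ("disableStatistics", "fetchCustomIamRolesOnly", "aggregateGARolesOnly")


def build_patch(settings):
    """Return JSON Patch operations for the given connector attributes.

    Raises ValueError for an unknown attribute name or an invalid value,
    so that a typo never reaches the source configuration.
    """
    ops = []
    for name, value in settings.items():
        if name in PAGE_SIZE_MAX:
            limit = PAGE_SIZE_MAX[name]
            if isinstance(value, bool) or not isinstance(value, int):
                raise ValueError(f"{name} must be an integer")
            # Lower bound of 1 is an assumption; the page states only the maximum.
            if not 1 <= value <= limit:
                raise ValueError(f"{name} must be between 1 and {limit}")
        elif name in ENUMS:
            if value not in ENUMS[name]:
                raise ValueError(f"{name} must be one of {ENUMS[name]}")
        elif name in BOOLEANS:
            if not isinstance(value, bool):
                raise ValueError(f"{name} must be True or False")
            # Assumption: sent as a string, which Boolean/String accepts.
            value = "true" if value else "false"
        else:
            raise ValueError(f"unknown connector attribute: {name}")
        ops.append({"op": "add", "path": f"/connectorAttributes/{name}", "value": value})
    return ops


if __name__ == "__main__":
    # Constructed sample settings: limit entitlements to iam, skip predefined roles.
    sample = {"searchableResourceTypes": "iam", "fetchCustomIamRolesOnly": True,
              "iamRoleView": "BASIC", "iamRolePageSize": 500}
    print(json.dumps(build_patch(sample), indent=4))
```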