Integrating SailPoint with G Suite

Revised Date: 26 April, 2022

Google Workspace is the new name for G Suite.

You must purchase Cloud Access Management to access and use this connector to govern your cloud environments. Contact your SailPoint CSM to request access.

The SailPoint G Suite Source now manages accounts, groups and roles from all available domains of G Suite for Business, Education, or ISP provided that service account mentioned in application configuration has sufficient access to those domains.

The Source consists of a number of features like managing Gmail Delegates for accounts, moving user from one Organizational Unit to another, managing large number of account and group attributes.

SailPoint G Suite Source now uses the standard Exponential Back Off strategy recommended by Google for error-handling during aggregation.

G Suite Source is enhanced to manage Identity and access management (IAM) in Google Cloud Platform (GCP). Google Cloud Platform is a suite of public cloud computing services offered by Google. The platform includes a range of hosted services for compute, storage and application development that run on Google hardware. Customers will need to have Cloud Access Management(CAM) license to enable Cloud Governance features of this connector.

SailPoint G Suite Source now manages accounts, groups and roles for the GCP organization infrastructure. The connector consists of a number of features like managing multiple types of users, user access across multiple resources aka IAM policy of the resource.

  • The G Suite source now supports managing the following Google Cloud objects:

    • Google Account (G Suite Identities + managed Cloud Identities only)

    • Service account

    • Domain (G Suite OR Cloud Identity domain)

    • Google group

  • The G Suite source also supports the following authentication and authorization methods:

    • Client Credentials (OAuth 2.0 for Web Server Applications)

    • Service Account (OAuth 2.0 for Server to Server Applications)

  • The G Suite source now supports multiple group objects. Entitlement aggregation is supported for the following:

    • Groups

    • Roles

    • IAM Role

    • Project

    • Folder

    • Resource Permission

  • The G Suite Groups are both account type and entitlement in GCP support. GCP entitlement resource permission can be assigned to G Suite Groups. For more information, see Supported Features.

  • The G Suite source now supports provisioning an account with locations attribute. The locations attribute defines a list of the user's locations and it is a multi-valued complex attribute. The locations attribute can have values such as {"area": "Mountain View", "buildingId": "D1", "deskCode": "Desk1", "floorName":"First Floor", "floorSection":"B", “type”:”desk”}

  • For the G Suite source now the delta aggregation is not applicable for the attributes (for example, isEnrolledIn2Sv) that correspond to the USER_ENROLLED_IN_TWO_STEP_VERIFICATION event because these are not fetched by the managed system's G Suite API.

  • The G Suite (Google Workspace) source now supports filtering of user records during the full and delta account aggregation. See the Advanced Settings section for details.

  • The G Suite (Google Workspace) source now supports HTTP and HTTPS proxy configurations.