Prerequisites

• Configure at least one virtual appliance cluster and successfully test the connection. For instructions, refer to the Virtual Appliance Reference Guide.

• A working instance of a Google Workspace source.

• Ensure that you perform the following steps before generating a Client ID, Client Secret, Refresh Token for Client Credentials, and Private Key for Service Account:

  1. Ensure that GCP Organization is available.

  2. Create a project in Google Cloud Platform Console (either a user with Super Admin or Project Creator privileges should create the project).

  3. Select APIs & Services > Library in the left sidebar to enable the API for the following:

     • Admin SDK API

     • Groups Settings API

     • Identity and Access Management (IAM) API

     • Cloud Resource Manager API

     • Cloud Asset API

  For more information on generating the Client Credentials and Service Account, refer to Generating OAuth 2.0 Authentication Credentials.

• Assign API access permissions to Google Workspace user via roles as follows:

  • Client Credentials – API access is done on behalf of the Google Workspace user under whose context the credentials are generated, who gives consent while generating the refresh token. For more information on required roles, refer to Required Roles for Google Workspace and GCP Management.

  • Service Account – API access is done on behalf of an impersonating user. In other words, roles assigned to the impersonating user take priority over the roles assigned to the Service Account. For more information on required roles, refer to Required Roles for Google Workspace and GCP Management.

  Required Roles for Google Workspace and GCP Management

  Required Roles for Google Workspace User, Group, and Roles Management:

  • For Google Workspace User and Groups Management: User Management Admin Role and Group Admin Role.

  • For Google Workspace Roles Management: Super Admin Role.

  Required GCP IAM Roles for GCP Management:

  • Cloud Asset Viewer

  • Organization Role Administrator

  • Service Account Admin

  • Folder Admin

  • Organization Administrator

  • Project IAM Admin

  • Super Admin Role (for IAM Role Management and Domain Management)

  Required granular permissions for the user can be assigned through Service Account Scopes and Built-in Roles for Impersonate User or Service Account Scopes and Custom Roles for Impersonate User .

Google Reference Documents

Note
The documents listed in this section are not managed by SailPoint, and are subject to change without notice.

For more information about the above-listed prerequisites, refer to the following links:

• GCP Organization – https://cloud.google.com/resource-manager/docs/creating-managing-organization

• Admin SDK API – https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites

• Groups Settings API – https://developers.google.com/admin-sdk/groups-settings/prerequisites

• Identity and Access Management (IAM) API – https://cloud.google.com/iam

• Cloud Resource Manager API – https://cloud.google.com/resource-manager

• Cloud Asset API – https://cloud.google.com/asset-inventory/docs/quickstart