Supported Features

The SailPoint Google Workspace connector supports the following features:

Note
Before you can use any item marked with an asterisk (*), SailPoint must activate the feature for your site.

  • Load Google Workspace accounts

  • *Provision Google Workspace accounts

  • Delta Aggregation

  • *Access Certifications (certification of entitlements connected to accounts)

  • HTTP and HTTPS proxy configurations

  • Filtering of user records during full and delta aggregation. For more information, refer to Domain and Aggregation Settings.

For more information on features, refer to IdentityNow Source Features.

Multiple Account Type Support

Feature

Users

Google Workspace

GCP (User types supported as part of GCP Support)

Google Workspace User/ Cloud Identity

Service Account

Domain

Aggregate

Create

Password Management

NA

NA

Enable and Disable

NA

Archive and Unarchive

NA

NA

Group Entitlements (Read, Request, and Revoke)

groups, roles, and resource permission

resource permission

resource permission

Note
The Google Workspace user Archive and Unarchive features are only applicable to Google Workspace users from the managed system itself. This doesn't apply to other account types.

Group Entitlements

IdentityNow is capable of aggregating additional details of Group Entitlements from the managed system. These objects have a separate schema which defines a list of attributes. Aggregation tasks fetch the defined attributes as additional details when it runs aggregation processes for a specific Group Entitlement type.

Supported Google Workspace objects include:

  • Groups

  • Roles

Supported GCP objects are:

  • IAM Roles

  • Projects

  • Folders

  • Resource Permissions

Important
Refer to Using Multiple Group Entitlements with a Preexisting Connector for more information.

Google Workspace Groups are both accounts and entitlements in GCP support. GCP entitlement resource permissions can be assigned to Google Workspace Groups.

Note
Only Group, Role, and Resource Permissions can be requested as multiple group entitlements.

Support for Managing Google Cloud Objects

The Google Workspace connector can manage the following Google Cloud objects:

  • Google Accounts

    (Google Workspace Identities + managed Cloud Identities only)

  • Service Accounts

  • Domains

    (Google Workspace or Cloud Identity Domain)

  • Google Groups

Supported Authentication Methods

The Google Workspace connector supports the following authentication and authorization methods:

  • Client Credentials (OAuth 2.0 for Web Server Applications)

  • Service Account (OAuth 2.0 for Server to Server Applications)

Support for Multiple Group Objects

The Google Workspace connector supports multiple group objects. Entitlement aggregation is supported for the following:

  • Groups

  • Roles

  • IAM Roles

  • Projects

  • Folders

  • Resource Permissions

Supported Features Comparison with Cloud Governance

Important

If you want to enable additional cloud governance features (for example, visualization of effective access) for your GCP Cloud Infrastructure, you must have a CIEM license. If you already have a CAM license, no additional license purchase is required. Contact your SailPoint Customer Success Manager to request access and for more information.

Supported Features

Google Workspace Connector (Standard Features)

Google Workspace Connector (With Cloud Governance)

Account Management

  • Manage Google Workspace Users as Accounts

  • Aggregate, Refresh Accounts, Aggregate and Provision Custom Schema Attributes

  • Create, Update, and Delete

  • Enable, Disable, and Change Password

  • Add and Remove Entitlements

  • Manages Delegated Administrators and Alias on Accounts

  • Move User to Other Organization Unit

Yes

Yes

Group Management

  • Manage Google Workspace Groups as Account - Groups

  • Aggregate and Refresh Group

Yes

Yes

Role Management

  • Manage Google Workspace Roles as Account - Roles

  • Aggregate and Refresh Roles

  • Create, Update, and Delete

Yes

Yes

IAM Role Management

  • Manage GCP IAM Roles as IAMRole

  • Aggregate and Refresh Role

  • Create, Update, and Delete

No

Yes

Project Management

  • Manage GCP Project as Project

  • Aggregate and Refresh

  • Manages Delegated Administrators (Supported with Service Account Authorization Only) and Alias on Accounts

No

Yes

Folder Management

  • Manage GCP Folder as Folder

  • Aggregate and Refresh

No

Yes

IAM Resource Permission Management

  • Manage GCP Resource Permission as iamResourcePermission

  • Aggregate and Refresh

No

Yes