Prerequisites

- A working instance of a Google Workspace source.

OAuth 2.0 Authentication Methods

The Google Workspace SaaS connector uses the OAuth 2.0 protocol for API authentication and authorization, supporting the following two scenarios:

- Client Credentials (OAuth 2.0 for Web Server Applications)
- Service Account (OAuth 2.0 for Server to Server Applications)

Note
SailPoint's Cloud Infrastructure Entitlement Management (CIEM) only supports Service Account as a grant type. For more information, refer to Service Account Authentication Settings.

API Access Permissions via Roles

API access permissions are assigned to the Google Workspace user via roles, based on the type of credentials used:

- Client Credentials: API access is performed on behalf of the Google Workspace user under whose context the credentials are generated. This user provides consent while generating the refresh token. For more information on required roles, refer to Required Roles for Google Workspace and Google Cloud Platform (GCP) Management.
- Service Account: API access is performed on behalf of an impersonated user. The roles assigned to the impersonated user take priority over the roles assigned directly to the Service Account. For more information on required roles, refer to Required Roles for Google Workspace and Google Cloud Platform (GCP) Management.

For more information on generating the Client Credentials and Service Account, refer to Generating OAuth 2.0 Credentials.
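The Service Account scenario above works by having the service account sign a JWT assertion whose "sub" claim names the Workspace admin it acts for; that claim is the reason the impersonated admin's roles, rather than the service account's own, decide what the API call may do. The script below is an added example and is not SailPoint's code or Google's library: it builds such an assertion with openssl, decodes the claim set so an operator can check which admin and scope it names, and verifies the signature locally. It assumes openssl is installed; the service-account address, admin address and scope are constructed placeholders.

```shell
#!/bin/sh
# Added example, not SailPoint's code: build and locally verify the RS256-signed
# JWT assertion a service account presents to Google's token endpoint when it
# calls the Admin SDK on behalf of an impersonated Workspace admin. The "sub"
# claim names that admin, which is why the admin's roles, not the service
# account's own, decide what the API call may do.
# Assumes openssl is on PATH; all e-mail addresses and the scope are constructed.
set -eu

# base64url-encode stdin: URL-safe alphabet, no padding, as the JWT format requires
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# base64url-decode stdin: restore the standard alphabet and the padding openssl expects
b64url_decode() {
  tr '_-' '/+' | awk '{ n = length($0) % 4; if (n) $0 = $0 substr("====", 1, 4 - n); print }' \
    | openssl base64 -d -A
}

# make_assertion KEY.pem SA_EMAIL ADMIN_EMAIL SCOPES NOW : print header.claims.signature
make_assertion() {
  key=$1; sa=$2; sub=$3; scope=$4; now=$5
  exp=$((now + 3600))   # Google rejects assertions valid for more than one hour
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  claims=$(printf '{"iss":"%s","sub":"%s","scope":"%s","aud":"https://oauth2.googleapis.com/token","iat":%d,"exp":%d}' \
    "$sa" "$sub" "$scope" "$now" "$exp" | b64url)
  sig=$(printf '%s.%s' "$header" "$claims" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s' "$header" "$claims" "$sig"
}

# claims_of JWT : decode the claim set so an operator can check iss/sub/scope before use
claims_of() {
  mid=${1#*.}
  printf '%s' "${mid%.*}" | b64url_decode
}

# verify_assertion JWT PUB.pem : succeed only if the signature covers header.claims unchanged
verify_assertion() {
  jwt=$1; pub=$2
  sigfile=$(mktemp)
  printf '%s' "${jwt##*.}" | b64url_decode > "$sigfile"
  if printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$sigfile"
  return $rc
}

# demo : a throwaway key pair stands in for the downloaded service-account key
demo() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/sa.pem" 2>/dev/null
  openssl pkey -in "$dir/sa.pem" -pubout -out "$dir/sa.pub" 2>/dev/null
  jwt=$(make_assertion "$dir/sa.pem" "connector@example-project.iam.gserviceaccount.com" \
    "idn-admin@example.com" "https://www.googleapis.com/auth/admin.directory.user.readonly" 1700000000)
  claims_of "$jwt"; echo
  verify_assertion "$jwt" "$dir/sa.pub" && echo "signature OK"
  rm -rf "$dir"
}

demo
```

In the real flow the assertion is posted to the "aud" URL with grant_type set to urn:ietf:params:oauth:grant-type:jwt-bearer and Google returns an access token that carries the impersonated admin's permissions; the scopes requested in the claim set must also have been granted to the service account's client ID in the Workspace admin console, which is the step the documentation calls Add Scopes to the Service Account.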
CIEM and Google Cloud Platform (GCP) Setup

Note
To enable advanced cloud governance features, such as the visualization of effective access for your GCP Cloud Infrastructure, a SailPoint CIEM license is required. For access and further details, contact your SailPoint Customer Success Manager.

Before proceeding with OAuth 2.0 credential generation for a Service Account, ensure the following Google Cloud Platform (GCP) configurations are in place:

- GCP Organization Availability: Verify that a GCP Organization is available.
- Project Creation: Create a project at the Organization level within the Google Cloud Platform Console. This step requires a user with either Super Admin or Project Creator privileges.
- API Enablement: In the newly created or existing project, go to APIs & Services > Library and enable the following APIs:
  - Admin SDK API
  - Groups Settings API
  - Identity and Access Management (IAM) API
  - Cloud Resource Manager API
  - Cloud Asset API
- Service Account Creation: Create a service account in GCP under the project. For more information, refer to Create Service Account and Generate Private Key.
- Custom Role Creation: Create a custom role for the service account at the Organization level and assign the permissions. For more information, refer to Creating and Assigning Custom Roles.
- Grant Service Account Access: For more information, refer to Add Scopes to the Service Account.
- Admin Account for Impersonation: Create an admin account in Google Workspace and configure its permissions in Google Cloud Platform (GCP). For more information, refer to Required Roles for Google Workspace and GCP Management.
- Generate Private Key for Service Account: Go to the KEYS tab, select ADD KEY > Create new key, and then select JSON as the key type. Convert the service account private key to RSA format. For more information, refer to Convert Service Account Private Key to RSA Format.
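One way to carry out the last step, converting the private key from the downloaded JSON key file to RSA format, is shown below as an added example; it is not SailPoint's own procedure. Google writes the key into the JSON file's private_key field in PKCS#8 encoding ("BEGIN PRIVATE KEY"), and "RSA format" here means the traditional PKCS#1 encoding ("BEGIN RSA PRIVATE KEY"). The script extracts the field, re-encodes it with openssl, and checks that the re-encoded file still describes the same key. It assumes openssl 1.1.0 or later and python3 are installed; the JSON key file built in demo() is constructed for this example and a real key should never be pasted into a script.

```shell
#!/bin/sh
# Added example, not SailPoint's code: pull the private_key out of a downloaded
# service-account JSON key file and convert it from PKCS#8 ("BEGIN PRIVATE KEY",
# what Google issues) to traditional PKCS#1 RSA form ("BEGIN RSA PRIVATE KEY").
# Assumes openssl (1.1.0+) and python3 are on PATH. The key file built in demo()
# is constructed for this example.
set -eu
umask 077   # every file written below holds a private key: owner-only permissions

# extract_private_key KEY.json OUT.pem : write the PEM text stored in the JSON field
extract_private_key() {
  python3 -c 'import json, sys; sys.stdout.write(json.load(open(sys.argv[1]))["private_key"])' "$1" > "$2"
}

# convert_to_rsa IN.pem OUT.pem : re-encode an unencrypted key in PKCS#1 form.
# "openssl pkey -traditional" is used because it behaves the same on OpenSSL 1.1.x
# and 3.x, whereas the default output encoding of "openssl rsa" differs between releases.
convert_to_rsa() {
  openssl pkey -in "$1" -traditional -out "$2" 2>/dev/null
}

# pem_header FILE : first line of a PEM file, which names its encoding
pem_header() {
  head -n 1 "$1"
}

# same_key A.pem B.pem : succeed only if both files derive the same public key,
# showing that the conversion changed the encoding and nothing else
same_key() {
  a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# demo : generate a throwaway key, wrap it in a minimal JSON key file, convert it
demo() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/pkcs8.pem" 2>/dev/null
  python3 - "$dir/pkcs8.pem" "$dir/sa-key.json" <<'EOF'
import json, sys
pem = open(sys.argv[1]).read()
# constructed placeholder fields mirroring the layout of a Google key file
key = {"type": "service_account",
       "client_email": "connector@example-project.iam.gserviceaccount.com",
       "private_key": pem}
json.dump(key, open(sys.argv[2], "w"), indent=2)
EOF
  extract_private_key "$dir/sa-key.json" "$dir/extracted.pem"
  convert_to_rsa "$dir/extracted.pem" "$dir/rsa.pem"
  printf 'before: %s\nafter:  %s\n' "$(pem_header "$dir/extracted.pem")" "$(pem_header "$dir/rsa.pem")"
  same_key "$dir/extracted.pem" "$dir/rsa.pem" && echo "same key material"
  rm -rf "$dir"
}

demo
```

The umask and the temporary directory matter as much as the conversion itself: the extracted and converted PEM files are the service account's long-lived credential, so they should exist only where the connector configuration needs them, with owner-only permissions, and the downloaded JSON file should be removed once the RSA-format key has been stored.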
Required Roles for Google Workspace and GCP Management

The required roles for Google Workspace User, Group, and Roles Management:

- For Google Workspace User and Groups Management: User Management Admin Role and Group Admin Role.
- For Google Workspace Roles Management: Super Admin Role.

The required GCP IAM roles for GCP Management:

- Cloud Asset Viewer
- Organization Role Administrator
- Organization Role Viewer
- Service Account Admin
- Folder IAM Admin
- Organization Administrator
- Project IAM Admin
- Super Admin Role (for IAM Role Management and Domain Management)

The necessary granular permissions for the user can be assigned through Service Account Scopes and Built-in Roles for Impersonate User or Service Account Scopes and Custom Roles for Impersonate User.
Google Reference Documents

Note
The documents listed in this section are not managed by SailPoint and are subject to change without notice.
For more information about the above-listed prerequisites, refer to the following links: