Overview
To create a Torii “Read-only” integration with your Google Workspace tenant, create a custom admin role in Google Workspace with minimal privileges and assign this role to the service account used for the Torii integration.
Creating a custom admin role with these privileges limits access to very specific capabilities.
This approach does NOT require using the Google Workspace Super Admin role.
Prerequisites
- An account with Admin privileges to the “Google Workspace” Admin console (https://admin.google.com)
- Service account for “Torii API Admin.”
How to add a user to Google Workspace
Create the custom role.
- Log into your Google Workspace tenant with Admin privileges
- Select Account >> Admin roles >> Create new role
- Fill in the Name and Description fields.
- Under Admin Console privileges, select the following:
  - Organizational Units - Read
  - Users - All
  - Security - User Security Management
  - Reports
- Under Admin API privileges, select the following:
  - Organizational Units - Read
  - Users - All (inherited from admin console)
  - Groups - Create, Read, Update
  - User Security Management
  - Data Transfer
  - Schema Management - All
  - License Management - All
  - Billing Management - All
  - Domain Allowlist Management - All
  - Add security label on groups resource
- Assign a user to the role.
- Search for the user and click on Assign Role
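To confirm the result after assignment, the following added example (not Torii or Google code) audits role data exported from the Admin SDK Directory API `roles` and `roleAssignments` resources: it flags a Super Admin assignment on the integration user and any difference between the custom role's privileges and an approved list. The user ID, role IDs, role names, service IDs and privilege names are constructed placeholders; substitute the values exported from your own tenant.

```python
# Added example: audit exported Admin SDK Directory API role data.
# All IDs, role names, service IDs and privilege names are constructed placeholders.

def audit_integration_user(user_id, roles, assignments, approved):
    """Return findings for the roles assigned to the integration user.

    roles / assignments: lists of Role and RoleAssignment resources (dicts).
    approved: set of (serviceId, privilegeName) pairs the custom role may hold.
    """
    by_id = {r["roleId"]: r for r in roles}
    mine = [a for a in assignments if a["assignedTo"] == user_id]
    findings = [] if mine else ["no role assigned to the integration user"]
    for a in mine:
        role = by_id.get(a["roleId"])
        if role is None:
            findings.append(f"assignment references unknown role {a['roleId']}")
            continue
        name = role.get("roleName", a["roleId"])
        if role.get("isSuperAdminRole"):
            findings.append(f"{name}: Super Admin role is assigned")
            continue  # a privilege diff is meaningless for Super Admin
        held = {(p["serviceId"], p["privilegeName"])
                for p in role.get("rolePrivileges", [])}
        for svc, priv in sorted(held - approved):
            findings.append(f"{name}: unapproved privilege {priv} ({svc})")
        for svc, priv in sorted(approved - held):
            findings.append(f"{name}: missing privilege {priv} ({svc})")
    return findings

# Constructed sample data (placeholders, not real tenant values).
APPROVED = {("svc-dir", "EXAMPLE_ORG_UNITS_READ"), ("svc-dir", "EXAMPLE_USERS_ALL")}
ROLES = [
    {"roleId": "101", "roleName": "Torii integration", "isSuperAdminRole": False,
     "rolePrivileges": [
         {"serviceId": "svc-dir", "privilegeName": "EXAMPLE_ORG_UNITS_READ"},
         {"serviceId": "svc-dir", "privilegeName": "EXAMPLE_DOMAIN_SETTINGS"}]},
    {"roleId": "1", "roleName": "Super Admin", "isSuperAdminRole": True,
     "rolePrivileges": []},
]
ASSIGNMENTS = [
    {"roleId": "101", "assignedTo": "user-123", "scopeType": "CUSTOMER"},
    {"roleId": "1", "assignedTo": "user-123", "scopeType": "CUSTOMER"},
]

if __name__ == "__main__":
    for line in audit_integration_user("user-123", ROLES, ASSIGNMENTS, APPROVED):
        print(line)
```

An empty result means the integration user holds only the custom role and that role matches the approved privilege list.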
Connect via Torii’s Integrations page
NOTE: If you receive an error message connecting to Google via Torii’s Integrations page, please do the following:
- Go to the Torii Integrations page >> Google Workspace tile
- Click Connect.
- Select the “connect-link” to copy the connection link to your clipboard.
- Open an Incognito / Private browsing session, paste the link, and complete the steps required.
For additional documentation, please see the Google Workspace Integration Documentation.