
Google Workspace (G Suite) Integration

Noga Tubi

Set up the Google Workspace integration and get all the insights in Torii's dashboard.

Overview

Torii integrates with Google Workspace (G Suite) and syncs:

  • User list
  • Licenses
  • 3rd party application list
  • 3rd party permissions
  • Usage data
  • Events

Connecting the integration consists of the steps described below.

Prerequisites

  • For Torii to sync Google Workspace data, API Access must be enabled on Google Workspace. See the following guide provided by Google: Enable API access in the Admin console.
  • For Torii to pull usage from G Suite and sync events, the read-only activity-report OAuth scope (https://www.googleapis.com/auth/admin.reports.audit.readonly) is required.
    Without this scope, Torii cannot retrieve the required information regarding activity events.
  • To use Torii to perform actions in Google Workspace, see "Google settings required for actions" below.
  • Torii's Google integration supports granular permission levels. You may allow or deny any requested scope for this integration, but denying scopes will negatively affect the integration and your ability to receive information or perform actions through it. See the scope table below for more information.

Connect the Google Workspace integration

  1. From the Torii Integrations page, click on the Google Workspace tile.
  2. Click Connect.
  3. Your Google Workspace account can be integrated as:

      • "Read-Only" to see your Google Workspace data within Torii
      • "Read/Take Action" to create workflows and take action directly through Torii

  4. Optionally, enter the "Service Account Email Address" and "Service Account Private Key." This step is optional, but the following actions require these fields (see "Google settings required for actions" below for the how-to instructions):
    • Set Vacation Responder
    • Enable Auto Forwarding
    • Update Gmail Signature
    Company-owned devices actions:
    • Block company-owned mobile devices
    • Wipe Google account from company-owned mobile devices
    • Delete company-owned mobile devices from Google Workspace
  5. Click Connect.
  6. The "Test Connection" window will display and run the connection test.
    Click Connect to continue.
  7. Once the integration is connected and synced, a green checkbox is displayed.

Google settings required for actions

To enable the Google integration for advanced actions such as Update Gmail Signature, you will need to enable API access from Google for Torii, as follows.

  1. Go to your Google Cloud Console: https://console.cloud.google.com/apis/api/gmail.googleapis.com/overview
  2. If you don't have a project, click "Select a project" >> NEW PROJECT.
  3. Enter a Project Name, e.g. "Torii Project".
  4. Select your Organization and click CREATE.
  5. Click on "ENABLE APIS AND SERVICES".
  6. To enable the Set Vacation Responder, Enable Auto Forwarding, Update Gmail Signature and Share User's Email actions:
    Search for "gmail", select "Gmail API," and click ENABLE.
    You should now see the status as Enabled: https://console.cloud.google.com/apis/api/gmail.googleapis.com/overview
  7. To enable the Share Google calendars, Remove access to shared calendars and Delete calendar events actions:
    Search for "calendar", select "Google Calendar API" and click ENABLE.
    You should now see the status as Enabled.
  8. To enable the Remove user from all shared drives action, select "Google Drive API" and click ENABLE.
  9. To enable the Block company-owned mobile devices, Wipe Google account from company-owned mobile devices, and Delete company-owned mobile devices actions:
    Search for "Cloud Identity", select it, and click ENABLE.
  10. Click on Credentials.
  11. Go to + CREATE CREDENTIALS and select Service account.
  12. Provide the Service Account details and click Done.
  13. After editing the Service Account details, click the "Keys" tab.
  14. Click Add Key >> Create New Key >> Create.
  15. In the "Create private key" window, leave the default JSON and click CREATE.
  16. The JSON key file will be downloaded automatically to your computer.
  17. In the Google Admin Console, go to Security >> Access and Data Control >> API Controls >> Manage Domain Wide Delegation (scroll down).
  18. Click Add New.
  19. Add your Client ID (from your JSON key file), add the required scopes, and click Authorize.
  20. Enter the Service Account Email Address.
  21. Add the Service Account Private Key; make sure to copy the entire key.
  22. Enter the Service Account Email Address and Service Account Private Key in the "Connect Google Workspace" window, and click Connect.
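The Client ID, service account email and private key pasted in the delegation and connection steps all come from the downloaded JSON key file, and a key that is copied incompletely is a common cause of a failed connection. The following Python example is added here and is not Torii's or Google's code; the key file contents, project name and client ID are constructed placeholders.

```python
import json

# Constructed sample of a downloaded service-account key file (placeholder values, not a real key).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "torii-project-example",
    "private_key_id": "placeholder-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "torii-sa@torii-project-example.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

REQUIRED_FIELDS = ("type", "client_email", "client_id", "private_key")

def private_key_is_complete(pem: str) -> bool:
    """True only if the key still has its BEGIN and END lines with the body between them."""
    # A key pasted without its line breaks, or cut off part-way, fails here.
    lines = pem.strip().splitlines()
    return (
        len(lines) >= 3
        and lines[0] == "-----BEGIN PRIVATE KEY-----"
        and lines[-1] == "-----END PRIVATE KEY-----"
    )

def extract_delegation_values(key_json: str) -> dict:
    """Parse the key file and return the values the delegation and connection steps ask for."""
    data = json.loads(key_json)
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if data["type"] != "service_account":
        raise ValueError("not a service-account key file")
    if not str(data["client_id"]).isdigit():
        raise ValueError("client_id is expected to be numeric")
    if not private_key_is_complete(data["private_key"]):
        raise ValueError("private key is truncated or has lost its line breaks")
    return {
        "client_id": data["client_id"],                  # pasted in Manage Domain Wide Delegation
        "service_account_email": data["client_email"],   # Service Account Email Address field
        "private_key": data["private_key"],              # Service Account Private Key field
    }

def key_file_is_usable(key_json: str) -> bool:
    """Convenience wrapper: True when the file passes every check above."""
    try:
        extract_delegation_values(key_json)
        return True
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False
```

Keep the downloaded key file out of shared drives and ticketing systems once its values are pasted; it grants the delegated access on its own.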

 

Delegate user's email action: more prerequisites

  1. Sign in to the Admin console.
  2. Navigate to Apps > Google Workspace > Gmail > User settings > Mail delegation.
  3. Check the "Let users delegate access to their mailbox to other users in the domain" box.
  4. Save your changes. They can take up to 24 hours to take effect.


Mobile device actions

Company-owned devices actions

These actions require the special permissions mentioned above; they are executed on all the company-owned devices assigned to the selected user.

  • Block company-owned mobile devices: blocks access to the organization's Google account from the devices.
  • Wipe Google account from company-owned mobile devices: deletes all of your organization's data from the devices.
  • Delete company-owned mobile devices from Google Workspace: removes the devices from the Google Workspace list.

User-owned devices actions:

These actions do not require any special permissions beyond connecting the integration as "Read/Take Action". The actions are executed on all the user-owned devices assigned to the selected user.

  • Block user-owned mobile devices: blocks access to the organization's Google account from the devices.
  • Wipe Google account from user-owned mobile devices: deletes all of your organization's data from the devices.
  • Delete user-owned mobile devices from Google Workspace: removes the devices from the Google Workspace list.

Read-only

If you choose to connect Google Workspace as "Read-only", Torii will require the permissions listed in the scope table below.

NOTE: Google's documentation states that a Super Administrator user is required to read license data (from Google's access control policy):
"License Management — This privilege works only in the Admin console and authorizes only super admins to use the License Manager API."

However, we found that creating a dedicated admin role that is not a Super Administrator also allows reading license management data.
If you have created a dedicated Super Admin user for the integration, make sure you log in with that user and accept any Google Terms of Service.
Without accepting the Terms of Service, Torii's access will be limited.

Read and take action

If you choose to connect Google Workspace as "Read/Take Action", you will grant Torii the permissions listed in the scope table below.


List of requested scopes for Torii's Google Workspace integration

Scopes are given relative to https://www.googleapis.com/auth/ (for example, /admin.reports.audit.readonly is https://www.googleapis.com/auth/admin.reports.audit.readonly). Each entry lists Google's description of the scope and what Torii requires it for.

Scope: /admin.directory.user.readonly
Description: See info about users on your domain
Required for: Getting a user list from Google Workspace. Mandatory (integration will fail without this scope).

Scope: /apps.licensing
Description: View and manage G Suite licenses for your domain
Required for: Getting a list of licenses for Google Workspace users. Mandatory (integration will fail without this scope).

Scope: /admin.reports.usage.readonly
Description: View usage reports for your G Suite domain
Required for: Getting a list of unassigned licenses in Google Workspace. Mandatory (integration will fail without this scope).

Scope: /admin.directory.user.security
Description: Manage data access permissions for users on your domain
Required for: Discovering apps via Google Workspace (Log in with Google), and these actions:
  • Delete All Application Specific Passwords
  • Generate New Backup Verification Codes
  • Invalidate Backup Verification Codes
  • Sign Google Workspace user out of all sessions
  • Turn Off Two Step Verification
Mandatory (integration will fail without this scope).

Scope: /admin.directory.customer.readonly
Description: View customer related information
Required for: Getting the account name.

Scope: /admin.reports.audit.readonly
Description: View audit reports for your G Suite domain
Required for: Getting usage data for Google Workspace users and usage data for apps discovered via Google. Required if you want to use Real-time offboarding for Google Workspace. Denying this scope will also affect the accuracy of 3rd party app detection via Google Workspace.

Scope: /admin.directory.group.readonly
Description: View groups on your domain
Required for: Getting user group data from Google Workspace.

Scope: /admin.directory.orgunit.readonly
Description: View organization units on your domain
Required for: Getting Org Unit data from Google Workspace. Required if you want to use Real-time offboarding for Google Workspace. Required for the Create user action.

Scope: /admin.directory.user
Description: View and manage the provisioning of users on your domain
Required for these actions:
  • Archive Google Workspace user
  • Change Google Workspace user email
  • Change Google Workspace user name
  • Force Google Workspace user to change password at next login
  • Change Google Workspace user password
  • Add alternate email (email alias)
  • Create Google Workspace user
  • Delete Google Workspace email alias
  • Delete Google Workspace user
  • Hide Google Workspace user from the Organization's Directory
  • Show Google Workspace user in the Organization's Directory
  • Update Google Workspace user information
  • Reactivate Google Workspace user
  • Suspend Google Workspace user
  • Unarchive Google Workspace user
  • Change Google Workspace user organization unit

Scope: /admin.directory.device.mobile
Description: View and manage your mobile devices' metadata
Required for these actions:
  • Block user-owned mobile devices
  • Delete user-owned mobile devices from Google Workspace
  • Wipe Google account from user-owned mobile devices

Scope: /admin.directory.group
Description: View and manage the provisioning of groups on your domain
Required for these actions:
  • Create Google Workspace group
  • Delete Google Workspace groups

Scope: /admin.directory.group.readonly
Description: View groups on your domain
Required for these actions:
  • Add user to Google Workspace groups
  • Remove user from Google Workspace groups
  • Transfer Google Workspace groups ownership

Scope: /admin.directory.group.member
Description: View and manage group subscriptions on your domain

Scope: /admin.datatransfer
Description: View and manage data transfers between users in your organization
Required for these actions:
  • Transfer Google Workspace calendar data
  • Transfer Google Workspace Data Studio
  • Transfer Google Workspace Docs and Drive data
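Because the integration lets you allow or deny individual scopes, it helps to know in advance which scopes are mandatory and which capabilities a narrower grant would block. The following Python example is added here and is not Torii's own code; it encodes a subset of the table above (the capability names are taken from the table, the grouping into capabilities is this editor's reading of it), reports what a given grant breaks, and computes the least-privilege scope set for a chosen list of capabilities.

```python
from typing import Iterable

PREFIX = "https://www.googleapis.com/auth/"

# Scopes the table marks "Mandatory (integration will fail without this scope)".
MANDATORY = {
    "admin.directory.user.readonly",
    "apps.licensing",
    "admin.reports.usage.readonly",
    "admin.directory.user.security",
}

# Optional capability -> scopes the table says it depends on (a subset of the table).
CAPABILITY_SCOPES = {
    "Getting account name": {"admin.directory.customer.readonly"},
    "Usage data and 3rd party app detection accuracy": {"admin.reports.audit.readonly"},
    "Real-time offboarding": {"admin.reports.audit.readonly", "admin.directory.orgunit.readonly"},
    "Create Google Workspace user": {"admin.directory.user", "admin.directory.orgunit.readonly"},
    "Suspend Google Workspace user": {"admin.directory.user"},
    "Block user-owned mobile devices": {"admin.directory.device.mobile"},
    "Create Google Workspace group": {"admin.directory.group"},
    "Transfer Google Workspace Docs and Drive data": {"admin.datatransfer"},
}

def short(scope: str) -> str:
    """Reduce a full scope URL (or the table's '/name' shorthand) to its bare name."""
    return scope.replace(PREFIX, "").lstrip("/")

def evaluate_grant(granted: Iterable[str]) -> dict:
    """Report what a consent set breaks: missing mandatory scopes and blocked capabilities."""
    have = {short(s) for s in granted}
    return {
        "missing_mandatory": sorted(MANDATORY - have),
        "blocked": sorted(cap for cap, need in CAPABILITY_SCOPES.items() if not need <= have),
    }

def minimal_scopes(capabilities: Iterable[str]) -> list[str]:
    """Least-privilege grant: the mandatory scopes plus only what the chosen capabilities need."""
    need = set(MANDATORY)
    for cap in capabilities:
        need |= CAPABILITY_SCOPES[cap]  # KeyError for a capability the table above does not list
    return sorted(PREFIX + s for s in need)

if __name__ == "__main__":
    # Constructed example: a grant that only adds user suspension on top of the mandatory scopes.
    print(evaluate_grant(minimal_scopes(["Suspend Google Workspace user"])))
    # A grant with just the user-list scope: three mandatory scopes missing, so the sync fails.
    print(evaluate_grant([PREFIX + "admin.directory.user.readonly"]))
```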

Integration Capabilities and Actions 

You can stay updated about application information and actions from our Integrations Page >> Integration Capabilities button >> Integration Capabilities table.

Usage

Torii pulls 2 types of usage events and calculates Google Workspace usage based on them:

  • SAML Audit activity events - Usage for apps connected to G Suite SSO

  • Login Audit Activity Events - General usage for Google Workspace, for example, 2-step verification enrollment change, Account password change, etc.

Torii will pull activity events from the last 30 days on the first usage sync.

Events

Torii continuously monitors Google events and updates data in Torii in real-time accordingly. The Google events that Torii monitors are:

  • User was deleted
  • User was suspended
  • User was archived

If you set Google as the user lifecycle source of truth, the Offboarding To-Do list in Torii will be continuously updated based on the events above.

You can also leverage Torii's App Event workflow trigger to trigger automation based on the above events whenever an event happens in Google Workspace.

Troubleshooting

Authorization Error

You might encounter an Authorization Error when connecting the integration.

Resolution

  1. From the Google Admin page, go to Security
  2. API controls
  3. MANAGE THIRD-PARTY APP ACCESS
  4. Click on Add app
  5. Select the OAuth App Name OR Client ID option
  6. Search for Torii
  7. Click Select
  8. Check all Client ID boxes
  9. Select the Trusted option
  10. Click Configure

Q&A

Q: What data is transferred using the "Transfer Google Workspace Data Studio" action?

A: The data transferred is:


Q: Why can't I use the @import command when updating a user's signature?

A: We currently have a limitation on this action regarding the Signature field. If the signature is in HTML format, we cannot utilize the '@import' command due to the '@' sign being used for mentions in workflow actions fields, such as 'Trigger.User.FirstName'.

Related articles 

Torii “Read-Only” Integration with Google Workspace Tenant
