# Google Workspace
Google Workspace, formerly known as G Suite, is a collection of cloud computing, productivity, and collaboration tools, software, and products developed by Google.
Workato enables you to add, delete, update, fetch, or search for any objects, such as users, groups, or roles. For example, when onboarding new employees, the employee details need to be added to Google Workspace.
# API version
Workato's Google Workspace connector currently uses the Google Admin SDK to connect to the admin services.
# How to connect to Google Workspace on Workato
The Google Workspace connector supports both OAuth2.0 and Service Account-based authentication.
## OAuth2.0
Connecting the Google Workspace connector is as simple as signing in to your Google account.
Select Connect.
Sign in with your Google account. Note that your Google account should have Admin privileges to make such organization-wide changes in Google Workspace.
Workato lets you set the scopes (permissions) for a specific connection through "Advanced Settings". The following scopes are always provided by default:
Description | Scope requested |
---|---|
View and manage the provisioning of users on your domain | admin.directory.user |
View and manage organization units on your domain | admin.directory.orgunit |
View and manage the provisioning of domains for your customers | admin.directory.domain |
View and manage the provisioning of user schemas on your domain | admin.directory.userschema |
View and manage the provisioning of groups on your domain | admin.directory.group |
View and manage group subscriptions on your domain | admin.directory.group.member |
View and manage data transfers between users in your organization | admin.datatransfer |
Manage your mobile devices by performing administrative tasks | admin.directory.device.mobile.action |
View audit reports for your G Suite domain | admin.reports.audit.readonly |
View usage reports for your G Suite domain | admin.reports.usage.readonly |
Manage delegated admin roles for your domain | admin.directory.rolemanagement |
Manage data access permissions for users on your domain | admin.directory.user.security |
Additionally, the following scopes can be included using the multi-select option:
Description | Scope requested |
---|---|
View and manage the provisioning of users on your domain | admin.directory.user |
View and manage customer related information | admin.directory.customer |
View and manage your Chrome OS device metadata | admin.directory.device.chromeos |
View and manage your mobile device metadata | admin.directory.device.mobile |
View and manage the provisioning of calendar resources on your domain | admin.directory.resource.calendar |
View and manage user aliases on your domain | admin.directory.user.alias |
View and manage your data across Google Cloud Platform services | cloud-platform |
View and manage Google Workspace licenses for your domain | apps.licensing |
View and manage groups settings | apps.groups.settings |
For more detailed information about the scopes, please refer to the directory API-specific authorization and authentication information or OAuth 2.0 Scopes for Google APIs.
And you are good to go.
## Service Account
You can also authenticate to Google Workspace using a Google Cloud service account. A service account is a special type of Google account that is associated with your Google Cloud project and can be used to run API requests on your behalf. Service accounts can be used in Gmail to ensure that the solution will continue running even if individual users' permissions change. Read more about service accounts here.
To create a service account, you need to log in to your Google Cloud Platform (GCP) console. Follow the guide here to create a new service account in your GCP project. Follow this guide to add a new private key and download the key in JSON format. Note that after you download the key file, you cannot download it again.
Input field | Description |
---|---|
Connection name | Name of the connection |
Location | Where the connection is organized inside your project |
Authentication type | Choose "Service account" to authenticate using a Google service account |
GCP project service account email | The email address of the service account |
Private key | Enter the private key from the downloaded JSON key file. Include everything from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----\n |
User email | The email address of the user account to impersonate. Workato will perform actions on behalf of the impersonated email via the authenticated service account |
TIP
In order to successfully connect to Google Workspace using a service account, the following permissions are required:
- admin.directory.user
- admin.directory.orgunit
- admin.directory.domain
- admin.directory.group
- admin.directory.group.member
- admin.datatransfer
- admin.directory.device.mobile.action
- admin.directory.userschema
- admin.reports.audit.readonly
- admin.reports.usage.readonly
- admin.directory.rolemanagement
- admin.directory.user.security

Once authenticated, the service account impersonates the user whose email address was entered during connection setup.
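
As an added example (not Workato's code and not part of the original page), this Python sketch maps a downloaded key file to the connection fields above, checks that the private key runs from the BEGIN line to the END line with its trailing newline, and builds the claim set of Google's service-account JWT grant, where `sub` carries the impersonated user. The key file contents, email addresses and function names are constructed for illustration, and signing the assertion is left out.

```python
import json
import re
import time

SCOPE_PREFIX = "https://www.googleapis.com/auth/"
# Short scope names the page lists as required for a service-account connection.
REQUIRED_SCOPES = """admin.directory.user admin.directory.orgunit admin.directory.domain
admin.directory.group admin.directory.group.member admin.datatransfer
admin.directory.device.mobile.action admin.directory.userschema
admin.reports.audit.readonly admin.reports.usage.readonly
admin.directory.rolemanagement admin.directory.user.security""".split()
PEM_RE = re.compile(r"\A-----BEGIN PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+"
                    r"\n-----END PRIVATE KEY-----\n\Z")

# Constructed key file: the key body is a placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "workato-sa@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                   "-----END PRIVATE KEY-----\n",
})


def connection_fields(key_json, user_email):
    """Map a downloaded key file to the connection form fields; validate the PEM."""
    key = json.loads(key_json)  # also turns the file's \n escapes into newlines
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    if not PEM_RE.match(key.get("private_key", "")):
        raise ValueError("private key must run from BEGIN to END, final newline included")
    return {"GCP project service account email": key["client_email"],
            "Private key": key["private_key"],
            "User email": user_email}


def jwt_claims(fields, now=None):
    """Claim set of Google's service-account JWT grant; 'sub' is the impersonated user."""
    now = int(time.time()) if now is None else now
    return {
        "iss": fields["GCP project service account email"],
        "sub": fields["User email"],
        "scope": " ".join(SCOPE_PREFIX + s for s in REQUIRED_SCOPES),
        "aud": "https://oauth2.googleapis.com/token",
        "iat": now,
        "exp": now + 3600,  # assertions are valid for at most one hour
    }
```

The space-separated `scope` value shows the full scope URLs behind the short names listed above.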
# Google Workspace - Action objects
Workato allows you to add, delete, update, fetch, or search for objects on Google Workspace. Here, we classify User, User alias, Groups, etc. as objects. Note that the input fields will change depending on the object chosen. The list of objects used can be found below.
Objects | Description |
---|---|
User | Perform an action on a user |
User alias | Perform an action on the aliases associated with a user, which are alternate email addresses |
Group | Perform an action on a user group |
Organizational unit | Perform an action on an organizational unit |
Member to group | Perform an action on a user with relation to a group |
Role assignment | Perform an action relating to user role assignment. These are synonymous with Admin roles |
Verification code | Perform an action relating to verification codes. Verification codes allow users to recover their accounts when 2-step authentication is enabled |
App specific password | Perform an action relating to an app specific password. App specific passwords are used to access apps or devices which do not enforce 2-step verification. Users can generate these passwords and you can use Workato to revoke these passwords in the event of lost devices or re-provisioning of apps |
Access token | Perform an action relating to the access token of an application under a user |
Mobile Device | Perform an action relating to a mobile device associated with a user |
License | Perform an action relating to the license of various Google products |
When using Google Workspace actions in Workato, you'll be able to specify which object you want to use.
Last updated: 9/9/2023, 2:27:33 AM