Google Groups sync
Why synchronize Google Groups?
The integration is recommended for customers using Google Workspace internally as Identity Provider (IdP). User groups on the organizational level are often already defined and managed within Google. You can synchronize these groups to Flexopus using the Google Directory API with domain-wide delegation.
The synchronized groups are going to be created as external groups in Flexopus, which means that the group and the corresponding users will be provisioned to Flexopus. You can use the external groups within Flexopus to manage access rights for the resource booking.
Assume you have two groups in your Google Workspace directory, TEAM-A and TEAM-B, defined as Google Groups. You can send these groups to Flexopus and connect TEAM-A with five specific workstations on the interactive floor plan and TEAM-B with ten other desks. This setup lets you manage group membership in Google Workspace, controlling who can book the associated workstations through these connected groups.
Instruction manual
STEP 1 - Domain wide delegation
Navigate in your Google admin console to Navigate to Security > Access and data control > API control > Domain-wide delegation.
Click on add new
.
Enter the following permission for a domain wide delegation:
Client ID: 102780533799401464971
OAuth scope: https://www.googleapis.com/auth/admin.directory.group.readonly
STEP 2 - Flexopus configuration
Navigate in Flexopus to Dashboard > Settings > Integrations > Google Groups. Enter your Google admin email address in the "Google admin email" field and SAVE the settings.
Click on the Test connection button to ensure a successful connection. Afterward, click on the External groups button and select the specific Google Groups you want to synchronize with Flexopus.
We do not synchronize all the groups by default, only the explicitly assigned groups will be provisioned. You may have more groups in your Google Directory, however, only the selection will be used.
Only the assigned groups will be synchronized. You can add a group by entering the E-Mail address or the corresponding group ID. After connecting the groups, it will be synchronized as long the connection is in place. The data is synchronized automatically, however you can also trigger a manual synchronization.
To find the group email address, navigate in your Google admin console to Directory > Groups and open the specific group. The Group ID can be found in the URL:https://admin.google.com/u/1/ac/groups/{group-id}
Once you assigned a group and started the provisioning, you can expect the following changes in Flexopus. The groups will be provisioned with an external marking to Flexopus, which means that you can not edit the groups locally in Flexopus. You can not change the names, add user or delete user from the group. The single source of truth will be the group structure in your Google Workspace Directory.
You can use the groups for access management within Flexopus similar to the other internal or system groups.
Based on your configuration, you can decide if we should create new user accounts for the group members without existing user accounts in Flexopus.
Best practices using the group synchronization
Syncing groups from Google Directory to Flexopus doesn’t mean you should sync all groups. Only synchronize groups with a clear, specific purpose for Flexopus. Google Directory, typically managed by IT, is meant for broader access management and might not be ideal for desk assignment at the user level. Keep in mind:
- Maintain reusable groups in Google Directory for multi-use cases (e.g., AllCompanyUsers).
- Use Flexopus for specialized groups like DepartmentAWorkstationGroup2.
Decide who manages desk assignment groups—IT, facilities, or HR. Usually, only IT has access to the Google admin console. Limit support tickets by ensuring the right team has group management access.
Suggestion - One external group
Syncing a single group, like AllFlexopusUsers, simplifies user management in Flexopus. By syncing only this group, all users within it gain access to Flexopus, even before their first login. Here’s the setup and benefits:
- Sync AllFlexopusUsers: This group contains all authorized Flexopus users.
- Provision users in Flexopus: Syncing creates profiles for all AllFlexopusUsers members, so Flexopus admins can assign users to local groups as needed.
- Group management delegation: Grant Flexopus admins the ability to manage and create groups locally in Flexopus. IT only manages AllFlexopusUsers in AD.
Use Case - New Employee Onboarding: Add new employees to AllFlexopusUsers as part of onboarding. Their profiles sync automatically to Flexopus, allowing Flexopus admins to group and set permissions before their start date.
Delete integration
To disconnect Google Groups from Flexopus, follow these steps:
- Navigate in Flexopus: Go to Dashboard > Settings > Integrations > Google Groups.
- Disconnect: Click the Disconnect button. Synchronized groups will stop updating and become internal groups.
- Remove API Rights in Google Console: In your Google Admin Console, delete the domain-wide delegated Google Management API rights.
This completes the disconnection process.
R0109