Skip to main content

Google integrations

Google Groups sync

Why synchronize Google Groups?

The integration is recommended for customers using Google Workspace internally as Identity Provider (IdP). User groups on the organizational level are often already defined and managed within Google. You can synchronize these groups to Flexopus using the Google Directory API with domain-wide delegation.

The synchronized groups are going to be created as external groups in Flexopus, which means that the group and the corresponding users will be provisioned to Flexopus. You can use the external groups within Flexopus to manage access rights for the resource booking.

💡
Example:
Assume you have two groups in your Google Workspace directory, TEAM-A and TEAM-B, defined as Google Groups. You can send these groups to Flexopus and connect TEAM-A with five specific workstations on the interactive floor plan and TEAM-B with ten other desks. This setup lets you manage group membership in Google Workspace, controlling who can book the associated workstations through these connected groups.

Instruction manual


STEP 1 - Domain wide delegation

Navigate in your Google admin console to Navigate to Security > Access and data control > API control > Domain-wide delegation.

Manage domain wide delegation

Click on add new.
Enter the following permission for a domain wide delegation:
Client ID: 102780533799401464971
OAuth scope: https://www.googleapis.com/auth/admin.directory.group.readonly

Configure domain wide delegation
💡
Note: Google's domain-wide delegation allows apps like Flexopus to access data across your organization's Google Workspace environment. For more information on domain-wide delegation, see Google's documentation.

STEP 2 - Flexopus configuration

Navigate in Flexopus to Dashboard > Settings > Integrations > Google Groups. Enter your Google admin email address in the "Google admin email" field and SAVE the settings.

Add admin email address

Click on the Test connection button to ensure a successful connection. Afterward, click on the External groups button and select the specific Google Groups you want to synchronize with Flexopus.

Test connection

We do not synchronize all the groups by default, only the explicitly assigned groups will be provisioned. You may have more groups in your Google Directory, however, only the selection will be used.

💡
Note! Flexopus only supports flat groups. For the nested groups, we only sync the first level, however it’s not a problem since the nested groups are sent as flat groups to Flexopus including all users in the nested tree.

Only the assigned groups will be synchronized. You can add a group by entering the E-Mail address or the corresponding group ID. After connecting the groups, it will be synchronized as long the connection is in place. The data is synchronized automatically, however you can also trigger a manual synchronization.

To find the group email address, navigate in your Google admin console to Directory > Groups and open the specific group. The Group ID can be found in the URL:
https://admin.google.com/u/1/ac/groups/{group-id}

Once you assigned a group and started the provisioning, you can expect the following changes in Flexopus. The groups will be provisioned with an external marking to Flexopus, which means that you can not edit the groups locally in Flexopus. You can not change the names, add user or delete user from the group. The single source of truth will be the group structure in your Google Workspace Directory.

Synchronized groups

You can use the groups for access management within Flexopus similar to the other internal or system groups.

Based on your configuration, you can decide if we should create new user accounts for the group members without existing user accounts in Flexopus.

💡
IMPORTANT! Google Groups may contain users outside your organization (e.g., personal addresses like myaddress@gmail.com). Be cautious about who is added to your Google Group, as Flexopus should only include users intended for resource bookings. Even if a user is created in Flexopus due to their membership in a connected Google Group, this doesn’t automatically grant them login access. If you have configured SAML2 SSO for Google users, only authorized users with valid credentials can log in.

Best practices using the group synchronization

Syncing groups from Google Directory to Flexopus doesn’t mean you should sync all groups. Only synchronize groups with a clear, specific purpose for Flexopus. Google Directory, typically managed by IT, is meant for broader access management and might not be ideal for desk assignment at the user level. Keep in mind:

  • Maintain reusable groups in Google Directory for multi-use cases (e.g., AllCompanyUsers).
  • Use Flexopus for specialized groups like DepartmentAWorkstationGroup2.

Decide who manages desk assignment groups—IT, facilities, or HR. Usually, only IT has access to the Google admin console. Limit support tickets by ensuring the right team has group management access.


Suggestion - One external group

Syncing a single group, like AllFlexopusUsers, simplifies user management in Flexopus. By syncing only this group, all users within it gain access to Flexopus, even before their first login. Here’s the setup and benefits:

  • Sync AllFlexopusUsers: This group contains all authorized Flexopus users.
  • Provision users in Flexopus: Syncing creates profiles for all AllFlexopusUsers members, so Flexopus admins can assign users to local groups as needed.
  • Group management delegation: Grant Flexopus admins the ability to manage and create groups locally in Flexopus. IT only manages AllFlexopusUsers in AD.

Use Case - New Employee Onboarding: Add new employees to AllFlexopusUsers as part of onboarding. Their profiles sync automatically to Flexopus, allowing Flexopus admins to group and set permissions before their start date.


Delete integration

To disconnect Google Groups from Flexopus, follow these steps:

  1. Navigate in Flexopus: Go to Dashboard > Settings > Integrations > Google Groups.
  2. Disconnect: Click the Disconnect button. Synchronized groups will stop updating and become internal groups.
  3. Remove API Rights in Google Console: In your Google Admin Console, delete the domain-wide delegated Google Management API rights.

This completes the disconnection process.

R0109