Google Groups Sync

Why synchronizing Google Groups?

The integration is recommended for customers using Google Workspace internally as Identity Provider (IdP). User groups on the organizational level are often already defined and managed within Google. You can synchronize these groups to Flexopus using the Google Directory API with domain-wide delegation.

The synchronized groups are going to be created as external groups in Flexopus, which means that the group and the corresponding users will be provisioned to Flexopus. You can use the external groups within Flexopus to manage access rights for the resource booking.

Instruction manual

STEP 1 - Domain wide delegation

Navigate in your Google admin console to Security > Access and data control > API control > Domain-wide delegation.

Click on add new.
Enter the following permission for a domain wide delegation:
Client ID: 102780533799401464971
OAuth scope: https://www.googleapis.com/auth/admin.directory.group.readonly

STEP 2 - Flexopus configuration

Navigate in Flexopus to Dashboard > Settings > Integrations > Google Groups. Enter the Google admin email address of yours in the Google admin email field. SAVE the settings.

Click on the button: Test connection. This should be successful.
After this, you can click on the External groups button and select which Google Groups suppose to be synchronized to Flexopus.

We do not synchronize all the groups by default, only the explicitly assigned groups will be provisioned. You may have more groups in your Google Directory, still only the selection will be used.

Only the assigned groups will be synchronized. You can add a group by entering the E-Mail address or the group id of the groups. After connecting the groups, it will be synchronized as long the connection is in place. The data is synchronized automatically, however you can also trigger a manual synchronization.

To find the group email address, navigate in your Google admin console to Directory > Groups and open the specific group. The group id can be found in the URL can be found in the URL:
https://admin.google.com/u/1/ac/groups/{group-id}

Once you assigned a group and started the provisioning, you can expect the following changes in Flexopus. The groups will be provisioned with an external marking to Flexopus, which means that you can not edit the groups locally in Flexopus. You can not change the names, add user or delete user from the group. The single source of truth will be the group structure in your Google Workspace Directory.

You can use the groups for access management within Flexopus similar to the other internal or system groups.

Based on your configuration, you can decide, if we should create new user accounts for the group members without existing user account in Flexopus.

Best practices using the group synchronization

The fact that you can synchronize groups from your Google Directory to Flexopus doesn't mean that you should manage all your groups through this integration. We recommend syncing only a limited amount of groups, that also has a reason to be synchronized. The Google Directory is usually the playground of the IT department to manage access to applications and services, and not necessary to manage desk assignment on the user level.

Manage and maintain groups in the Google Directory, which potentially can be used for other use cases as well. A group like AllCompanyUsers can be managed in Google, but a group like DepartmenAWorkstationGroup2 could be managed in Flexopus directly.

Decide who should maintain the group for the desk assignment. Is it the responsibility of the IT department or is it the responsibility of the facility management, the departments, or the HR? The once that suppose to manage the groups shall have access to the group management. In most of the cases, the IT has access to the Google admin console and the other has no access. We should avoid creating support tickets for each change per group.

Suggestion - One external group

A very simple solution is to synchronize only one group. Let's name this groups AllFlexopusUsers. This group contains the users that suppose to have access to Flexopus.

Once you connected the AllFlexopusUsers groups and start the provisioning, the group itself and all the users within the groups will be synchronized to Flexopus, even if they did not log in into Flexopus yet.

This way we can provision all the users to Flexopus, and the Flexopus administrators can group them locally at Flexopus as they wish. You can grant permission to Flexopus administrators to create and manage other groups in Flexopus. This way, you as IT admin can outsource the management of the groups to the once that are interested in the management of the groups. You have only one group to manage in the AD.

USE CASE - New employee starting (create through provisioning)

In case a new employee will start on the first day of the next month, we will need to allow the new employee to book the right resource from day one. Which means that the employee should have the right groups for reservation before the first login. If we add the user as a part of the onboarding process to the AllFlexopusUsers group, the user profile will be created automatically at Flexopus. After the creation, the local Flexopus administrators can assign the suer profile to the local groups.

Delete integration

Navigate in Flexopus to Dashboard > Settings > Integrations > Google groups and click on the Disconnect button, the synchronized groups will no longer be updated. This also disconnects the connected groups and converts them to internal groups.

In the second step, delete the domain wide delegated Google Management API rights on your Google admin console.

R0109