# Google Workspace
Google Workspace (opens new window), formerly known as G Suite, is a collection of cloud computing, productivity, and collaboration tools developed by Google.
Workato enables you to add, delete, update, fetch, or search for objects, such as users, groups, or roles. For example, when onboarding new employees, you can use the Google Workspace connector to automatically add their details to Google Workspace, streamlining the process.
# API version
The Google Workspace connector uses Google Admin SDK (opens new window) to connect to the admin services.
# How to connect to Google Workspace on Workato
The Google Workspace connector supports the following authentication methods:
# OAuth 2.0
Complete the following steps to set up an OAuth 2.0 connection:
Sign in to your Workato account and navigate to the project where you plan to add your Google Workspace connection.
Click Create > Connection.
Search for and select Google Workspace as your connection.
Provide a Connection name that identifies the Google Workspace instance to which Workato is connected.
Use the Location menu to select the project where you plan to store the connection.
Select OAuth 2.0 in the Authentication type menu.
Optional. Expand the Advanced settings section and select OAuth 2.0 scopes to request for your connection.
In addition to your selected scopes, Workato requests the following scopes by default:
| Description | Scope requested |
|---|---|
| View and manage the provisioning of users on your domain | admin.directory.user |
| View and manage organization units on your domain | admin.directory.orgunit |
| View and manage the provisioning of domains for your customers | admin.directory.domain |
| View and manage the provisioning of user schemas on your domain | admin.directory.userschema |
| View and manage the provisioning of groups on your domain | admin.directory.group |
| View and manage group subscriptions on your domain | admin.directory.group.member |
| View and manage data transfers between users in your organization | admin.datatransfer |
| Manage your mobile devices by performing administrative tasks | admin.directory.device.mobile.action |
| View audit reports for your G Suite domain | admin.reports.audit.readonly |
| View usage reports for your G Suite domain | admin.reports.usage.readonly |
| Manage delegated admin roles for your domain | admin.directory.rolemanagement |
| Manage data access permissions for users on your domain | admin.directory.user.security |
Refer to the directory API-specific authorization and authentication information (opens new window) or OAuth 2.0 Scopes for Google APIs (opens new window) for more information about scopes.
Click Sign in with Google.
Connect to Google Workspace
Sign in with your Google account. Your Google account should have admin privileges to make organization-wide changes in Google Workspace.
Click Allow to enable Workato to access your Google account.
Enable Workato to access your Google account
# Service account
You can also authenticate to Google Workspace using a Google Cloud service account. A service account is a special type of Google account associated with your Google Cloud Project that can be used to run API requests on your behalf. You can use a service account in Google Workspace to ensure that the solution continues running even if an individual user's permissions change. Refer to the Google documentation on service accounts (opens new window) for more information.
You must sign in to your Google Cloud Platform (GCP) console to create a service account. Refer to the Google Cloud documentation to learn how to complete the following:
- Create a new service account (opens new window) in your GCP project.
- Create a new private key and download the key in JSON format (opens new window).
After you download the key file, you can't download it again.
| Input field | Description |
|---|---|
| Connection name | Provide a name that identifies the Google Workspace instance to which Workato is connected. |
| Location | Select the location where you plan to store your connection. |
| Authentication type | Select Service account as your authentication type. |
| GCP project service account email | Enter the service account's email address. |
| Private key | Enter the private key obtainable from the downloadable JSON. Include both the -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----\n. |
| User email | Enter the email address of the user account to impersonate. Workato will perform actions on behalf of the impersonated email through the authenticated service account. |
REQUIRED SCOPES FOR SERVICE ACCOUNT AUTHENTICATION
To successfully connect to Google Workspace using a service account, the following permissions are required:
admin.directory.useradmin.directory.orgunitadmin.directory.domainadmin.directory.groupadmin.directory.group.memberadmin.datatransferadmin.directory.device.mobile.actionadmin.directory.userschemaadmin.reports.audit.readonlyadmin.reports.usage.readonlyadmin.directory.rolemanagementadmin.directory.user.security
The service account impersonates the user based on the email input provided during the connection setup after authentication is complete.
# Add Workato Google Workspace connector to the allowlist
Refer to the Google Workspace Admin documentation for detailed instructions on managing OAuth-based access to connected apps (opens new window).
Complete the following steps to add the Workato Google Workspace connector app to the allowlist:
SUPER ADMINISTRATOR ROLE REQUIRED
You must be signed in as a super administrator (opens new window) of your Google Workspace to complete the following actions.
Sign in to the Admin Console of your Google Workspace.
Navigate to Security > API controls.
Click Security in Admin Console
Click API controls
Navigate to Manage third-party app access and click Add app > OAuth App Name Or Client ID.
Click Manage third-party app access
Click Add app > OAuth App Name Or Client ID
Search for the Workato Google Workspace connector app by its OAuth 2.0 client ID:
683878741543-7u1l9k9da9iulujk2c48uuc39ab5vkqq.apps.googleusercontent.com
Click Select on the available OAuth client ID.
Fill in the OAuth 2.0 Client ID
Check the box for the client ID you plan to configure, then click Select.
Select the available OAuth client ID
Select the user you plan to configure access for.
Select the user to configure access for
Click Continue.
Select the Trusted option for app access.
Select trust level for the Workato app
Click Continue.
Review the settings for the new app, then click Finish.
Review settings for the new app, then click Finish
# Google Workspace - Action objects
Workato allows you to add, delete, update, fetch, or search for objects on Google Workspace. The input field entries change based on the object you choose.
| Objects | Description |
|---|---|
| User | Perform an action on a user. |
| User alias | Perform an action on the aliases associated with a user, which are alternate email addresses. |
| Group | Perform an action on a user group. |
| Organizational unit | Perform an action on an organizational unit. |
| Member to group | Perform an action on a user with relation to a group. |
| Role assignment | Perform an action relating to user role assignment. These are synonymous with Admin roles. |
| Verification code | Perform an action relating to verification codes. Verification codes allow users to recover their accounts when two-step authentication is enabled. |
| App specific password | Perform an action relating to an app-specific password. App-specific passwords are used to access apps or devices that do not enforce two-step verification. Users can generate these passwords and you can use Workato to revoke these passwords in the event of lost devices or re-provisioning of apps. |
| Access token | Perform an action relating to the access token of an application under a user. |
| Mobile Device | Perform an action relating to the mobile device associated with a user. |
| License | Perform an action relating to the license of various Google products. |
You can specify the object you plan to use when using Google Workspace actions in Workato.
Last updated: 9/13/2024, 2:23:00 AM