# Set up a Google Workspace connector

> C1 provides identity governance and just-in-time provisioning for Google Workspace. Integrate your Google Workspace instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

<Tip>
  **This is an updated and improved version of the Google Workspace integration!** If you're setting up a Google Workspace connector with C1 for the first time, you're in the right place.
</Tip>

## Capabilities

| Resource                | Sync                                                          | Provision                                                     |
| :---------------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts                | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Groups                  | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Roles                   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Enterprise Applications | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |

The Google Workspace connector supports [automatic account provisioning and deprovisioning](/product/admin/account-provisioning).

### Connector actions

Connector actions are custom capabilities that extend C1 automations with app-specific operations. You can use connector actions in the [Perform connector action](/product/admin/automations-steps-reference#perform-connector-action) automation step.

| Action name                         | Additional fields                                                                                                                                                                                                               | Description                                                                                                            |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| update\_user\_status                | `resource_id` (string, required)<br />`is_suspended` (boolean, required)                                                                                                                                                        | Suspends or activates a user account                                                                                   |
| disable\_user                       | `user_id` (string, required)                                                                                                                                                                                                    | Suspends a user account (idempotent)                                                                                   |
| enable\_user                        | `user_id` (string, required)                                                                                                                                                                                                    | Unsuspends a user account (idempotent)                                                                                 |
| change\_user\_primary\_email        | `resource_id` (string, required)<br />`new_primary_email` (string, required)                                                                                                                                                    | Updates a user's primary email address                                                                                 |
| transfer\_user\_drive\_files        | `resource_id` (string, required)<br />`target_resource_id` (string, required)<br />`privacy_levels` (string, optional)                                                                                                          | Transfers Google Drive ownership from one user to another. Accepts `private` or `shared` for privacy\_levels           |
| transfer\_user\_calendar            | `resource_id` (string, required)<br />`target_resource_id` (string, required)<br />`release_resources` (boolean, optional)                                                                                                      | Transfers Google Calendar data from one user to another                                                                |
| change\_user\_org\_unit             | `user_id` (string, required)<br />`org_unit_path` (string, required)                                                                                                                                                            | Moves a user to a different organizational unit                                                                        |
| offboarding\_profile\_update        | `user_id` (string, required)<br />`archive_account` (boolean, optional)                                                                                                                                                         | Comprehensive offboarding: removes from GAL, clears recovery details, deletes addresses/phones, optionally archives    |
| sign\_out\_user                     | `user_id` (string, required)                                                                                                                                                                                                    | Signs user out of all sessions and resets sign-in cookies                                                              |
| delete\_all\_oauth\_tokens          | `user_id` (string, required)                                                                                                                                                                                                    | Revokes all third-party app authorizations                                                                             |
| delete\_all\_application\_passwords | `user_id` (string, required)                                                                                                                                                                                                    | Deletes all app-specific passwords                                                                                     |
| create\_group                       | `email` (string, required)<br />`name` (string, required)<br />`description` (string, optional)                                                                                                                                 | Creates a new Google Workspace group                                                                                   |
| modify\_group\_settings             | `group_key` (string, required)<br />`allow_external_members` (boolean, optional)<br />`allow_web_posting` (boolean, optional)<br />`who_can_post_message` (string, optional)<br />`message_moderation_level` (string, optional) | Update settings for an existing Google Group                                                                           |
| update\_user\_manager               | `user_id` (string, required)<br /> `manager_email` (string, required)                                                                                                                                                           | Updates the manager relation for a user in Google Workspace. Updates the 'manager' entry in the user's Relations field |

## Gather Google Workspace credentials

Configuring the connector requires you to pass in credentials generated in Google Workspace. Gather these credentials before you move on.

<Warning>
  A user with the **Super Admin** role in Google Workspace must perform this task.
</Warning>

### Create a new project

<Steps>
  <Step>
    As a Google Workspace Super Admin, sign in to [https://console.cloud.google.com](https://console.cloud.google.com/).
  </Step>

  <Step>
    In the toolbar, open the project select dropdown and click **NEW PROJECT**.
  </Step>

  <Step>
    Create a new project for your organization:

    * **Project Name**: Choose a name, such as "C1 Integration"
    * **Organization/Location**: Choose the appropriate Organization/Location
  </Step>

  <Step>
    After the project is created, make sure the correct project is selected in the dropdown in the toolbar at the top of the page.
  </Step>
</Steps>

### Enable the API

<Steps>
  <Step>
    In the navigation menu, go to **APIs & Services** > **Library**.
  </Step>

  <Step>
    Search for and select the **Admin SDK API**.
  </Step>

  <Step>
    Click **Enable**.
  </Step>

  <Step>
    **Optional.** If you want to use the `modify_group_settings` connector action, you must also search for, select, and enable the **Groups Settings API**.
  </Step>

  <Step>
    You must also search for, select, and enable the **Cloud Identity API** (used for resolving SAML app IDs to stable identifiers).
  </Step>
</Steps>

### Create a service account

<Steps>
  <Step>
    In the navigation menu, go to **APIs & Services** > **Credentials**.
  </Step>

  <Step>
    Select **CREATE CREDENTIALS** > **Service Account**.
  </Step>

  <Step>
    Under **Service account details**, fill in the following:

    * **Service account name:** C1 Integration
    * **Service account description:** for example, "Service account for C1 Google Workspace Integration"
    * Click **CREATE AND CONTINUE**
  </Step>

  <Step>
    Under **Grant this service account access to a project**, grant the **Editor** role.
  </Step>

  <Step>
    Leave **Grant users access to this service account** blank.
  </Step>

  <Step>
    Click **DONE**.
  </Step>
</Steps>

### Get credentials

<Steps>
  <Step>
    Navigate back to **APIs & Services** > **Credentials** and select the service account you just created.
  </Step>

  <Step>
    Click the service account's email address. Locate and save the **Unique ID**.
  </Step>

  <Step>
    On the **Service account details** page, click **KEYS**.
  </Step>

  <Step>
    Click **ADD KEY** > **Create new key**.
  </Step>

  <Step>
    Choose **JSON** and click **CREATE**.
  </Step>

  <Step>
    Keep the downloaded file somewhere safe.
  </Step>
</Steps>

### Add the service account to Google Workspace

<Steps>
  <Step>
    Go to [https://admin.google.com](https://admin.google.com) as a **SUPER ADMIN**.
  </Step>

  <Step>
    In the navigation menu, select **Security** > **Access and data control** > **API Controls**.
  </Step>

  <Step>
    Click **MANAGE DOMAIN WIDE DELEGATION**.
  </Step>

  <Step>
    Click **Add new** and fill out the form:

    * **Client ID**: The service account's unique ID
    * **OAuth Scopes**: Copy and paste in the relevant scopes

      Use the following scopes to give C1 **READ** access (for syncing access data):

      ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
      https://www.googleapis.com/auth/admin.directory.domain.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.directory.user.security, https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly
      ```

      Here's an explanation of each scope's purpose:

      * Scope:   [https://www.googleapis.com/auth/admin.directory.domain.readonly](https://www.googleapis.com/auth/admin.directory.domain.readonly) <br />
        Purpose: To identify the primary domain of the Google Workspace account.

      * Scope:   [https://www.googleapis.com/auth/admin.directory.group.readonly](https://www.googleapis.com/auth/admin.directory.group.readonly) <br />
        Purpose: To read and sync Google Groups.

      * Scope:   [https://www.googleapis.com/auth/admin.directory.group.member.readonly](https://www.googleapis.com/auth/admin.directory.group.member.readonly) <br />
        Purpose: To read and sync the members of each group.

      * Scope:   [https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly](https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly) <br />
        Purpose: To read and sync roles and their assignments.

      * Scope:   [https://www.googleapis.com/auth/admin.directory.user.readonly](https://www.googleapis.com/auth/admin.directory.user.readonly) <br />
        Purpose: To read and sync users.

      * Scope:   [https://www.googleapis.com/auth/admin.reports.audit.readonly](https://www.googleapis.com/auth/admin.reports.audit.readonly) <br />
        Purpose: To sync usage events and admin events (used in conjunction with incremental sync).

      * Scope:   [https://www.googleapis.com/auth/admin.directory.user.security](https://www.googleapis.com/auth/admin.directory.user.security) <br />
        Purpose: To discover OAuth apps via per-user token listing.

      * Scope:   [https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly](https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly) <br />
        Purpose: (Optional) To resolve SAML app IDs to stable identifiers. Without it, SAML app IDs fall back to display names.

      Use the following scopes to give C1 **READ/WRITE** access (for syncing access data and provisioning access):

      ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
      https://www.googleapis.com/auth/admin.directory.domain.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.rolemanagement, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.datatransfer, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.user.security, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly
      ```

      Here's an explanation of each scope's purpose:

      * Scope:   [https://www.googleapis.com/auth/admin.directory.domain.readonly](https://www.googleapis.com/auth/admin.directory.domain.readonly) <br />
        Purpose: To identify the primary domain of the Google Workspace account.

      * Scope:   [https://www.googleapis.com/auth/admin.directory.group.readonly](https://www.googleapis.com/auth/admin.directory.group.readonly) <br />
        Purpose: To read and sync Google Groups.

      * Scope:   [https://www.googleapis.com/auth/admin.directory.group.member](https://www.googleapis.com/auth/admin.directory.group.member) <br />
        Purpose: (Write) To manage group memberships (add or remove users from groups).

      * Scope:   [https://www.googleapis.com/auth/admin.directory.rolemanagement](https://www.googleapis.com/auth/admin.directory.rolemanagement) <br />
        Purpose: (Write) To manage role assignments (grant or revoke roles).

      * Scope:   [https://www.googleapis.com/auth/admin.directory.user](https://www.googleapis.com/auth/admin.directory.user) <br />
        Purpose: (Write) To provision/deprovision accounts.

      * Scope:   [https://www.googleapis.com/auth/admin.reports.audit.readonly](https://www.googleapis.com/auth/admin.reports.audit.readonly) <br />
        Purpose: To sync usage events and admin events (used in conjunction with continuous sync).

      * Scope:   [https://www.googleapis.com/auth/admin.datatransfer](https://www.googleapis.com/auth/admin.datatransfer) <br />
        Purpose: (Write) To transfer user data between Google accounts.

      * Scope:   [https://www.googleapis.com/auth/admin.directory.group](https://www.googleapis.com/auth/admin.directory.group) <br />
        Purpose: (Write) To provision groups.

      * Scope:   [https://www.googleapis.com/auth/admin.directory.user.security](https://www.googleapis.com/auth/admin.directory.user.security) <br />
        Purpose: (Write) To discover OAuth apps and run actions for removing a user's access (sign out, delete auth tokens and app passwords).

      * Scope:   [https://www.googleapis.com/auth/apps.groups.settings](https://www.googleapis.com/auth/apps.groups.settings) <br />
        Purpose: (Write) To edit group settings.

      * Scope:   [https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly](https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly) <br />
        Purpose: (Optional) To resolve SAML app IDs to stable identifiers. Without it, SAML app IDs fall back to display names.
  </Step>

  <Step>
    Click **AUTHORIZE**.
  </Step>

  <Step>
    In the navigation menu, select **Account > Account Settings**.
  </Step>

  <Step>
    Copy the **Customer ID** from this page.
  </Step>
</Steps>

### Locate your primary domain

<Steps>
  <Step>
    In the navigation panel on the left, click **Account** > **Domains**.
  </Step>

  <Step>
    Click **Manage Domains**. Locate and copy the domain labeled as the **Primary Domain** in the **Type** column.
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

## Configure the Google Workspace connector

<Warning>
  This task requires either the **Connector Administrator** or **Super Administrator** role in C1.
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Google Workspace v2** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Google Workspace connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
      </Step>

      <Step>
        Click **Next**.

        * **If you are the connector owner**, go on to the next step.

        * **If someone else is the connector owner**, you can stop here. C1 will notify the connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        In the **Customer ID** field, enter the Google Workspace customer ID.
      </Step>

      <Step>
        **Optional.** If you want to limit which domains C1 syncs, in the **Domain** field, enter the primary domain you copied in the **Locate your primary domain** section. If you leave this field blank, C1 will sync all available domains.
      </Step>

      <Step>
        In the **Administrator email** field, enter the email address of a super admin user in your Google Workspace domain.
      </Step>

      <Step>
        In the **Credentials (JSON)** area, click **Choose file** and upload the file.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Google Workspace connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Google Workspace connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [Official download center](https://dist.conductorone.com/ConductorOne/baton-google-workspace): For stable binaries (Windows/Linux/macOS) and container images.

    * [GitHub repository](https://github.com/conductorone/baton-google-workspace): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new Google Workspace connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**
      </Step>

      <Step>
        Search for **Baton** and click **Add**
      </Step>

      <Step>
        Choose whether to add to an existing application or create new
      </Step>

      <Step>
        Set the connector owner(s)
      </Step>

      <Step>
        Click **Create and add details**
      </Step>

      <Step>
        In the **Settings** area, click **Edit**
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret

        <Warning>
          Save these credentials securely; you'll need them for the Kubernetes configuration.
        </Warning>
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Google Workspace connector deployment:

    #### Secrets configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-google-workspace-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-google-workspace-secrets
    type: Opaque
    data:
      # C1 credentials
      BATON_CLIENT_ID: <base64 encoded C1 client ID>
      BATON_CLIENT_SECRET: <base64 encoded C1 client secret>

      # Google Workspace specific credentials
      BATON_CUSTOMER_ID: <base64 encoded customer ID>
      BATON_DOMAIN: <base64 encoded domain>
      BATON_ADMINISTRATOR_EMAIL: <base64 encoded administrator email>
      BATON_CREDENTIALS_JSON: <base64 encoded credentials JSON>

      # Optional: include if you want C1 to provision access using this connector.
      # Every value under data: must be base64 encoded, so encode the string "true"
      # rather than writing a bare YAML boolean (which the API server rejects).
      BATON_PROVISIONING: dHJ1ZQ==
    ```

    **Base64 Encoding:** Use `echo -n "your-value" | base64` to encode your secrets. The `-n` matters: without it, a trailing newline becomes part of the stored value. For the multi-line credentials JSON, encode the whole file and strip any line wrapping, for example `base64 < credentials.json | tr -d '\n'`.

    See the connector's README or run the connector with `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-google-workspace.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-google-workspace
      labels:
        app: baton-google-workspace
    spec:
      selector:
        matchLabels:
          app: baton-google-workspace
      template:
        metadata:
          labels:
            app: baton-google-workspace
            # Label values must be strings; an unquoted true is a YAML boolean
            # and the API server rejects the manifest.
            baton: "true"
            baton-app: google-workspace
        spec:
          containers:
          - name: baton-google-workspace
            image: ghcr.io/conductorone/baton-google-workspace:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-google-workspace
            envFrom:
            - secretRef:
                name: baton-google-workspace-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Google Workspace connector to. Google Workspace data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Google Workspace connector is now pulling access data into C1.
  </Tab>
</Tabs>
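The Secret manifest from the self-hosted Step 2 above is easy to get wrong by hand. This added example (not C1's or the baton-google-workspace project's code) lints such a manifest before `kubectl apply`: it flags values that were never base64-encoded, a credentials value that is not a service account key, and missing keys. The sample manifest and key file embedded in it are constructed.

```python
"""Added example (not from C1 or the baton-google-workspace project): lint a
baton-google-workspace Secret manifest before `kubectl apply`. It catches values
that were never base64-encoded (such as a bare `true` for BATON_PROVISIONING),
a credentials value that is not a service account key, and missing keys."""
import base64
import binascii
import json

REQUIRED_KEYS = ("BATON_CLIENT_ID", "BATON_CLIENT_SECRET", "BATON_CUSTOMER_ID",
                 "BATON_ADMINISTRATOR_EMAIL", "BATON_CREDENTIALS_JSON")

def read_secret_data(manifest):
    """Minimal stdlib parser for the `data:` mapping of a flat Secret manifest.
    Returns {key: raw_value}; comments and blank lines are dropped."""
    data, in_data = {}, False
    for line in manifest.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line.startswith(" "):        # top-level key: are we entering data:?
            in_data = stripped == "data:"
            continue
        if in_data and ":" in stripped:
            key, _, value = stripped.partition(":")
            data[key.strip()] = value.strip()
    return data

def decode_value(raw):
    """Strictly decode one data value; None if it is not base64-encoded text."""
    try:
        text = base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def lint_secret(manifest):
    """Return a list of problems; an empty list means the manifest looks sane."""
    data, problems, plain = read_secret_data(manifest), [], {}
    for key in REQUIRED_KEYS:
        if key not in data:
            problems.append(f"{key}: missing")
    for key, raw in data.items():
        text = decode_value(raw)
        if text is None:
            problems.append(f"{key}: value is not base64 (run it through base64)")
        else:
            plain[key] = text
    if plain.get("BATON_PROVISIONING", "true") not in ("true", "false"):
        problems.append("BATON_PROVISIONING: must decode to 'true' or 'false'")
    creds = plain.get("BATON_CREDENTIALS_JSON")
    if creds is not None:
        try:
            key_file = json.loads(creds)
        except json.JSONDecodeError:
            key_file = {}
        if (not isinstance(key_file, dict) or key_file.get("type") != "service_account"
                or "client_email" not in key_file):
            problems.append("BATON_CREDENTIALS_JSON: not a service account key file")
    if "@" not in plain.get("BATON_ADMINISTRATOR_EMAIL", "@"):
        problems.append("BATON_ADMINISTRATOR_EMAIL: not an email address")
    return problems

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample: everything encoded correctly except BATON_PROVISIONING,
# which was pasted as a bare `true` (the mistake this linter exists to catch).
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "example-project",
                         "client_email": "c1-integration@example-project.iam.gserviceaccount.com"})
SAMPLE_MANIFEST = f"""# baton-google-workspace-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-google-workspace-secrets
type: Opaque
data:
  BATON_CLIENT_ID: {b64('client-id-placeholder')}
  BATON_CLIENT_SECRET: {b64('client-secret-placeholder')}
  BATON_CUSTOMER_ID: {b64('C0example1')}
  BATON_ADMINISTRATOR_EMAIL: {b64('admin@example.com')}
  BATON_CREDENTIALS_JSON: {b64(SAMPLE_KEY)}
  BATON_PROVISIONING: true
"""

if __name__ == "__main__":
    for problem in lint_secret(SAMPLE_MANIFEST):
        print(problem)
```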

### What's next?

If Google Workspace is your company's identity provider (meaning that it is used to SSO into other software), the integration sync will automatically create applications in C1 for all of your SCIMed software. Before you move on, review the [Create applications](/product/admin/applications) page for important information about how to set up integrations with the SCIMed apps.

## Troubleshooting the Google Workspace integration

### When adding permissions to my Google Workspace API client I get authorization errors

**Example error:**

`error using connector deprovision [attempt #3]: error: delete resource failed: googleapi: Error 403: Request had insufficient authentication scopes. Details: [ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "domain": "googleapis.com", "metadata": { "method": "ccc.hosted.frontend.directory.v1.DirectoryUsers.Update", "service": "admin.googleapis.com" }, "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT" } ] More details: Reason: insufficientPermissions, Message: Insufficient Permission`

**To resolve this issue:**

Remove the Google Workspace API Client, then re-add with the correct permissions.

<Steps>
  <Step>
    Copy the Client ID.
  </Step>

  <Step>
    Delete the API Client.
  </Step>

  <Step>
    Add a new Client ID.
  </Step>

  <Step>
    Re-add the relevant scopes:

    Read-only

    ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    https://www.googleapis.com/auth/admin.directory.domain.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.directory.user.security, https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly
    ```

    Read/Write

    ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    https://www.googleapis.com/auth/admin.directory.domain.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.rolemanagement, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.datatransfer, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.user.security, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly
    ```
  </Step>
</Steps>
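The scope lists under **Add the service account to Google Workspace** and the 403 error in this troubleshooting entry are two views of the same problem. As an added example (not code from C1 or Google), the following script audits a pasted scope list against the two documented sets and explains a scope error like the one above; the mapping from the error's method name to a scope family is an assumption inferred from the scope purposes on this page, not a Google reference.

```python
"""Added example (not C1's or Google's code): audit the scopes granted to the
connector's client ID under "Manage domain wide delegation" against the two sets
documented on this page, and explain a googleapi 403 scope error such as the one
in the troubleshooting section."""
import json

PREFIX = "https://www.googleapis.com/auth/"

# The documented READ and READ/WRITE scope sets (short names; PREFIX is prepended).
READ_ONLY = {PREFIX + s for s in (
    "admin.directory.domain.readonly", "admin.directory.group.readonly",
    "admin.directory.group.member.readonly", "admin.directory.rolemanagement.readonly",
    "admin.directory.user.readonly", "admin.reports.audit.readonly",
    "admin.directory.user.security", "cloud-identity.inboundsso.readonly")}
READ_WRITE = {PREFIX + s for s in (
    "admin.directory.domain.readonly", "admin.directory.group.readonly",
    "admin.directory.group.member", "admin.directory.rolemanagement",
    "admin.directory.user", "admin.reports.audit.readonly", "admin.datatransfer",
    "admin.directory.group", "admin.directory.user.security",
    "apps.groups.settings", "cloud-identity.inboundsso.readonly")}

# Assumed mapping from the Directory resource named in the error's "method" field to
# the scope family governing it (inferred from the scope purposes on this page).
RESOURCE_SCOPE = {"DirectoryUsers": "admin.directory.user",
                  "DirectoryGroups": "admin.directory.group",
                  "DirectoryMembers": "admin.directory.group.member",
                  "DirectoryRoleAssignments": "admin.directory.rolemanagement"}
WRITE_VERBS = {"Insert", "Update", "Patch", "Delete", "Undelete"}

# The troubleshooting section's example error, reused here as sample input.
SAMPLE_ERROR = (
    "error using connector deprovision [attempt #3]: error: delete resource failed: "
    "googleapi: Error 403: Request had insufficient authentication scopes. Details: "
    '[ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "domain": "googleapis.com", '
    '"metadata": { "method": "ccc.hosted.frontend.directory.v1.DirectoryUsers.Update", '
    '"service": "admin.googleapis.com" }, "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT" } ] '
    "More details: Reason: insufficientPermissions, Message: Insufficient Permission")

def parse_dwd_scopes(text):
    """Parse a comma-separated scope list as pasted into the delegation form."""
    return {s.strip() for s in text.replace("\n", ",").split(",") if s.strip()}

def audit_scopes(granted, provisioning):
    """Return (missing, extra) versus the documented set for the chosen mode;
    extras on a read-only connector are over-privilege worth removing."""
    expected = READ_WRITE if provisioning else READ_ONLY
    return sorted(expected - granted), sorted(granted - expected)

def extract_error_info(error_text):
    """Pull the google.rpc.ErrorInfo object out of a googleapi error string."""
    start = error_text.find("Details: ")
    if start < 0:
        return None
    try:
        details, _ = json.JSONDecoder().raw_decode(error_text, start + len("Details: "))
    except json.JSONDecodeError:
        return None
    for item in details if isinstance(details, list) else []:
        if item.get("@type", "").endswith("google.rpc.ErrorInfo"):
            return item
    return None

def diagnose(error_text, granted):
    """Explain an ACCESS_TOKEN_SCOPE_INSUFFICIENT error in terms of granted scopes."""
    info = extract_error_info(error_text)
    if info is None or info.get("reason") != "ACCESS_TOKEN_SCOPE_INSUFFICIENT":
        return {"status": "not_a_scope_error"}
    method = info.get("metadata", {}).get("method", "")
    parts = method.split(".")
    resource, verb = (parts[-2], parts[-1]) if len(parts) >= 2 else ("", method)
    family = RESOURCE_SCOPE.get(resource)
    if family is None:
        return {"status": "unknown_resource", "method": method}
    full, readonly = PREFIX + family, PREFIX + family + ".readonly"
    if verb in WRITE_VERBS:
        satisfied, required = full in granted, full
    else:
        satisfied, required = bool({full, readonly} & granted), readonly
    return {"status": "scope_present" if satisfied else "missing_scope",
            "method": method, "required_scope": required,
            # Classic cause: the READ scope set was granted but provisioning is on.
            "readonly_only": readonly in granted and full not in granted}

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, READ_ONLY))
    print(audit_scopes(READ_ONLY, provisioning=True))
```

Run `diagnose` on the error text from your connector logs and `audit_scopes` on the scope string copied out of the delegation form; `readonly_only` being true is the usual answer when provisioning was enabled on a connector set up with the READ scope set.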
