Google Directory Connection

Google Directory is a cloud-based directory service in which customers can manage user accounts, configure administrator settings for their Google Workspace services, monitor Google Workspace usage in their domain, create groups, and more.

Although Azure AD and on-premises AD remain popular, some companies, especially in the education sector, have recently moved to Google Directory. Users should be able to define profile mappings and group mappings for the entire employment lifecycle. The flow should be able to create or update employee profiles and add or remove memberships.

The Google Directory application on hire2retire uses OAuth authorization. By linking your Google Directory account with hire2retire, you authorize RoboMQ to have delegated access on your behalf. RoboMQ needs the following permissions on your account to provide a seamless integration experience:

| Scope | Explanation |
| --- | --- |
| admin.directory.orgunit.readonly | Scope for only retrieving organizational units. |
| admin.directory.userschema.readonly | Scope for only retrieving custom user schemas. |
| admin.directory.user | Global scope for access to all user and user alias operations. |
| admin.directory.group | Global scope for access to all group operations, including group aliases and members. |
| cloud-identity.groups.readonly | Cloud Identity Groups that you can access, including group members and their emails. |
| offline_access | Maintain access to data you have given it access to. When a user approves the offline_access scope, Hire2retire can receive refresh tokens from the Google identity platform token endpoint. Refresh tokens are long-lived. Hire2retire can get new access tokens as older ones expire. |
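To confirm that the linked account was granted only the scopes in the table above, the grant can be compared against that list. The following is an added example, not code from hire2retire or RoboMQ; the sample record is constructed, and its `scopes` field and the `https://www.googleapis.com/auth/` prefix are assumptions about how the granted scopes are reported.

```python
"""Compare the scopes granted to an OAuth client with the documented set."""

# Assumption: granted scopes are reported as full URLs with this prefix.
PREFIX = "https://www.googleapis.com/auth/"

# Short names exactly as the table on this page lists them.
DOCUMENTED = {
    "admin.directory.orgunit.readonly",
    "admin.directory.userschema.readonly",
    "admin.directory.user",
    "admin.directory.group",
    "cloud-identity.groups.readonly",
}
# Listed on the page, but it may not show up in a grant's scope list
# (assumption), so it is allowed without being required.
OPTIONAL = {"offline_access"}


def short_name(scope):
    """Normalise a scope URL to the short name used in the table."""
    scope = scope.strip()
    return scope[len(PREFIX):] if scope.startswith(PREFIX) else scope


def audit_grant(granted):
    """Return scopes that are unexpected, missing, or allow modification."""
    names = {short_name(s) for s in granted if s.strip()}
    return {
        # Anything beyond the documented list deserves a review.
        "unexpected": sorted(names - DOCUMENTED - OPTIONAL),
        # Documented scopes that are absent: the integration may fail.
        "missing": sorted(DOCUMENTED - names),
        # Scopes that are not read-only, i.e. can change directory data.
        "write_capable": sorted(
            n for n in names - OPTIONAL if not n.endswith(".readonly")
        ),
    }


# Constructed sample record: one extra scope, two documented ones absent.
SAMPLE_TOKEN = {
    "displayText": "example-integration",
    "scopes": [
        PREFIX + "admin.directory.user",
        PREFIX + "admin.directory.group",
        PREFIX + "admin.directory.orgunit.readonly",
        PREFIX + "admin.directory.rolemanagement",
    ],
}

if __name__ == "__main__":
    for key, values in audit_grant(SAMPLE_TOKEN["scopes"]).items():
        print(f"{key}: {', '.join(values) or '-'}")
```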

Google User, Admin roles and privileges.

In Google Directory, if another administrator or non-administrator needs to manage Google Directory resources, you assign them a Google Directory role that provides the permissions they need. The permission required to perform all the employment lifecycle operations in the Google Directory application on hire2retire is User Administrator.

| Role | Description |
| --- | --- |
| User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. |

How to Give User Administrator Role

Follow these steps to assign the User Administrator role:

  1. Log in to the Google Directory portal and open, from the directory, the user to whom you want to assign the User Administrator role.

    Figure 1. Shows Assigned Role option on Google Directory portal

  2. Choose Assign roles under Admin roles and privileges, and assign the roles from the list to the user.

    Figure 2. Shows Assign Role lists on Google Directory portal

  3. Enable the Assigned state for the specified user and save.

    Figure 3. Shows Add Assignment option and save on Google Directory portal

  4. The role is assigned to the user once it has been enabled. This might take some time; wait a few seconds and refresh the page.

    Figure 4. Shows Assigned Role on Google Directory portal

Create a Connection

You need to have a Google Directory account before using the Google Directory application on hire2retire.

Figure 5. Google Directory Connection

You can find the Customer ID in the Google Workspace Admin Console: go to Google Workspace Admin Console > Account Settings > Profile > Customer ID.

Figure 6. Google Workspace Admin Console

On clicking the 'Link Account' button, you will be redirected to the Google Account Authorization screen. Enter the details of the account to use with Google Directory for this flow.

Figure 7. Google Directory Sign In

Admin consent is also required. After entering the account details, you will be redirected to the Google admin approval panel. Enter a justification for the request and click Request approval.

Figure 8. Google Directory access allow

By allowing access, you are authorizing RoboMQ to access your Google Directory account and make changes based on changes in HR data.