Set up Google Workspace / Adding Gmail users to the MyCompliance platform
This document provides a step-by-step guide for customers to integrate their Google Workspace (formerly G Suite) users with the MyCompliance platform.
Please follow the instructions below to set up and manage synchronisation between your Google Workspace and MyCompliance.
Additionally, this guide provides important information on the functionality and background jobs that facilitate the synchronisation process. Please review this information carefully.
Initial Setup Instructions
1. Admin SDK API
- To allow the provisioning of user accounts into the MyCompliance application, you must first enable the Admin SDK API on your Google Workspace.
- You can follow Google's official guide via this link: https://developers.google.com/workspace/guides/enable-apis
Quick steps
- Navigate to Google Cloud Console > Enabled APIs and services > Admin SDK > Enable.
- Note: You may be required to create a Google project before enabling the API. For instructions, refer to Google's official guide: https://developers.google.com/workspace/guides/create-project
2. Authentication
To secure the server-to-server session, you must use an appropriate authentication mechanism. In this instance, OAuth 2.0 is required by Google when accessing user directory information. Since there are no interactive processes, a service account must be used.
Quick Steps are outlined below, but full instructions from Google are available in the 'References' section below.
Service account creation
- Navigate to Google Cloud Console > Credentials > Create Credentials > Service Account.
Please follow the steps outlined in the guide. You do not need to complete the two optional sections.
3. Service Account Details
We advise using clear, descriptive and standardised naming conventions to indicate the purpose of this service account. Once completed, select Create and Continue.
You will be prompted to provide:
- Service account name
- Service account ID
- Service account description
4. Create a Service Account Key
- Click on the email address for the service account you created.
- Click the 'Keys' tab.
- In the 'Add key' drop-down menu, select Create new key.
- Select JSON.
- Click Create.
The generated key file will automatically download to your desktop.
Important: Save this JSON key securely, as you will need to pass this to your MyCompliance representative.
Also, make sure to record the new service account's Client ID, as this will be required in a later step.
5. Delegating Domain-wide Authority to the Service Account
- From your Google Workspace domain's Admin console (https://admin.google.com), go to Main menu > Security > Access and data control > API Controls.
- In the Domain-wide delegation section, select Manage Domain Wide Delegation.
- Click Add new.
- In the Client ID field, enter the service account's Client ID (available on the Service accounts page).
- In the OAuth scopes field (comma-delimited), enter the following scopes:
- https://www.googleapis.com/auth/admin.directory.domain.readonly
- https://www.googleapis.com/auth/admin.directory.user.alias.readonly
- https://www.googleapis.com/auth/admin.directory.orgunit.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
- Click Authorize.
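An added example, not part of the original guide or MetaCompliance's own tooling: a local Python check that reads the downloaded JSON key to obtain the Client ID for step 5 without displaying the private key, builds the comma-delimited scopes value, and flags any delegation entry that differs from the six read-only scopes listed above. The function names and the sample key are constructed for illustration.

```python
import json

# The six read-only Admin SDK Directory scopes listed in step 5 of this guide.
REQUIRED_SCOPES = frozenset(
    "https://www.googleapis.com/auth/admin.directory." + s + ".readonly"
    for s in ("domain", "user.alias", "orgunit", "group", "group.member", "user")
)

def key_summary(key_json: str) -> dict:
    """Return only the non-secret identifiers of a service account key file."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    missing = [f for f in ("client_id", "client_email", "private_key") if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    # The private key is deliberately never returned or printed.
    return {"client_id": key["client_id"], "client_email": key["client_email"]}

def scopes_field() -> str:
    """Value to paste into the comma-delimited 'OAuth scopes' field."""
    return ",".join(sorted(REQUIRED_SCOPES))

def audit_delegation(entered: str) -> dict:
    """Compare a pasted scopes value with the guide's list (least-privilege check)."""
    got = {s.strip() for s in entered.replace("\n", ",").split(",") if s.strip()}
    return {
        "missing": sorted(REQUIRED_SCOPES - got),       # sync would lack access
        "unexpected": sorted(got - REQUIRED_SCOPES),    # more access than the guide asks for
        "writable": sorted(s for s in got if not s.endswith(".readonly")),
    }

# Constructed sample key for illustration only; not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "100000000000000000001",
    "client_email": "mycompliance-sync@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
})

if __name__ == "__main__":
    print(key_summary(SAMPLE_KEY))
    print(scopes_field())
    print(audit_delegation(scopes_field()))
```
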
References
- Enable Workspace APIs: https://developers.google.com/workspace/guides/enable-apis
- Project Creation: https://developers.google.com/workspace/guides/create-project
- Service Accounts: https://developers.google.com/identity/protocols/oauth2/service-account
- Scopes: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
Integration Instructions
1. Supply Google Workspace Information
The following information must be provided to the MetaCompliance Customer Support team:
- Google Customer ID: This can be found by navigating to Account > Account Settings in Google Workspace.
- List of Domains that exist on your workspace: Navigate to Menu > Directory > Domains.
- Under View Domains, you will see all domains associated with your organisation.
2. Add a Custom Attribute to Users in Google Workspace
To identify which users should be synced with MyCompliance, you will need to create a custom attribute in your Google Workspace.
- Note: Only users with this custom attribute will be synced to the platform.
Steps to adding a custom attribute:
- Go to the Google Admin console.
- Navigate to Directory > Users.
- Select User attributes, then create a new attribute.
- Add the custom attribute information as required by the MyCompliance platform.
IMPORTANT
Please ensure you follow the exact naming convention provided below.
If you make a mistake after saving the custom attribute name, do not update it. Instead, delete and re-add the custom attribute.
- Category: Sync Info
- Custom Field Name: MetaCompliance
- Custom Field Description: Explanation of what the custom attribute does
- Custom Field Option:
- Yes or no
- Visible to user and admin
- Single Value
* Remember to set this custom attribute to ‘Yes’ for all users you wish to sync with the platform.
3. Initial Sync of Users from Google to MyCompliance
Once the custom attribute has been added to user accounts and the required information has been provided, the MetaCompliance Technical Support team will run an initial sync of user accounts into your tenant.
- After the first nightly sync, any new users will be added automatically.
- Any updates to Google Groups will happen on a nightly basis.
- If SSO has been configured, users will be able to sign in using their Google accounts.
Overview of Nightly Jobs
a. Nightly Synchronisation Jobs
Several automated jobs run nightly to maintain synchronisation between Google Workspace and the MyCompliance platform.
b. Sync Google Users Job
- Time: Runs at 00:00.
- Function: Syncs users from Google Workspace to MyCompliance for the specified domain.
c. Google Webhook Job
- Time: Runs at 01:00 each night.
- Function: Creates a webhook for each domain. This allows MyCompliance to receive real-time updates from Google Workspace for any changes to synced users (e.g. joiners and leavers).
d. Managing Google Groups
- Time: Runs at 02:00 each night.
- Function: Google Group updates do not automatically sync with MyCompliance. This job processes any group-related changes, such as additions, deletions and membership updates.
User Management on the MyCompliance Platform
Updating MetaCompliance Custom Field Entry from 'Yes' to 'No'
- If a synced user in Google Workspace has their MetaCompliance custom field changed to ‘No’, they will be disabled in MyCompliance, and all assigned targets for content will be removed.
- If the user's Custom Field entry is later changed back to ‘Yes’ on Google Workspace, they will be re-enabled in MyCompliance, and all valid group targets will be restored.
Suspending Users in Google Workspace
When a user is suspended in Google Workspace:
- They will be disabled in MyCompliance.
- All of their targets for content will be removed.
- If the user is reactivated, they will also be re-enabled in MyCompliance, and all valid group targets will be re-enabled.
Archiving Users in Google Workspace
When a user is archived on Google Workspace:
- Their access to MyCompliance will be disabled.
- However, all of their targets for content remain enabled.
- If reactivated, their access to MyCompliance will also be restored.
Deleting Users in Google Workspace
When a user is deleted from Google Workspace:
- They will be disabled in MyCompliance.
- All content targets will be removed.
- After 22 days, the user will be fully deleted from the platform.
- If a user is undeleted within 21 days in Google Workspace, their access to MyCompliance will be re-enabled, and all valid group targets will be restored.
For further assistance or support, please contact the MetaCompliance Support team: support@metacompliance.com.