Customer Implementation Guide: Adding G Suite users to the MyCompliance platform
This document provides a step-by-step guide for customers to integrate their Google Workspace (formerly G Suite) users with the MyCompliance platform.
Please follow these instructions to set up and manage synchronisation between your Google Workspace and MyCompliance.
Also provided here is some additional information on the functionality and the jobs that run to facilitate the synchronisation. Please take note of this information.
Initial Setup Instructions
1. Admin SDK API
- To allow the provisioning of your user accounts into the MyCompliance application, the following API must be enabled on your Google Workspace: Admin SDK API.
- To do this, you can follow the official guide from Google: https://developers.google.com/workspace/guides/enable-apis
Quick steps:
- Navigate to Google Cloud Console > Enabled APIs and services > Admin SDK > Enable.
- As a prerequisite for this, you may be required to create a Google project. For instructions on this, please follow the official Google guide: https://developers.google.com/workspace/guides/create-project
2. Authentication
To secure the server-to-server session, you must use an appropriate authentication mechanism. In this instance, you will use OAuth 2.0. This is a Google requirement when accessing user directory information. As there are no interactive processes, a service account must be used.
Quick Steps are included below, but full instructions from Google are available in the 'References' section below.
- Service account creation: Navigate to Google Cloud Console > Credentials > Create Credentials > Service Account.
Please complete the following options in the guide. You do not need to complete the two optional sections.
3. Service Account Details
We advise using descriptive, standard naming conventions that make the use case of this account clear. When completed, select Create and Continue.
- Service account name
- Service account ID
- Service account description
4. Create a service account key
- Click on the email address for the service account you created.
- Click the 'Keys' tab.
- In the 'Add key' drop-down list, select Create new key.
- Select JSON.
- Click Create.
- The generated key file should auto download to your desktop.
- Save this JSON key securely, as you will need to pass this to your MyCompliance representative.
- Record the new service account's client ID. You will need this later.
5. Delegating domain-wide authority to the service account
- From your Google Workspace domain's Admin console (https://admin.google.com), go to Main menu > Security > Access and data control > API Controls.
- In the Domain wide delegation pane, select Manage Domain Wide Delegation.
- Click Add new.
- In the Client ID field, enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
- In the OAuth scopes (comma-delimited) field, enter the following list of scopes:
- https://www.googleapis.com/auth/admin.directory.domain.readonly
- https://www.googleapis.com/auth/admin.directory.user.alias.readonly
- https://www.googleapis.com/auth/admin.directory.orgunit.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
- Click Authorize.
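One way to check the scope list before clicking Authorize, or to audit an existing delegation entry later (an added example, not part of the original guide or of MetaCompliance's tooling; the function names and the sample entry are assumptions constructed for illustration):

```python
"""Audit a domain-wide delegation entry against the scopes this guide lists."""
PREFIX = "https://www.googleapis.com/auth/"
# The six read-only Directory scopes from step 5 of this guide.
REQUIRED = frozenset(PREFIX + name for name in (
    "admin.directory.domain.readonly",
    "admin.directory.user.alias.readonly",
    "admin.directory.orgunit.readonly",
    "admin.directory.group.readonly",
    "admin.directory.group.member.readonly",
    "admin.directory.user.readonly",
))

def parse_scopes(field):
    """Split the comma-delimited field, tolerating spaces and newlines."""
    parts = field.replace("\n", ",").split(",")
    return [p.strip() for p in parts if p.strip()]

def audit_delegation(field):
    """Compare an entered scope list with REQUIRED and report every deviation."""
    granted = parse_scopes(field)
    seen = set(granted)
    return {
        "missing": sorted(REQUIRED - seen),        # sync would lack this data
        "unexpected": sorted(seen - REQUIRED),     # more access than the guide asks for
        "not_readonly": sorted(s for s in seen if not s.endswith(".readonly")),
        "duplicates": sorted(s for s in seen if granted.count(s) > 1),
        "ok": seen == REQUIRED and len(granted) == len(seen),
    }

def expected_field():
    """The comma-delimited string to paste into the OAuth scopes field."""
    return ",".join(sorted(REQUIRED))

# Constructed sample (not from a real tenant): two scopes were left out and
# the user scope was entered without its ".readonly" suffix.
SAMPLE_ENTRY = ", ".join([
    PREFIX + "admin.directory.domain.readonly",
    PREFIX + "admin.directory.user.alias.readonly",
    PREFIX + "admin.directory.orgunit.readonly",
    PREFIX + "admin.directory.group.readonly",
    PREFIX + "admin.directory.user",
])

if __name__ == "__main__":
    for key, value in audit_delegation(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

Any entry under `unexpected` or `not_readonly` means the service account key has been delegated more access than the six read-only scopes this guide asks for.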
References
- Enable Workspace APIs: https://developers.google.com/workspace/guides/enable-apis
- Project Creation: https://developers.google.com/workspace/guides/create-project
- Service Accounts: https://developers.google.com/identity/protocols/oauth2/service-account
- Scopes: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
Integration Instructions
1. Supply Google Workspace Information
The following information will need to be provided to the MetaCompliance Customer Support team:
- Google CustomerID – This can be found within Account > Account Settings on Google Workspace.
- List of Domains that exist on your workspace – Navigate to Domains via Menu > Directory > Domains.
- View Domains: Here, you can see all of the domains associated with your organisation.
2. Add a custom attribute to users in Google Workspace
To identify which users should be synced with MyCompliance, you will need to create a custom attribute in your Google Workspace.
- Note: Only users with this custom attribute will be synced to the platform.
Steps to add a custom attribute:
- Go to the Google Admin console.
- Navigate to Directory > Users.
- Select User attributes, and create a new attribute.
- Add the custom attribute information as required by the MyCompliance platform.
IMPORTANT!
Please ensure that you follow the exact naming convention provided below.
If you have made a mistake after saving the custom attribute name, please delete and re-add the custom attribute. Do not update.
- Category: Sync Info
- Custom Field Name: MetaCompliance
- Custom Field Description: Explanation of what the custom attribute does
- Custom Field Option:
- Yes/No
- Visible to user and admin
- Single Value
* Remember to set this custom attribute to ‘Yes’ for all the users you wish to sync into the platform.
3. Initial sync of users from Google to MyCompliance
Once you have the custom attribute added to user accounts, and the information has been provided, the MetaCompliance Technical Support team will run an initial sync of user accounts into your tenant.
- After the 1st nightly sync, any new users will be added automatically.
- Any updates to Google Groups will happen on a nightly basis.
- If SSO has been set up, users will be allowed to sign in with their Google accounts.
Overview of Nightly Jobs
a. Nightly Synchronisation Jobs
Several automated jobs run nightly to keep the Google Workspace and MyCompliance platform in sync.
b. Sync Google Users Job
- Time: Runs at 00:00.
- Function: It syncs users from Google Workspace to MyCompliance for the specified domain.
c. Google Webhook Job
- Time: Runs at 01:00 each night.
- Function: Creates a webhook for each domain. This webhook allows MyCompliance to receive updates from Google Workspace for any instant changes made to synced users, e.g. joiners and leavers will be updated automatically.
d. Managing Google Groups
- Time: Runs at 02:00 each night.
- Function: Group updates in Google Workspace do not automatically sync with MyCompliance. This job runs to process any group-related changes, such as additions, deletions, or membership updates.
User Management on the MyCompliance platform
Updating MetaCompliance Custom Field Entry from 'Yes' to 'No'
- If a synced user on Google Workspace has their MetaCompliance custom field updated to ‘No’, they will be disabled on MyCompliance, and all of their targets for content will be removed.
- If the user's MetaCompliance Custom Field entry is later changed to ‘Yes’ on Google Workspace, they will be re-enabled on MyCompliance and all valid group targets will be re-enabled.
Suspending Users in Google Workspace
- When a user is suspended on Google Workspace, they will be disabled on MyCompliance and all of their targets for content will be removed.
- If re-activated on Google Workspace, they will also be re-enabled on MyCompliance and all valid group targets will be re-enabled.
Archiving Users in Google Workspace
- When a user is archived on Google Workspace, their access to MyCompliance will be disabled; however, all of their targets for content remain enabled.
- If re-activated on Google Workspace, their access will also be re-enabled on MyCompliance.
Deleting Users in Google Workspace
- When a user is deleted from Google Workspace, they will be disabled on MyCompliance and all content targets will be removed. After 22 days, the user will be fully deleted from the platform.
- If a user is undeleted within 21 days on Google Workspace, their access on MyCompliance will be enabled, and all valid group targets will be re-enabled.
For further assistance or support, please contact the MetaCompliance Support team: support@metacompliance.com.