The next step in creating a secure and consistent connection between 黑料海角91入口 and Google Workspace is configuring the integration. You can control the user data that syncs, which platform should be the source (黑料海角91入口 or Google), whether distribution groups are managed from 黑料海角91入口, the email domains that are allowed to sync, and whether a default domain should be used.
Prerequisites
- A 黑料海角91入口 administrator account
- 黑料海角91入口 Device Package or higher
- An authorized and active Google Workspace instance
- A Google user account with the following roles:
  - Groups Admin (pre-built role)
  - User management Admin (pre-built role)
  - Custom role with 'Domain Management' admin API privileges
- You have read through the considerations in Get Started: Google Workspace Integration
Attribute Considerations
- The 黑料海角91入口 owned attributes (email, firstname, lastname) are required by Google and bidirectionally sync
- Optional attributes sync one way:
- Attributes set to Import will not be exported from 黑料海角91入口 to Google Workspace
- Attributes set to Export will not be imported from Google Workspace to 黑料海角91入口
- Attributes set to Exclude will not be imported or exported
- Different attributes in the sync can be set to Import or Export, e.g., you can set password to Export and costCenter to Import in the same sync
- The default setting for optional attributes, except user state and password, is Exclude
- The default setting for the user state and password attributes is Export
- The password and manager attributes can only be set to Export or Exclude
- Address attributes: both the 黑料海角91入口 and Google Workspace APIs allow multiple addresses for a given type. On export, existing Google Workspace addresses for a given type will be replaced with 黑料海角91入口 addresses of that type
Configure User Attributes
After you've authorized the Google Workspace instance in 黑料海角91入口, choose the user attributes you want to import, export or exclude. This functionality allows you to centralize the management of these users.
If no attributes are selected, i.e., all optional attributes are set to Exclude, only the 黑料海角91入口 owned attributes will sync.
Attribute Data Flow
How does attribute data flow between Google Workspace and 黑料海角91入口 after integration?
- When you import a user from Google Workspace: if data exists for a user's attributes in Google Workspace when they are imported, data is written to the equivalent user attributes in 黑料海角91入口
  - Importation of these attributes must be done before the user exists in 黑料海角91入口
- When you connect that user to Google Workspace in 黑料海角91入口: attributes in Google Workspace are automatically overwritten with data from 黑料海角91入口 for the attributes set to Export. Further, any subsequent changes made to the user's attributes in 黑料海角91入口 are automatically pushed to the corresponding attributes in Google Workspace
Custom user attributes aren't supported at this time. You may use the existing attributes for something other than their stated purpose as a short term workaround.
User Attribute Import
First name, Last name, and Company email will always be imported from Google Workspace. With the exception of user state and manager, you can choose the optional user attributes that you would like to import from Google Workspace for new users and updates. Your chosen attributes will be mapped from Google Workspace to the corresponding 黑料海角91入口 attribute.
User Attribute Export
First name, Last name, and Company email will always be exported to Google Workspace. You can choose the optional user attributes you would like to export to Google Workspace. Your chosen attributes will be mapped from 黑料海角91入口 to the corresponding Google attribute. If you choose to stop exporting data for an attribute, it is no longer synced with Google Workspace. Subsequent changes made to that attribute in 黑料海角91入口 aren't exported to Google Workspace.
Take caution when selecting attributes to export. After you select an attribute to export to Google Workspace, it is immediately overwritten with data from 黑料海角91入口 for all Google Workspace users managed by 黑料海角91入口, and you could potentially lose data stored for that attribute in Google Workspace.
User Attributes
Required attributes
These attributes are "黑料海角91入口 owned" and always imported from Google Workspace to 黑料海角91入口, and exported from 黑料海角91入口 to Google Workspace for bound users:
- firstname
- lastname
Optional attributes
Attributes that can only be optionally exported to Google Workspace:
- password *
- manager
Attributes that can optionally be exported to or imported from Google Workspace:
- user state *
- addresses (home)
- addresses (work)
- alternate email
- costCenter
- department
- employeeIdentifier
- employeeType
- jobTitle
- phoneNumbers (home)
- phoneNumbers (mobile)
- phoneNumbers (work)
- phoneNumbers (work_fax)
- phoneNumbers (work_mobile)
(*see Impact of the user state and password settings for additional considerations when making selections for these attributes)
API Attribute Name Table
The following table outlines how attribute data is exported from 黑料海角91入口's API and UI to Google Workspace's API and UI. The attribute listed in the 黑料海角91入口 API Attribute Name column is synced to the attribute listed in the Google Workspace API Attribute Name column. The attribute listed in the 黑料海角91入口 UI Attribute Name column is synced to the attribute listed in the Google Workspace UI Attribute Name column. See our for more information.
黑料海角91入口 API Attribute Name | Google Workspace API Attribute Name | 黑料海角91入口 UI Attribute Name | Google Workspace UI Attribute Name | |
---|---|---|---|---|
primaryEmail | Company Email | Primary email | The domain of the email address may be modified based on the Domains configuration for the Google Workspace Cloud Directory Sync integration. See Configure domains. | |
firstname | name.firstName | First Name | First name | |
lastname | name.lastName | Last Name | Last name | |
password | password | Password | Password | 黑料海角91入口 will push a password write to GWS upon every login to the 黑料海角91入口 User Portal. See Manage Passwords in External Directories from 黑料海角91入口 (Password Takeover). |
user state | status | User State | status | |
addresses (home) | addresses (home) | |||
addresses (work) | addresses (work) | |||
alternateEmail | Emails (other) | Alternate Email | Secondary Email | |
costCenter | organization.costCenter | Cost Center | Cost center | |
department | organization.department | Department | Department | |
employeeIdentifier | externalId.value | Employee ID | Employee ID | |
employeeType | organization.description | Employee Type | Employee type | |
jobTitle | organization.title | Job Title | Job title | |
manager | relations (manager) | Manager | Manager's Email | Google Workspace stores the Manager's email in the relations array with a type of "manager". Manager is a relational attribute in 黑料海角91入口, meaning we use the unique ID of the Manager. Export: 黑料海角91入口 will add the Manager's email to relations. 黑料海角91入口 will add the Manager's email address to the "Manager's email" field. |
phoneNumbers (home) | phones (home) | Home Phone | Phone (Home) | |
phoneNumbers (mobile) | phones (mobile) | Personal Cell | Phone (Mobile) | |
phoneNumbers (work) | phones (work) | Work Phone | ||
phoneNumbers (work_fax) | phones (work_fax) | Work Fax | - | Data exported for this attribute is viewable only in the Google Workspace API. |
phoneNumbers (work_mobile) | phones (work_mobile) | Work Cell | - | Data exported for this attribute is viewable only in the Google Workspace API. |
To select attributes to export or import
- Log in to the .
- Go to DIRECTORY INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory you want to select user attributes for.
- In the Attribute mapping and settings section, select the non-default user attributes you want to import or export with Google Workspace.
You can't clear default user attributes.
- Click Save.
If you want user attributes to sync (export) from 黑料海角91入口 to Google Workspace, connect 黑料海角91入口 users to Google Workspace.
Directory Insights Events
Anytime you change the direction of an attribute, a Directory Insights event is generated. Previously, these events were:
- translationrule_create
- translationrule_delete
If you see events with these names in your Directory Insights logs, they will roll off once your maximum retention period is exhausted. Going forward, the Directory Insights events generated from attribute selections are:
- integrationattribute_exclude
  - Generated when an attribute is set to "Exclude".
  - Ex: You change the Department attribute from "Import" to "Exclude"
- integrationattribute_include
  - Generated when an attribute is set to "Import" or "Export".
  - Ex: You change the Department attribute from "Exclude" to "Import"
  - Ex: You change the Department attribute from "Import" to "Export"
These events will capture attribute ownership/direction changes, including the admin that made the change, and the directory integration in which the change occurred.
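One way to review these events in an exported log, as an added example that is not part of the original documentation: it picks out both the current and the legacy event names and marks changes to the password and user state attributes for first review. The JSON keys (`event_type`, `admin`, `integration`, `attribute`) and the sample lines are assumptions constructed for illustration, not a documented schema.

```python
import json

CURRENT = {"integrationattribute_include", "integrationattribute_exclude"}
LEGACY = {"translationrule_create", "translationrule_delete"}
# Attributes whose direction also affects the Password Configurations settings.
WATCHED = {"password", "user state"}

# Constructed sample export, one JSON object per line. The key names are
# assumed for this example; the last line is deliberately truncated.
SAMPLE = "\n".join([
    '{"event_type": "integrationattribute_include", "admin": "ops@mydomain.com", "integration": "gws-main", "attribute": "department"}',
    '{"event_type": "integrationattribute_exclude", "admin": "ops@mydomain.com", "integration": "gws-main", "attribute": "password"}',
    '{"event_type": "unrelated_event", "admin": "ops@mydomain.com"}',
    '{"event_type": "translationrule_create", "admin": "old@mydomain.com", "integration": "gws-main"}',
    '{"event_type": "integrationattribute_include", "admin": ',
])


def direction_changes(text):
    """Return (changes, bad_lines) for attribute direction events in text."""
    changes, bad_lines = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            bad_lines.append(number)  # keep the line number for follow-up
            continue
        kind = event.get("event_type") if isinstance(event, dict) else None
        if kind not in CURRENT | LEGACY:
            continue
        attribute = event.get("attribute")
        changes.append({
            "line": number,
            "event_type": kind,
            "legacy_name": kind in LEGACY,
            "admin": event.get("admin", "unknown"),
            "integration": event.get("integration", "unknown"),
            "attribute": attribute,
            "review_first": attribute in WATCHED,
        })
    return changes, bad_lines


def changes_by_admin(changes):
    """Count direction changes per (admin, integration) pair."""
    counts = {}
    for change in changes:
        key = (change["admin"], change["integration"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```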
Configure User Password Settings
In the Admin Portal, there are Password Configuration Settings that allow you to customize what happens to a user's account in Google Workspace when their 黑料海角91入口 password gets locked out or expires. These settings are impacted by your selections for password and user state attributes in the Attribute mapping and settings section.
To access the Password Configurations settings
- Log in to the .
- Navigate to Settings > Security > Password Configurations > Google Workspace.
- Under your Google Workspace instance, select your desired options for Password Expiration and Account Lockout.
- After any changes are made, click Save.
Impact of the user state and password settings
The table below shows how the settings for password and user state attributes impact the Password Configurations settings for password expiration and account lockout.
Password attribute setting | User State setting | Default Password Expiration setting | Default Account Lockout setting | |||
Maintain Users | Suspend Users | Remove Access | Maintain Users | Suspend Users | ||
Exclude | Export, Import, or Exclude | |||||
Export | Export | |||||
Import or Exclude |
Configure Google Workspace Group(s) Management
The integration supports the creation and management of distribution groups in Google Workspace from 黑料海角91入口. This functionality allows you to centralize the management of these groups and group memberships in 黑料海角91入口.
Considerations
- After you enable group management, changes made to groups in 黑料海角91入口 are synced to distribution groups in Google Workspace. Changes only sync from 黑料海角91入口 to Google Workspace. Changes made to groups in Google Workspace aren't synced to 黑料海角91入口
- If you disable group and membership management, no further changes will be made to distribution groups in Google Workspace. The groups will remain exactly as they were at the time the functionality was disabled
- It can take some time for new groups to appear in the Google Groups directory. See Google's Admin Help:
- Managing a Google dynamic group from 黑料海角91入口 is not supported. Making manual changes to members of a Google dynamic group is not allowed and will fail with an Error 412: Condition not met, conditionNotMet error.
- You can sync a 黑料海角91入口 dynamic group to a static group in Google
- If you have a group in 黑料海角91入口 with the same name and email as a dynamic group in 黑料海角91入口, do not add the email for the group in the Users Group tab to prevent group membership errors
To enable Google Workspace group management
- Navigate to DIRECTORY INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory you want to manage groups for.
- In the Google Workspace Sync section of the Details tab, select Enable management of groups and memberships in Google Workspace.
- Click Save.
- If you have not already granted the groups permission, you will be redirected to the Google Workspace authorization flow.
- Enter the email address for the Google Workspace admin account you are using for the integration if prompted.
- Enter the password for the Google Workspace admin account you are using for the integration if prompted.
- Click Allow.
After you enable group management for your Google Workspace directory sync integration in 黑料海角91入口, you must add the email attribute for user groups bound to that Google Workspace directory. If you don't add an email address to these groups, users in bound groups could be suspended until one is added.
To specify Distribution Groups
Considerations
- If you remove a distribution group's email address, the group and its memberships are no longer synced with Google Workspace
- If you change a distribution group's email address, the members of the group are moved to the distribution group of the email address you specify
To specify a Google Workspace Distribution Group
Ensure that Enable management of groups and memberships in Google Workspace is enabled in your Google Workspace Integration.
- Navigate to DIRECTORY INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory for which you want to manage groups.
- Select the User Groups tab.
- In your desired group, add an email address in the Distribution Group Email field.
- Click Save.
When you associate 黑料海角91入口 user groups to a Google Workspace directory, users in those groups are added to those same distribution groups in Google Workspace. Distribution group membership, in addition to user attributes and passwords, will be synced. See Giving 黑料海角91入口 Users Access to Google Workspace to learn how to associate user groups to a Google Workspace Directory.
Configure domain(s)
Specify one or more domains as part of the integration configuration to have more granular control over which user accounts sync and how the translation rule for the email to User Principal Name (UPN) mapping is applied. There are three (3) possible configurations: no domains, a list of one or more domains but no default, and a list of one or more domains with one of those domains used as a default for the UPN translation rule. Each configuration is described in more detail below.
- If no domains are configured, the user's company email is not checked and sent as is. The user syncs as long as their email domain matches one of the verified domains in the Google Workspace instance
- If one or more domains is configured and the No default option is selected, the user's company email is checked against the domains listed. Only users with matching email domains are synced
- If one or more domains is configured and one of the domains is selected to Use as default, the user's company email is checked against the domains listed
  - If the domain matches one of the domains in the list, the email address is sent as is
  - If the domain does not match one of the domains in the list, the email value sent as the Primary Email will be the username portion of the company email address and the default domain
Examples of how domains are used by the integration.
Domains Configuration | Source email (黑料海角91入口 Company Email) | Sync results | Primary Email value sent to Cloud Directory |
---|---|---|---|
No domains | [email protected] | Synced | [email protected] |
 | [email protected] | Synced | [email protected] |
 | [email protected] | Sync failed | [email protected] |
Domains list = (mydomain.com, alternatedomain.com) & no default selected | [email protected] | Synced | [email protected] |
 | [email protected] | Synced | [email protected] |
 | [email protected] | N/A - user skipped | N/A |
Domains list = (mydomain.com, alternatedomain.com) & mydomain.com selected to use as default | [email protected] | Synced | [email protected] |
 | [email protected] | Synced | [email protected] |
 | [email protected] | Synced | [email protected] |
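The three domain configurations described above, modelled as an added example that is not part of the original documentation or the product's code. It also checks for a consequence of the default-domain rule as stated: two users with the same username in different domains resolve to the same Primary Email. The function names, the sample users and `otherdomain.example` are constructed for illustration.

```python
from collections import defaultdict


def _split(email):
    """Split an address into (local part, lower-cased domain)."""
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {email!r}")
    return local, domain.lower()


def resolve_primary_email(company_email, domains=(), default_domain=None):
    """Return (action, primary_email) for one user.

    action is "send" (address passed through unchanged), "rewrite"
    (username kept, default domain substituted) or "skip" (not synced).
    """
    allowed = {d.lower() for d in domains}
    if default_domain is not None and default_domain.lower() not in allowed:
        raise ValueError("the default must be one of the configured domains")
    local, domain = _split(company_email)
    if not allowed or domain in allowed:
        # With no list nothing is checked here; the sync still fails later if
        # the domain is not verified in the Google Workspace instance.
        return "send", company_email.strip()
    if default_domain is None:
        return "skip", None
    return "rewrite", f"{local}@{default_domain.lower()}"


def rewrite_collisions(company_emails, domains, default_domain):
    """Map each Primary Email that more than one source address resolves to."""
    by_primary = defaultdict(list)
    for email in company_emails:
        action, primary = resolve_primary_email(email, domains, default_domain)
        if action != "skip":
            by_primary[primary.lower()].append(email)
    return {p: src for p, src in by_primary.items() if len(src) > 1}


# Constructed sample users; otherdomain.example is not in the domains list.
DOMAINS = ["mydomain.com", "alternatedomain.com"]
USERS = ["ana@mydomain.com", "bo@alternatedomain.com", "ana@otherdomain.example"]

if __name__ == "__main__":
    for default in (None, "mydomain.com"):
        print("default:", default)
        for user in USERS:
            print("  ", user, "->", resolve_primary_email(user, DOMAINS, default))
        print("  collisions:", rewrite_collisions(USERS, DOMAINS, default))
```

Running the collision check against the user list before selecting Use as default shows which accounts would end up sharing one Primary Email.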
To add domains
- Log in to the .
- Navigate to DIRECTORY INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory instance.
- In the Google Workspace Domain(s) section, click +Add Domain.
- The first time you add a domain, you will be redirected to the authorization flow to approve the domains permission.
- If prompted, enter the email address for the Google Workspace admin account you want to use for the integration and the password for that account on the subsequent screen.
- Enter the password for that account if prompted.
If you enabled group management in this session, you will also see the group's permission in the list of permissions.
- Click Allow.
- You will be redirected back to the configuration page for the Google Workspace integration
- Click the domain dropdown menu.
- Select one of the domains from the list.
The list is pulled dynamically from Google Workspace and only includes . The domain noted with (Primary) is the domain specified as the primary domain for that Google Workspace instance. That label is separate from the 'Use as default' option within the integration configuration in 黑料海角91入口.
- Repeat steps 4-6 to add additional domains.
- Click Save.
To enable a default domain
- Log in to the .
- Navigate to DIRECTORY INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory instance.
- In the Google Workspace Domain(s) section, select the radio button next to one of the domains to use that domain for the PrimaryEmail translation rule (default domain).
- Click Save.