Why set up provisioning?
Improve the HR - IT flow with provisioning's auto-sync capabilities that automatically create users for new hires, update changes to employees or deactivate users when employees leave.
How Does It Work?
When is a user created in G Suite?
Based on your configuration, bob can create a G Suite user once the user's profile has been created in bob, or based on employees' status in bob.
Possible bob triggers to create a new G Suite user:
- Employee created
- Employee joined
Will employee updates be synced?
You can define when you want bob to sync to G Suite and deactivate users or to sync changes made to employee information in bob. You choose your preferred behavior and field mappings, just contact bob's support team and let us know your preferences.
Possible bob events to trigger syncing:
- Employee updated in bob = User information synced in G Suite (according to defined field mapping)
- Employee activated in bob = User activated in G Suite
- Employee inactivated in bob = User deactivation in G Suite
- Employee deleted in bob = User deactivation in G Suite
By default, employee active/inactive status in bob will be synced to G Suite. There are two additional possible behaviors as specified below. If you'd like to change from the default behavior, please contact bob's support team.
- Use bob employee status: If the bob employee is active, the newly created G Suite user will also be active. If the bob employee is inactive, the newly created G Suite user will be deactivated
- Always Activate: All created G Suite users will be active
- Always Suspend: All created G Suite users will be deactivated
Default user field mapping
You define how bob employee fields will be mapped to G Suite fields. The synchronisation of user information will be according to the user field mappings you define. The below table shows the default field mappings.
Please ensure the field names in bob and G Suite match so the information can be mapped correctly.
Setup in G Suite
The first steps in setting up the bob-G Suite provisioning integration take place in G Suite. You will need to complete the following:
- Enable API access. Follow this link for additional information.
- Create an API Console project (if you don't already have one). Follow this link for additional information.
- Create a service account (without role) as follows:
- From the Google API Console select Credentials and click on Create credentials, Service Account.
- Give the service account a name and click Create.
- Leave the ROLE blank and click Continue.
- In the "Grant users access" page, leave the settings blank, and click Done.
4. Generate a key for the service account:
- In the credentials page, click on the service user that was created.
- Under Keys click on Add Key and choose Create new key.
- Select JSON and click Create. The JSON file will be downloaded to your computer.
5. Enable G Suite Admin SDK API as described here:
- In the Google API Console Dashboard press on Enable APIs and Services.
- Find and enable the Admin SDK.
6. Authorize service account to use the required Google APIs by completing these
- Go to Google Admin Console > Security > Advanced settings and click Domain-wide Delegation.
- Click on Add New.
- Obtain the client_id value from the service account private key you downloaded earlier.
In the above image the client_id value is 111044703125069446382.
- Under Client ID paste the client_id value.
- In the )auth scopes field, set the following value: https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.userschema.readonly
- Click Authorize.
The service account is now authorized to use 2 scopes of the Admin SDK API:
- View and manage the provisioning of users on your domain - needed in order to synchronize bob employees to the Google user directory.
- View user schemas on your domain - needed in order to retrieve the custom fields defined for the Google user profile.
Setup in bob
Once you have completed the G Suite setup steps described above, you can start configuring the integration in bob.
- Go to Settings > Integrations > Provisioning > G Suite.
- Enter a G Suite administrator email address. This must be a Super Admin account or an Admin account with complete Admin API privileges.
- Upload your Google service account private key file (downloaded in step 3 above).
- Enter Default password for newly created G Suite accounts.
- Check the Change password on first login box if you'd like a newly created account user to be prompted to change the default password upon their first visit.
- Click Save.
- Will users created before the G Suite integration was created be synchronized to G Suite? Yes
bob users created before the G Suite integration will be synchronized in G Suite once one of the mapped properties is updated for an employee in bob. Users that have not yet been created in G Suite will be created, while existing users will be updated.
- Is it possible to deactivate all newly created users in G Suite? Yes bob's support team can configure the G Suite integration so that all newly created users will be deactivated. The reverse is also possible: the integration can be configured so that all newly created users will be activated.
Need more help? If you're unsure about anything please send us a message through the chat icon below.