Why set up provisioning?
Improve the HR - IT flow with provisioning's auto-sync capabilities that automatically create users for new hires, update changes to employees, or deactivate users when employees leave.
How Does It Work?
When is a user created in Google Workspace?
Based on your configuration, bob can create a Google Workspace user once the user's profile has been created in bob, or based on employees' status in bob.
Possible bob triggers to create a new Google Workspace user:
Will employee updates be synced?
You can define when you want bob to sync to Google Workspace and deactivate users or to sync changes made to employee information in bob. You choose your preferred behavior and field mappings, just contact bob's support team and let us know your preferences.
Possible bob events to trigger syncing:
Employee updated in bob = User information synced in Google Workspace (according to defined field mapping)
Employee activated in bob = User activated in Google Workspace
Employee inactivated in bob = User deactivation in Google Workspace
Employee deleted in bob = User deactivation in Google Workspace
By default, employee active/inactive status in bob will be synced to Google Workspace. There are two additional possible behaviors as specified below. If you'd like to change from the default behavior, please contact bob's support team.
Use bob employee status: If the bob employee is active, the newly created Google Workspace user will also be active. If the bob employee is inactive, the newly created Google Workspace user will be deactivated
Always Activate: All created Google Workspace users will be active
Always Suspend: All created Google Workspace users will be deactivated
Default user field mapping
You define how bob employee fields will be mapped to Google Workspace fields. The synchronization of user information will be according to the user field mappings you define. The below table shows the default field mappings.
Please ensure the field names in bob and Google Workspace match, so the information can be mapped correctly.
Setup in Google Workspace
The first steps in setting up the bob-Google Workspace provisioning integration take place in Google Workspace. You will need to complete the following:
Enable API access. Follow this link for additional information.
Create an API Console project (if you don't already have one). Follow this link for additional information.
Create a service account (without role) as follows:
From the Google API Console select Credentials and click on Create credentials, Service Account.
Give the service account a name and click Create.
Leave the ROLE blank and click Continue.
In the "Grant users access" page, leave the settings blank, and click Done.
4. Generate a key for the service account:
In the credentials page, click on the service user that was created.
Under Keys click on Add Key and choose Create new key.
Select JSON and click Create. The JSON file will be downloaded to your computer.
5. Enable Google Workspace Admin SDK API as described here:
In the Google API Console Dashboard press on Enable APIs and Services.
Find and enable the Admin SDK.
6. Authorize service account to use the required Google APIs by completing these
Go to Google Admin Console > Security > API Controls and click Manage Domain Wide Delegation.
Click on Add New.
Obtain the client_id value from the service account private key you downloaded earlier.
In the above image, the client_id value is 111044703125069446382.
Under Client ID paste the client_id value.
In the 0auth scopes field, enter the following value: https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.userschema.readonly
The service account is now authorized to use 2 scopes of the Admin SDK API:
View and manage the provisioning of users on your domain - needed in order to synchronize bob employees to the Google user directory.
View user schemas on your domain - needed in order to retrieve the custom fields defined for the Google user profile.
Setup in bob
Once you have completed the Google Workspace setup steps described above, you can start configuring the integration in bob.
Go to Settings > Integrations > Provisioning > Google Workspace.
Enter a Google Workspace administrator email address. This must be a Super Admin account or an Admin account with complete Admin API privileges.
Upload your Google service account private key file (downloaded in step 3 above).
Enter Default password for newly created Google Workspace accounts.
Check the Change password on first login box if you'd like a newly created account user to be prompted to change the default password upon their first visit.
Will users created before the Google Workspace integration was created be synchronized to Google Workspace? Yes
bob users created before the Google Workspace integration will be synchronized in Google Workspace once one of the mapped properties is updated for an employee in bob. Users that have not yet been created in Google Workspace will be created while existing users will be updated.
Is it possible to deactivate all newly created users in Google Workspace? Yes bob's support team can configure the Google Workspace integration so that all newly created users will be deactivated. The reverse is also possible: the integration can be configured so that all newly created users will be activated.
Need more help? If you're unsure about anything please send us a message through the chat icon below.