Google Workspace Provisioning integration

Improve the HR - IT flow with provisioning's auto-sync capabilities that automatically create users for new hires, update changes to employees, or deactivate users when employees leave. 

How does it work?

When is a user created in Google Workspace?

Based on your configuration, Bob can create a Google Workspace user once the user's profile has been created in Bob, or based on employees' status in Bob.

Possible Bob triggers to create a new Google Workspace user:

  • Employee created

  • Employee joined

Will employee updates be synced?

You can define when you want bob to sync to Google Workspace and deactivate users or to sync changes made to employee information in Bob. You choose your preferred behavior and field mappings, just contact Bob's support team and let us know your preferences.

Possible Bob events to trigger syncing:

  • Employee updated in bob = User information synced in Google Workspace (according to defined field mapping).

  • Employee activated in bob = User activated in Google Workspace.

  • Employee inactivated in bob = User deactivation in Google Workspace.

  • Employee deleted in bob = User deactivation in Google Workspace.

Behavior

By default, employee active/inactive status in Bob will be synced to Google Workspace. There are two additional possible behaviors as specified below. If you'd like to change from the default behavior, please contact Bob's support team.

  • Use Bob employee status: If the Bob employee is active, the newly created Google Workspace user will also be active. If the bob employee is inactive, the newly created Google Workspace user will be deactivated.

  • Always Activate: All created Google Workspace users will be active.

  • Always Suspend: All created Google Workspace users will be deactivated.

Default user field mapping

You define how Bob employee fields will be mapped to Google Workspace fields. The synchronization of user information will be according to the user field mappings you define. The below table shows the default field mappings.

617ba89ebc82b

Note: Please ensure the field names in Bob and Google Workspace match, so the information can be mapped correctly. 

How to set up in Google Workspace

The first steps in setting up the Bob-Google Workspace provisioning integration take place in Google Workspace. 

  • Enable API access. Follow this link for additional information.  

  • Create an API Console project (if you don't already have one). Follow this link for additional information. 

Create a service account (without role)

  1. From the Google API Console, select Credentials.

  2. Click + Create credentials > Service Account.617ba89faa0d0

  3. Fill in Service account name, then click Create.617ba8a070abc

  4. In the Grant this service access to project section, leave the ROLE empty, then click Continue.617ba8a117c08

  5. In the Grant users access section, leave the settings blank, then click Done.617ba8a1acbbe

Generate a key for the service account

  1. From the Credentials page, click the service user that was created.617ba8a267ee6

  2. From the Keys section, click Add Key > Create new key.617ba8a344cf0

  3. Select JSON, then click Create.
    The JSON file will be downloaded to your computer.617ba8a40cd21

Enable Google Workspace Admin SDK API

  1. From the Google API Console Dashboard, click + Enable APIs and Services.617ba8a4cdaad

  2. Find and enable the Admin SDK.617ba8a585bff

 Authorize service account to use the required Google APIs

  1. From the Google Admin Console, select Security > API Controls.

  2. Click Manage Domain Wide Delegation.617ba8a6575ab

  3. Click Add New.617ba8a73de88

  4. Obtain the client_id value from the service account private key you downloaded earlier. 617ba8a7ed59f

    In the above image, the client_id value is 111044703125069446382.

  5. In Client ID, paste the client_id value.
  6. In the 0auth scopes field, enter the following value:
    https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.userschema.readonly
  7. Click Authorize.617ba8a73de88

The service account is now authorized to use 2 scopes of the Admin SDK API:

  • View and manage the provisioning of users on your domain - needed in order to synchronize bob employees to the Google user directory.

  • View user schemas on your domain - needed in order to retrieve the custom fields defined for the Google user profile.

How to setup in Bob

Once you have completed the Google Workspace setup steps described above, you can start configuring the integration in bob.

  1. From the left menu, select Settings > Integrations.

  2. Select Provisioning.

  3. From the Google Workspace tile, click Connect.

  4. Click Connect.
  5. Enter a Google Workspace administrator email address.
    Note: This must be a Super Admin account or an Admin account with complete Admin API privileges.

  6. Upload your Google service account private key file (downloaded in step 3 above).

  7. Enter Default password for newly created Google Workspace accounts.

  8. Check the Change password on first login box if you'd like a newly created account user to be prompted to change the default password upon their first visit.

  9. Click Apply.
    Screen_Shot_2022-04-12_at_17.25.04.png

FAQs

Will users created before the Google Workspace integration was created be synchronized to Google Workspace?

Yes, Bob users created before the Google Workspace integration will be synchronized in Google Workspace once one of the mapped properties is updated for an employee in Bob. Users that have not yet been created in Google Workspace will be created while existing users will be updated.

Is it possible to deactivate all newly created users in Google Workspace?

Yes, Bob's support team can configure the Google Workspace integration so that all newly created users will be deactivated. The reverse is also possible: the integration can be configured so that all newly created users will be activated.