Data import

Google Workspace API configuration

Use the following settings to connect to Google Workspace API:

The default queries and mappings require the following claims:

Queries and mappings

Out of the box, the collector imports data for Users, Groups, Assignments between Users and Groups, and Parent/Child relations between nested groups.

Users

Google Workspace Connectivity imports Users as accounts. For these Users, the technical id of the user is used as the business key in Omada Identity, while the user's primaryEmail is used as the account name.

The default attribute set, Google Workspace - User Attributes, is tied to the account resource type. Within this set, the following attributes are imported:

  • givenName - imported as givenName and matched to the FIRSTNAME attribute.
  • familyName - imported as familyName and matched to the LASTNAME attribute.
  • title - imported as title and matched to the JOBTITLE attribute.
  • primaryEmail - imported as primaryEmail and matched to the EMAIL attribute.

Ultimately, reconciliation on attributes is as follows: FIRSTNAME=givenName;LASTNAME=familyName;JOBTITLE=jobtitle

The attribute set also contains an attribute for the initial password.

Groups

Google Workspace Connectivity imports members of groups as resource assignments. Import of group members is limited to ACTIVE members of the type USER and with the role MEMBER. Import of Members is done with the use of a nested lookup. This means that the collector first gets a list of groups and then, for each group, it performs a new lookup to get the members of this group.

warning

This solution may lead to a high number of lookups in a short time. Make sure that the service account in use is configured properly to allow it.

Nested groups

Google Workspace Connectivity imports Nested groups as parent/child relationships. Import of members of Nested groups is limited to ACTIVE members of type GROUP and with the role MEMBER. Import of the Nested groups is performed with the use of a nested lookup. This means that the collector first gets a list of groups and then, for each group, it makes a new lookup to get the members of this group, which are also groups.

To unfold the memberships for users that are members of a nested group, make sure to set the Unfold setting in the Advanced task.

warning

This solution leads to a high number of lookups in a short time. Make sure that the service account in use is configured properly to allow it.
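
The sketch below is an added example, not Omada's collector code. It reproduces the nested lookup and the ACTIVE/MEMBER filters described above over constructed sample data, counts the lookups, and shows which memberships appear only after unfolding. The helper names and the unfold semantics (a user in a child group also counts as a member of every ancestor group) are assumptions.

```python
# Constructed sample data standing in for API responses (not Omada's collector code).
GROUPS = ["all@example.com", "eng@example.com", "eng-admins@example.com"]

def m(email, mtype, role="MEMBER", status="ACTIVE"):
    return {"email": email, "type": mtype, "role": role, "status": status}

MEMBERS = {
    "all@example.com": [m("eng@example.com", "GROUP"),
                        m("carol@example.com", "USER", status="SUSPENDED")],
    "eng@example.com": [m("alice@example.com", "USER"),
                        m("eng-admins@example.com", "GROUP"),
                        m("dave@example.com", "USER", role="OWNER")],
    "eng-admins@example.com": [m("bob@example.com", "USER")],
}

def collect(groups, list_members):
    """Nested lookup: one member listing per group, after one group listing."""
    assignments, nested, lookups = set(), set(), 1  # 1 = the initial group listing
    for group in groups:
        lookups += 1
        for member in list_members(group):
            # Only ACTIVE members with role MEMBER are imported; owners,
            # managers and suspended members are skipped by these filters.
            if member["status"] != "ACTIVE" or member["role"] != "MEMBER":
                continue
            if member["type"] == "USER":
                assignments.add((member["email"], group))   # resource assignment
            elif member["type"] == "GROUP":
                nested.add((group, member["email"]))        # (parent, child)
    return assignments, nested, lookups

def unfold(assignments, nested):
    """Assumed unfold semantics: add each user to every ancestor of their group."""
    parents = {}
    for parent, child in nested:
        parents.setdefault(child, set()).add(parent)
    effective = set(assignments)
    for user, group in assignments:
        stack, seen = [group], {group}   # 'seen' guards against cyclic data
        while stack:
            for parent in parents.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
                    effective.add((user, parent))
    return effective

if __name__ == "__main__":
    direct, nested, lookups = collect(GROUPS, MEMBERS.__getitem__)
    print(lookups, sorted(unfold(direct, nested) - direct))
```

With the default filters, dave (role OWNER) and carol (SUSPENDED) never appear as assignments, which is worth keeping in mind when reviewing imported group access.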

Account rules

When Google Workspace Connectivity imports accounts, the primaryEmail of the user is imported as the accountName. This default rule, which matches the account name to the email of the identity, is configured to ensure a high match rate of account ownership during the import.

Configure thresholds

The Configure thresholds function lets you set the amount of change, relative to the last import, that must not be exceeded. In the Configure import thresholds view, enter an integer percentage for New objects, Modified objects, and Deleted objects to enable thresholds for the import of objects from this system.

The value for each operation is by default set to 0, which means that no threshold calculations take place for the operations until you change the integer.

important

For all .NET-based collectors, thresholds are calculated as follows:

  • If the system category is set to Identity data, the thresholds are calculated.
  • If the system category is set to Access data, the thresholds are calculated.
  • If the system category is set to Both, the thresholds only apply to Access data, that is, Accounts, Resources, and ResourceAssignments.