サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.2 - Administration Guide for Connecting to Google Workspace

Mapping a Google Workspace environment in One Identity Manager Synchronizing a Google Workspace customer
Setting up initial synchronization of a Google Workspace customer Customizing the synchronization configuration for Google Workspace Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Google Workspace user accounts and identities
Account definitions for Google Workspace user accounts Assigning identities automatically to Google Workspace user accounts Manually linking identities to Google Workspace user accounts Supported user account types Specifying deferred deletion for Google Workspace user accounts
Login credentials for Google Workspace user accounts Managing Google Workspace entitlement assignments Mapping Google Workspace objects in One Identity Manager
Google Workspace customers Google Workspace user accounts Google Workspace groups Google Workspace products and SKUs Google Workspace organizations Google Workspace domains Google Workspace domain aliases Google Workspace admin roles Google Workspace admin privileges Google Workspace admin role assignments Google Workspace external email addresses Reports about Google Workspace objects
Handling of Google Workspace objects in the Web Portal Basic configuration data for managing a Google Workspace customer Troubleshooting the connection to a Google Workspace customer Configuration parameters for managing a Google Workspace environment Default project template for Google Workspace API scopes for the service account Processing methods of Google Workspace system objects Special features in the assignment of Google Workspace groups

Advanced settings for the system connection to Google Workspace

You can make various additional changes to the target system connection settings, for example, defining the number of retries or timeouts. When you set up synchronization for the first time, these system connection properties are set to default values. You can modify the default values to help analysis of synchronization problems, for example.

There are two ways to change the default values.

  1. Specify a specialized variable set and change the values of the affected variables. (Recommended action).

    The default values remain untouched in the default variable set. The variables can be reset to the default values at any time.

    For more information, see Editing connection parameters in the variable set.

  2. Edit the target system connection with the system connection wizard and change the effected values.

    The system connection wizard supplies additional explanations of the settings. The default values can only be restored under particular conditions.

    For more information, see Editing target system connection properties.

NOTE: If the project wizard is started directly from the Synchronization Editor when you set up initial synchronization, you can edit the advanced settings when you set up the synchronization project. In this case, the default values are immediately overwritten by your settings.
Table 9: Target system connection advanced settings

Property

Description

Read-only API access

Specifies whether the API scopes were only entered for read-only access in the Google Admin Console Enable this option if no write access to the target system may be assigned. The connector only has read access to the target system.

  • The service account's client ID must be authorized for various API scopes in the Google Admin console: A list of API scopes is available on the One Identity Manager installation medium. You can use this list as a copy template.

    Directory: Modules\GAP\dvd\AddOn\ApiAccess

    File: GoogleWorkspaceRequiredAPIAccessReadOnly.txt

If this option is disabled, read-write access is possible. Other API scopes must be authorized for this.

Use the local cache

Specifies whether the Google Workspace connector's local cache is used.

Local cache is used to prevent the API contingent from being exceeded through synchronization. Accesses to Google Workspace are minimized during full synchronization. The option is ignored during provisioning.

This option is set by default and can be disabled for troubleshooting.

For more information about this, see the One Identity Manager Target System Synchronization Reference Guide.

Polling count

Specifies how many attempts are made to load a new value into the target system during provisioning or synchronization before an error occurs.

The result of saving certain user account properties (such as phone numbers or Instant Messenger settings) appears after a delay in Google Workspace and cannot be used for other operations straightaway.

Batch retry count

Specifies the number of retries allowed for failed batch operations in the target system, for example, when synchronizing group memberships.

Batch timeout

Timeout between retries of failed batch operations.

Transfer user data before delete

Specifies whether Google application user data is transferred to a different user account before user accounts are deleted.

User data such as Google Drive data, Google+ pages, and Google calendar, can be transferred to a different user account before final deletion.

Variable: CP_TransferUserDataBeforeDelete

User data transfer XML

Google application user data is transferred to a different user account before user accounts are deleted. By default all user data is transferred. To replace the default list, an XML document can be stored here.

To restore the default list, delete the XML document.

Example of a user data transfer XML

<Applications>
    <Application name="Drive and Docs">
        <TransferParam key="PRIVACY_LEVEL">
            <TransferValue value="SHARED" />
            <TransferValue value="PRIVATE" />
        </TransferParam>        
    </Application>
    <Application name="Calendar">
        <TransferParam key="RELEASE_RESOURCES">
            <TransferValue value="TRUE" />
        </TransferParam>        
    </Application>    
    <Application name="Google+" />
</Applications>

This connection parameter cannot be converted to a variable.

Default email address for data transfer

Default email address of the destination user account for the transfer of user data when a user account is deleted. The email address of the destination user account belongs to the primary domain of the customer to which the deleted user account belongs.

This email address is used if no email address can be determined by the manager of the deleted user account.

Variable: CP_DefaultDataTransferTargetEmail

Products and SKUs XML

Product IDs and Stock keeping unit IDs as XML file.

The list of available products and SKUs is defined by Google and therefore fixed in the Google Workspace connector. If Google changes this list, you can enter an XML file here that overwrites the list in the Google Workspace connector.

To restore the default list, delete the XML document.

Example of a Products and SKUs XML

<products>
    <product name="Google Workspace" id="Google-Apps">
        <sku id="Google-Apps-Unlimited" name="Google Workspace Business"/>
        <sku id="Google-Apps-For-Business" name="Google Workspace Basic" />
        <sku id="Google-Apps-Lite" name="oogle Workspace Lite"/>
        <sku id="Google-Apps-For-Postini" name="Google Apps Message Security"/>
    </product>
    <product name="Google Drive storage" id="Google-Drive-storage">
        <sku id="Google-Drive-storage-20GB" name="Google Drive storage 20 GB"/>
        <sku id="Google-Drive-storage-50GB" name="Google Drive storage 50 GB"/>
        <...>
        <sku id="Google-Drive-storage-16TB" name="Google Drive storage 16 TB"/>
    </product>
    <...>
</products>

This connection parameter cannot be converted to a variable.

Related topics

Editing connection parameters in the variable set

The connection parameters for advanced settings were saved as variables in the default variable when synchronization was set up. You can change the values in these variables to suit you requirements and assign the variable set to a start up configuration and a base object. This means that you always have the option to use default values from the default variable set.

NOTE: To guarantee data consistency in the connected target system, ensure that the start-up configuration for synchronization and the base object for provisioning use the same variable set. This especially applies if a synchronization project is used for synchronizing different customers.

To customize connection parameters in a specialized variable set

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Target system category.

  3. Open the Connection parameters view.

    Some connection parameters can be converted to variables here. For other parameters, variables are already created.

  4. Select one of the following parameters and click Convert.

    • Polling count

    • Batch retry count

    • Batch timeout

    • Use the local cache

    • Read-only API access

  5. Select the Configuration > Variables category.

    All specialized variable sets are shown in the lower part of the document view.

  6. Select a specialized variable set or click on in the variable set view's toolbar.

    • To rename the variable set, select the variable set and click the variable set view in the toolbar . Enter a name for the variable set.

  7. Select the previously added variable and enter a new value.

  8. Select the Configuration > Start up configurations category.

  9. Select a start up configuration and click Edit.

  10. Select the General tab.

  11. Select the specialized variable set in the Variable set menu.

  12. Select the Configuration > Base objects category.

  13. Select the base object and click .

    - OR -

    To add a new base object, click .

  14. Select the specialized variable set in the Variable set menu.

  15. Save the changes.

For more information about using variables and variable sets, or restoring default values and adding base objects, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Editing target system connection properties

The advanced settings of the target system connection can be changed using the system connection wizard. If variables are defined for the settings, the changes are transferred to the active variable set.

NOTE: In the following circumstances, the default values cannot be restored:

  • The connection parameters are not defined as variables.

  • The default variable set is selected as an active variable set.

In both these cases, the system connection wizard overwrites the default values. They cannot be restored at a later time.

To edit advanced settings with the system connection wizard

  1. In the Synchronization Editor, open the synchronization project.

  2. In the toolbar, select the active variable set to be used for the connection to the target system.

    NOTE: If the default variable set is selected, the default values are overwritten and cannot be restored at a later time.

  3. Select the Configuration > Target system category.

  4. Click Edit connection.

    This starts the system connection wizard.

  1. On the system connection wizard's start page, enable Show advanced options.

  2. On the Google Workspace administrators page, you can also enable the Read-only API access option.

    When you test the connection, a check is carried out to verify if the appropriate API scopes are authorized.

  3. On the Local cache page, you can set the Use the local cache option.

  4. Customize the properties as required on the Advanced settings page.

  5. Save the changes.
Detailed information about this topic

Configuring the provisioning of memberships

Memberships, such as user accounts in groups, are saved in assignment tables in the One Identity Manager database. During provisioning of modified memberships, changes made in the target system may be overwritten. This behavior can occur under the following conditions:

  • Memberships are saved as an object property in list form in the target system.

    Example: List of user accounts in the Member property of a Google Workspace group (Group)

  • Memberships can be modified in either of the connected systems.

  • A provisioning workflow and provisioning processes are set up.

If one membership in One Identity Manager changes, by default, the complete list of members is transferred to the target system. Therefore, memberships that were previously added to the target system are removed in the process and previously deleted memberships are added again.

To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. The corresponding behavior is configured separately for each assignment table.

To allow separate provisioning of memberships

  1. In the Manager, select the Google Workspace > Basic configuration data > Target system types category.

  2. In the result list, select the Google Workspace target system type.

  3. Select the Configure tables for publishing task.

  4. Select the assignment tables that you want to set up for single provisioning. Multi-select is possible.

  5. Click Merge mode.

    NOTE:

    • This option can only be enabled for assignment tables that have a base table with a XDateSubItem column.

    • Assignment tables that are grouped together in a virtual schema property in the mapping must be marked identically.

  6. Save the changes.

For each assignment table labeled like this, the changes made in One Identity Manager are saved in a separate table. Therefore, only newly added and deleted assignments are processed. During modification provisioning, the members list in the target system is compared to the entries in this table. This means that only modified memberships are provisioned and not the entire members list.

NOTE: The complete members list is updated by synchronization. During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.

You can restrict single provisioning of memberships with a condition. Once merge mode has been disabled for a table, the condition is deleted. Tables that have had the condition deleted or edited are marked with the following icon: . You can restore the original condition at any time.

To restore the original condition

  1. Select the auxiliary table for which you want to restore the condition.

  2. Right-click on the selected row and select the Restore original values context menu item.

  3. Save the changes.

NOTE: To create the reference to the added or deleted assignments in the condition, use the i table alias.

Example of a condition on the GAPUserInPaSku assignment table:

exists (select top 1 1 from GAPPaSku g
where g.UID_GAPPaSku = i.UID_GAPPaSku
and <limiting condition>)

For more information about provisioning memberships, see the One Identity Manager Target System Synchronization Reference Guide.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択