지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 8.2.1 - Administration Guide for Connecting to Google Workspace

Mapping a Google Workspace environment in One Identity Manager Synchronizing a Google Workspace customer
Setting up initial synchronization of a Google Workspace customer Customizing the synchronization configuration for Google Workspace Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization
Managing Google Workspace user accounts and employees
Account definitions for Google Workspace user accounts Assigning employees automatically to Google Workspace user accounts Manually linking employees to Google Workspace user accounts Supported user account types Specifying deferred deletion for Google Workspace user accounts
Login information for Google Workspace user accounts Managing Google Workspace entitlement assignments Mapping of Google Workspace objects in One Identity Manager
Google Workspace customers Google Workspace user accounts Google Workspace groups Google Workspace products and SKUs Google Workspace organizations Google Workspace domains Google Workspace domain aliases Google Workspace admin roles Google Workspace admin privileges Google Workspace admin role assignments Reports about Google Workspace objects
Handling of Google Workspace objects in the Web Portal Basic configuration data for managing a Google Workspace customer Troubleshooting the connection to a Google Workspace customer Configuration parameters for managing a Google Workspace environment Default project template for Google Workspace API scopes for the service account Processing methods of Google Workspace system objects Special features in the assignment of Google Workspace groups

Newly added Google Workspace user accounts are marked as outstanding

If the One Identity Manager database is synchronized shortly after provisioning new user accounts in the customer, these user accounts might be marked as outstanding in One Identity Manager (or deleted, depending on the configuration of the synchronization). This error only occurs if a scope has been defined in the synchronization project for the target system.

Probable reason

Adding new user account in Google Workspace takes about 24 hours. If synchronization with the One Identity Manager database is started within these 24 hours, the error described can occur.

Solution

To prevent this error

  • Avoid declaring a scope for this target system.

If a scope is required

  1. Configure the user account synchronization so that objects that do not exist in One Identity Manager are marked as outstanding.

  2. If the error occurs, run a target system comparison.

    For more information, see Post-processing outstanding objects.

    1. Select the object that have been wrongly marked as outstanding.
    2. Apply the Reset method.

      This removes the Outstanding mark. the next time synchronization is run, the error should not occur.

For more detailed information about defining a scope and specifying handling methods for synchronization steps, see the One Identity Manager Target System Synchronization Reference Guide.

Configuration parameters for managing a Google Workspace environment

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 47: Configuration parameters for synchronizing Google Workspace

Configuration parameter

Meaning if Set

TargetSystem | GoogleApps

Preprocessor relevant configuration parameter for controlling database model components for Google Workspace target system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

TargetSystem | GoogleApps | Accounts

Parameter for configuring Google Workspace user account data.

TargetSystem | GoogleApps | Accounts | InitialRandomPassword

Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | GoogleApps | Accounts | InitialRandomPassword | SendTo

Specifies to which employee the email with the random generated password should be sent (manager cost center/department/location/role, employee’s manager or XUserInserted). If no recipient can be found, the email is sent to the address stored in the configuration parameter TargetSystem | GoogleApps | DefaultAddress.

TargetSystem | GoogleApps | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName

Mail template name that is sent to supply users with the login credentials for the user account. The Employee - new user account created mail template is used.

TargetSystem | GoogleApps | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword

Mail template name that is sent to supply users with the initial password. The Employee - initial password for new user account mail template is used.

TargetSystem | GoogleApps | Accounts | MailTemplateDefaultValues

Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.

TargetSystem | GoogleApps | Accounts | PrivilegedAccount

Allows configuration of privileged user account settings.

TargetSystem | GoogleApps | Accounts | TransferJPegPhoto

This configuration parameter specifies whether changes to the employee's picture are published in existing Google Workspace user accounts. The picture is not part of default synchronization. It is only published when employee data is changed.

TargetSystem | GoogleApps | DefaultAddress

Default email address of the recipient for notifications about actions in the target system.

TargetSystem | GoogleApps | MaxFullsyncDuration

Maximum runtime of a synchronization in minutes. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group membership are recalculated.

TargetSystem | GoogleApps | PersonAutoDefault

Mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem | GoogleApps | PersonAutoDisabledAccounts

Specifies whether employees are automatically assigned to disabled user accounts. User accounts are not given an account definition.

TargetSystem | GoogleApps | PersonAutoFullsync

Mode for automatic employee assignment for user accounts that are added to or updated in the database by synchronization.

TargetSystem | GoogleApps | PersonExcludeList

List of all user accounts that must not be automatically assigned to employees. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $

Default project template for Google Workspace

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The project template uses mappings for the following schema types.

Table 48: Mapping Google Workspace schema types to tables in the One Identity Manager schema
Schema type in Google Workspace Table in the One Identity Manager Schema
AdminPrivilege GAPPrivilege
AdminRole GAPAdminRole
AdminRoleAssignment GAPOrgAdminRole
Customer GAPCustomer
Domain GAPDomain
DomainAlias GAPDomainAlias
Group GAPGroup
OrgUnit GAPOrgUnit
ProductAndSku GAPPaSku
User GAPUser
UserAddress GAPUserAddress
UserEmail GAPUserEmail
UserExternalId GAPUserExternalId

UserIm

GAPUserIM

UserOrganization

GAPUserOrganization

UserPhone

GAPUserPhone

UserRelation

GAPUserRelation

UserWebsite

GAPUserWebSite

API scopes for the service account

The service account's client ID must be authorized for various API scopes in the Google Admin console:

For read and write access:

https://www.googleapis.com/auth/admin.directory.customer, 
https://www.googleapis.com/auth/admin.directory.device.chromeos, 
https://www.googleapis.com/auth/admin.directory.device.mobile, 
https://www.googleapis.com/auth/admin.directory.device.mobile.action, 
https://www.googleapis.com/auth/admin.directory.domain, 
https://www.googleapis.com/auth/admin.directory.group, 
https://www.googleapis.com/auth/admin.directory.group.member, 
https://www.googleapis.com/auth/admin.directory.notifications, 
https://www.googleapis.com/auth/admin.directory.orgunit, 
https://www.googleapis.com/auth/admin.directory.resource.calendar, 
https://www.googleapis.com/auth/admin.directory.rolemanagement, 
https://www.googleapis.com/auth/admin.directory.user, 
https://www.googleapis.com/auth/admin.directory.user.alias, 
https://www.googleapis.com/auth/admin.directory.user.security, 
https://www.googleapis.com/auth/admin.directory.userschema, 
https://www.googleapis.com/auth/apps.groups.settings, 
https://www.googleapis.com/auth/admin.datatransfer, 
https://www.googleapis.com/auth/apps.licensing

For read-only access:

https://www.googleapis.com/auth/admin.directory.customer.readonly, 
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly, 
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly, 
https://www.googleapis.com/auth/admin.directory.domain.readonly, 
https://www.googleapis.com/auth/admin.directory.group.readonly, 
https://www.googleapis.com/auth/admin.directory.group.member.readonly, 
https://www.googleapis.com/auth/admin.directory.orgunit.readonly, 
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly, 
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly, 
https://www.googleapis.com/auth/admin.directory.user.readonly, 
https://www.googleapis.com/auth/admin.directory.user.alias.readonly, 
https://www.googleapis.com/auth/admin.directory.userschema.readonly, 
https://www.googleapis.com/auth/apps.groups.settings, 
https://www.googleapis.com/auth/admin.datatransfer.readonly, 
https://www.googleapis.com/auth/apps.licensing
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택