# Google Workspace ## Overview Euno integrates with Google Workspace to observe users and groups from your identity and access management system. This integration enables you to track user accounts, groups, and group memberships in your data model, providing visibility into organizational structure and access patterns. Euno's Google Workspace integration supports auto-discovery of the following resources: * Users (`user`) * User groups (`user_group`) ## Requirements To ingest metadata from Google Workspace, you will need: * A Google Workspace organization account * Domain-wide delegation configured for Euno's service account * The service account's client ID must be authorized in Google Workspace Admin Console with the following OAuth scopes: * `https://www.googleapis.com/auth/admin.directory.user.readonly` - Read user information * `https://www.googleapis.com/auth/admin.directory.group.readonly` - Read group information ## Setup Instructions ### Step 1: Configure Domain-Wide Delegation in Google Workspace 1. Sign in to your [Google Admin Console](https://admin.google.com/) 2. Navigate to **Security** → **Access and data control** → **API Controls** 3. Under **Domain-wide delegation**, click **Manage Domain Wide Delegation** 4. Click **Add new** to add a new client 5. Enter Euno's service account client ID: `105907650580827198566` 6. In the **OAuth scopes** field, enter the following scopes (comma-separated): ``` https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly ``` 7. Click **Authorize** **Note**: * The admin user you configure in Step 2 must exist in your Google Workspace domain. This user will be impersonated by the service account to access the Admin SDK Directory API. ### Step 2: Configure the Integration in Euno 1. In Euno, navigate to **Sources** → **Add Integration** 2. Select **Google Workspace** from the list of available integrations 3. Fill in the configuration: * **Google Workspace Domain**: Your Google Workspace domain (e.g., `customer.com`) * **Admin User Email**: The email address of the Google Workspace admin user to impersonate for domain-wide delegation (e.g., `admin@customer.com`). This user must exist in your Google Workspace domain and must be authorized for domain-wide delegation. 4. Click **Save** to create the integration **Note**: The service account key is automatically configured by Euno and does not need to be provided in the configuration form. ### Step 3: Run the Crawler 1. After creating the integration, you can trigger a manual crawl by clicking **Run Now** on the integration page 2. The integration will automatically crawl on its configured schedule (default: every 2 hours) ## What Euno Discovers ### Users Euno observes all users from your Google Workspace organization. For each user, Euno captures: * Email address (used as the primary identifier) * Display name * Full raw user object from Google Workspace Admin SDK (stored in `google_workspace_raw_user_object` property) ### User Groups Euno observes all groups from your Google Workspace organization. For each group, Euno captures: * Group name * Group ID (native ID) * Creation timestamp * Group members (users and nested groups) * Full raw group object from Google Workspace Admin SDK (stored in `google_workspace_raw_group_object` property) ### Group Memberships Euno observes group memberships, including: * Direct user memberships * Nested group memberships (groups that are members of other groups) ## Configuration Options The Google Workspace integration has the following configuration options: | Option | Description | Required | | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------- | -------- | | `google_workspace_domain` | Your Google Workspace domain (e.g., `customer.com`) | Yes | | `google_workspace_admin_user` | The email address of the Google Workspace admin user to impersonate for domain-wide delegation (e.g., `admin@customer.com`) | Yes | ## Troubleshooting ### Authentication Errors If you encounter authentication errors (401/403): * Verify that domain-wide delegation is configured in Google Workspace Admin Console * Ensure the service account client ID is correctly entered in the Admin Console * Check that the OAuth scopes are exactly as specified (comma-separated, no spaces) * Verify that admin consent has been granted for the scopes * Wait a few minutes for changes to propagate (domain-wide delegation changes can take time to take effect) ### Missing Users or Groups If users or groups are not appearing in Euno: * Verify that the domain-wide delegation is properly configured * Check that the configured admin user exists in your Google Workspace domain * Ensure the admin user has sufficient permissions to read users and groups * Verify that the admin user email is correctly entered in the integration configuration * Review the integration run report for any errors or warnings ### Group Members Not Showing If group members are not being observed: * Verify that domain-wide delegation includes the group read scope * Check that groups have members assigned in Google Workspace * Review the integration logs for any API errors when fetching group members --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.euno.ai/sources/identity-and-organization/google-workspace-integration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.