Google Workspace

Overview

Euno integrates with Google Workspace to observe users and groups from your identity and access management system. This integration enables you to track user accounts, groups, and group memberships in your data model, providing visibility into organizational structure and access patterns.

Euno's Google Workspace integration supports auto-discovery of the following resources:

Users (user)
User groups (user_group)

Requirements

To ingest metadata from Google Workspace, you will need:

A Google Workspace organization account
Domain-wide delegation configured for Euno's service account
The service account's client ID must be authorized in Google Workspace Admin Console with the following OAuth scopes:
- https://www.googleapis.com/auth/admin.directory.user.readonly - Read user information
- https://www.googleapis.com/auth/admin.directory.group.readonly - Read group information

Setup Instructions

Step 1: Configure Domain-Wide Delegation in Google Workspace

Sign in to your Google Admin Console
Navigate to Security → Access and data control → API Controls
Under Domain-wide delegation, click Manage Domain Wide Delegation
Click Add new to add a new client
Enter Euno's service account client ID (provided by Euno support)

In the OAuth scopes field, enter the following scopes (comma-separated):

https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly

Click Authorize

Note:

The service account client ID is a numeric ID (not the email address). Euno support will provide this client ID during setup.
The admin user you configure in Step 2 must exist in your Google Workspace domain. This user will be impersonated by the service account to access the Admin SDK Directory API.

Step 2: Configure the Integration in Euno

In Euno, navigate to Sources → Add Integration
Select Google Workspace from the list of available integrations
Fill in the configuration:
- Google Workspace Domain: Your Google Workspace domain (e.g., customer.com)
- Admin User Email: The email address of the Google Workspace admin user to impersonate for domain-wide delegation (e.g., [email protected]). This user must exist in your Google Workspace domain and must be authorized for domain-wide delegation.
Click Save to create the integration

Note: The service account key is automatically configured by Euno and does not need to be provided in the configuration form.

Step 3: Run the Crawler

After creating the integration, you can trigger a manual crawl by clicking Run Now on the integration page
The integration will automatically crawl on its configured schedule (default: every 2 hours)

What Euno Discovers

Users

Euno observes all users from your Google Workspace organization. For each user, Euno captures:

Email address (used as the primary identifier)
Display name
Full raw user object from Google Workspace Admin SDK (stored in google_workspace_raw_user_object property)

User Groups

Euno observes all groups from your Google Workspace organization. For each group, Euno captures:

Group name
Group ID (native ID)
Creation timestamp
Group members (users and nested groups)
Full raw group object from Google Workspace Admin SDK (stored in google_workspace_raw_group_object property)

Group Memberships

Euno observes group memberships, including:

Direct user memberships
Nested group memberships (groups that are members of other groups)

Configuration Options

The Google Workspace integration has the following configuration options:

Option

Description

Required

google_workspace_domain

Your Google Workspace domain (e.g., customer.com)

Yes

google_workspace_admin_user

The email address of the Google Workspace admin user to impersonate for domain-wide delegation (e.g., [email protected])

Yes

Troubleshooting

Authentication Errors

If you encounter authentication errors (401/403):

Verify that domain-wide delegation is configured in Google Workspace Admin Console
Ensure the service account client ID is correctly entered in the Admin Console
Check that the OAuth scopes are exactly as specified (comma-separated, no spaces)
Verify that admin consent has been granted for the scopes
Wait a few minutes for changes to propagate (domain-wide delegation changes can take time to take effect)

Missing Users or Groups

If users or groups are not appearing in Euno:

Verify that the domain-wide delegation is properly configured
Check that the configured admin user exists in your Google Workspace domain
Ensure the admin user has sufficient permissions to read users and groups
Verify that the admin user email is correctly entered in the integration configuration
Review the integration run report for any errors or warnings

Group Members Not Showing

If group members are not being observed:

Verify that domain-wide delegation includes the group read scope
Check that groups have members assigned in Google Workspace
Review the integration logs for any API errors when fetching group members

Feature Flag

The Google Workspace integration is currently behind a feature flag (showGoogleWorkspaceIntegration). Contact your Euno administrator to enable this integration if it's not visible in your instance.

PreviousOkta Integration Discovered Resources NextGoogle Workspace Integration Discovered Resources

Last updated 2 days ago

hashtagOverview

hashtagRequirements

hashtagSetup Instructions

hashtagStep 1: Configure Domain-Wide Delegation in Google Workspace

hashtagStep 2: Configure the Integration in Euno

hashtagStep 3: Run the Crawler

hashtagWhat Euno Discovers

hashtagUsers

hashtagUser Groups

hashtagGroup Memberships

hashtagConfiguration Options

hashtagTroubleshooting

hashtagAuthentication Errors

hashtagMissing Users or Groups

hashtagGroup Members Not Showing

hashtagFeature Flag