Overview
Google Workspace is the new name for G Suite. This connector does not currently cover Google Cloud Platform access management.
The IDHub Google connector manages accounts, groups and roles across all domains available in a Google Workspace for Business, Education or ISP tenant, provided the service account configured in the application has been granted access to those domains. The connector also manages the Google Drive files that the connected (logged-in) user can access. Because that service account acts on the whole tenant, grant it only the Admin SDK and Drive scopes the enabled features need and treat its key as a privileged credential.
Our Google connector:
- Manages Google Drive content, including Sheets, Docs, Slides and other Drive components
- Manages accounts and groups from Workspace
- Uses the exponential back-off strategy recommended by Google when reconciling against Google APIs
- Supports managing multiple accounts
For more information about Connector Health and its status, see the Connector Health page.
Architecture
The connector's architecture is shown in the diagram below. It consists of three parts: the connector application, a Google Workspace SDK controller and a target system component. Native communication with Google is handled by the target system component, which wraps the Google-specific connection implementation. This layering allows rapid, straightforward connector deployment and precise versioning of each part.
Features
- Account Management
  - Manage Google Workspace Users as Accounts
  - Provision, Modify and Delete Accounts
  - Reconcile Accounts
  - Add or Remove Entitlements
  - Enable and Disable Accounts
  - Move Users to Another Organizational Unit
- Group Management
  - Manage Google Workspace Groups as Entitlements
  - Reconcile Groups
- Role Management
  - Manage Google Workspace Roles as Entitlements
  - Reconcile Roles
- Drive Management
  - Manage Google Drives and their contents (Slides, Docs, Sheets etc.) as Entitlements
  - Reconcile Drives and their contents
- Authentication Features
  - OAuth 2.0 Authentication
  - Multi-factor Authentication (MFA) Management
  - Single Sign-On (SSO) Management
- Reconciliation Features
- Server Features
Google Cloud Platform based provisioning and reconciliation is planned for this connector. It will cover GCP domains, accounts, projects, folders, roles and resource permissions.
Account Management
The Google Workspace connector manages accounts from all organizational units. The supported operations are:
Operation | Supported |
---|---|
Manage Accounts as Users | Yes |
Create Account (Provision Users) | Yes |
Update Account (Modify Users) | Yes |
Delete Account (Remove Users) | Yes |
Enable/Disable User | Yes |
Add Workspace Entitlement (Group, Role etc.) | Yes |
Add Drive Entitlement (Drive, Sheet, Docs, Form etc.) | Yes |
Move User to another OU | Yes |
Reconcile Users | Yes |
This does not include Google Cloud Platform service accounts or domains.
Group Management
Google allows all groups in the Workspace tenant to be fetched and managed. IDHub performs the following group operations:
- Fetch Google Groups
- Add Accounts to Groups
- Remove Accounts from Groups
- Remove Groups from Workspace
- Reconcile Account-Group Access
Role Management
Google allows all admin roles in the Workspace tenant to be fetched and managed. IDHub performs the following role operations:
- Fetch Google Roles
- Add Accounts to Roles
- Remove Accounts from Roles
- Remove Roles from Workspace
- Reconcile Account-Roles Access
Drive Management
This feature is specific to IDHub: the Google connector manages access to Drive content. For Drive, Sheets, Docs and other Google components, the following sharing roles are supported. They correspond to the permission roles Google exposes on Drive items; Content Manager and Manager are shared drive roles.
Operation | Supported |
---|---|
Add/Remove Viewer | Yes |
Add/Remove Commenter | Yes |
Add/Remove Contributor | Yes |
Add/Remove Content Manager | Yes |
Add/Remove Manager | Yes |
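The sharing roles in the table map onto the `role` values of the Drive API v3 `permissions` resource. The following is an added example, not IDHub connector code, of how a connector would plan the create/update/delete operations that bring one file's permissions in line with the entitlements it holds for that file. The `ROLE_MAP` labels are the table's names, the `SAMPLE_CURRENT` list is a constructed sample shaped like the `permissions` array returned by `files.get(fields="permissions")`, and nothing is sent to Google.

```python
"""Plan the Drive API permission changes that bring one file's sharing in
line with the entitlements IDHub holds for it.

Added example, not IDHub connector code. The role labels in the table above
are Drive's UI names; ROLE_MAP translates them to the `role` values the
Drive API v3 `permissions` resource uses. SAMPLE_CURRENT is a constructed
sample shaped like the `permissions` array returned by
files.get(fields="permissions"); nothing is sent to Google.
"""
from dataclasses import dataclass
from typing import Optional

# Drive UI label (entitlement name) -> Drive API v3 permission role
ROLE_MAP = {
    "Viewer": "reader",
    "Commenter": "commenter",
    "Contributor": "writer",
    "Content Manager": "fileOrganizer",
    "Manager": "organizer",
}
# Roles that can re-share, move or delete content: grant only with explicit approval
HIGH_PRIVILEGE = {"fileOrganizer", "organizer"}


@dataclass(frozen=True)
class Op:
    action: str                    # "create", "update" or "delete"
    email: str
    role: Optional[str]            # API role for create/update, None for delete
    permission_id: Optional[str]   # existing permission id for update/delete


def plan_permission_changes(current, desired, allow_high_privilege=False):
    """Return (ops, exposures).

    ops: Drive API operations that move `current` to `desired`
         (desired maps email -> ROLE_MAP label).
    exposures: ids of "anyone"/"domain" permissions, i.e. link sharing that no
         user entitlement explains and that a reviewer should look at.
    Owner permissions are never touched; ownership transfer is a separate,
    audited operation. Unknown labels and unapproved high-privilege roles fail
    closed with an exception rather than being silently granted.
    """
    wanted = {}
    for email, label in desired.items():
        role = ROLE_MAP.get(label)
        if role is None:
            raise ValueError(f"unknown Drive entitlement {label!r}")
        if role in HIGH_PRIVILEGE and not allow_high_privilege:
            raise PermissionError(f"{label} for {email} needs explicit approval")
        wanted[email.lower()] = role

    by_email = {p["emailAddress"].lower(): p for p in current if p.get("type") == "user"}
    ops = []
    for email, role in wanted.items():
        existing = by_email.get(email)
        if existing is None:
            ops.append(Op("create", email, role, None))
        elif existing["role"] not in ("owner", role):
            ops.append(Op("update", email, role, existing["id"]))
    for email, p in by_email.items():
        if email not in wanted and p["role"] != "owner":
            ops.append(Op("delete", email, None, p["id"]))

    exposures = [p["id"] for p in current if p.get("type") in ("anyone", "domain")]
    return ops, exposures


# Constructed sample: what files.get(fields="permissions") might return
SAMPLE_CURRENT = [
    {"id": "p1", "type": "user", "emailAddress": "owner@example.com", "role": "owner"},
    {"id": "p2", "type": "user", "emailAddress": "Alice@example.com", "role": "reader"},
    {"id": "p3", "type": "user", "emailAddress": "bob@example.com", "role": "writer"},
    {"id": "p4", "type": "anyone", "role": "reader"},   # "anyone with the link"
]
SAMPLE_DESIRED = {"alice@example.com": "Contributor", "carol@example.com": "Viewer"}

if __name__ == "__main__":
    ops, exposures = plan_permission_changes(SAMPLE_CURRENT, SAMPLE_DESIRED)
    for op in ops:
        print(op)
    print("link sharing to review:", exposures)
```

The diff is computed case-insensitively on e-mail, skips the owner, and reports "anyone" or "domain" link sharing separately because no account entitlement can explain it; a connector that only adds and removes user permissions would otherwise never notice a file shared to the whole internet.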
Authentication Features
IDHub delegates authentication to Keycloak. SAML-based single sign-on and MFA are configured between Keycloak and your Google tenant, outside the connector's feature set.
Reconciliation
The connector's reconciliation uses the exponential back-off strategy Google recommends for its APIs, so rate-limited or transiently failing calls are retried with increasing delays rather than aborting the run. Some of the reconciliation features are as follows:
Account Reconciliation: brings all existing user data from the target system into IDHub. If the target system exposes an attribute holding the timestamp at which a record was created or modified, IDHub performs incremental reconciliation after the first full run, fetching only the records changed since the previous run.
Entitlement Reconciliation: entitlements such as Google Drive, Groups, Slides and Docs can also be reconciled on demand. Reconciling (syncing) an entitlement updates its metadata and the set of user accounts associated with it.
A reconciliation run can be split into batches by specifying the number of records per batch. The reconciliation task can also fetch details of users deleted on the target system; IDHub uses this information to revoke the corresponding Google Workspace resources. Transformation and validation of account data flowing into or out of IDHub during reconciliation and provisioning can be configured by writing Groovy scripts
while creating your application.
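The pieces described in this section (back-off on rate limits, a first full run followed by incremental runs keyed on a modification timestamp, batching, and a separate pass over deleted users) fit together as in the following added example. It is not IDHub's reconciliation code. `FakeDirectory` is a constructed stand-in for the Directory API `users.list` call (the `pageToken`, `maxResults` and `showDeleted` parameter names are the real ones, but nothing is sent to Google), the user records and injected rate-limit errors are constructed, and the `lastModified` field is an assumption standing in for whatever change-tracking attribute the target exposes.

```python
"""Account reconciliation loop with Google's recommended exponential back-off,
incremental (watermark-based) sync and batch processing.

Added example, not IDHub connector code. FakeDirectory stands in for the
Directory API users.list call; its page size, seeded users and injected
rate-limit errors are constructed for this illustration. The `lastModified`
attribute is an assumption: it represents the created/modified timestamp the
incremental strategy depends on.
"""
import random
import time


class RateLimited(Exception):
    """Stand-in for an HTTP 429 / 403 rateLimitExceeded response."""


class FakeDirectory:
    """Constructed stand-in for Directory API users.list. Fails the first
    `fail_first` calls with RateLimited to exercise the back-off path."""

    def __init__(self, users, deleted, page_size=2, fail_first=2):
        self.users, self.deleted, self.page_size = users, deleted, page_size
        self.fail_first, self.calls = fail_first, 0

    def list(self, pageToken=None, maxResults=None, showDeleted=False):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise RateLimited("rateLimitExceeded")
        src = self.deleted if showDeleted else self.users
        start, size = int(pageToken or 0), maxResults or self.page_size
        nxt = str(start + size) if start + size < len(src) else None
        return {"users": src[start:start + size], "nextPageToken": nxt}


def with_backoff(call, max_retries=5, cap=32.0, sleep=time.sleep, rng=random.random):
    """Retry `call` on RateLimited, waiting min(cap, 2**n + jitter) seconds:
    the truncated exponential back-off Google documents for its APIs."""
    for attempt in range(max_retries + 1):
        try:
            return call()
        except RateLimited:
            if attempt == max_retries:
                raise
            sleep(min(cap, 2 ** attempt + rng()))


def fetch_all(directory, show_deleted=False, **kw):
    """Follow nextPageToken until exhausted, retrying each page on rate limits."""
    token, out = None, []
    while True:
        resp = with_backoff(lambda: directory.list(pageToken=token, showDeleted=show_deleted), **kw)
        out.extend(resp["users"])
        token = resp.get("nextPageToken")
        if not token:
            return out


def reconcile(directory, state, batch_size=2, **kw):
    """One reconciliation run. `state` carries the watermark between runs: the
    first run is full, later runs process only records modified after the
    stored watermark. Deleted users are fetched separately so their access can
    be revoked. Returns (batches for the provisioning engine, deleted emails)."""
    watermark = state.get("watermark")
    users = fetch_all(directory, **kw)
    changed = [u for u in users if watermark is None or u["lastModified"] > watermark]
    changed.sort(key=lambda u: u["lastModified"])
    batches = [changed[i:i + batch_size] for i in range(0, len(changed), batch_size)]
    deleted = [u["primaryEmail"] for u in fetch_all(directory, show_deleted=True, **kw)]
    if changed:
        state["watermark"] = changed[-1]["lastModified"]
    return batches, deleted


# Constructed sample data (ISO-8601 UTC timestamps compare correctly as strings)
USERS = [
    {"primaryEmail": "alice@example.com", "lastModified": "2024-03-01T10:00:00Z"},
    {"primaryEmail": "bob@example.com", "lastModified": "2024-03-02T10:00:00Z"},
    {"primaryEmail": "carol@example.com", "lastModified": "2024-03-03T10:00:00Z"},
]
DELETED = [{"primaryEmail": "mallory@example.com", "lastModified": "2024-03-02T12:00:00Z"}]

if __name__ == "__main__":
    d, state = FakeDirectory(USERS, DELETED), {}
    print(reconcile(d, state, sleep=lambda s: None))   # full run: 3 users in 2 batches
    USERS.append({"primaryEmail": "dave@example.com", "lastModified": "2024-03-04T10:00:00Z"})
    print(reconcile(d, state, sleep=lambda s: None))   # incremental run: only dave
```

Two details matter in practice. The watermark is advanced only after the run has processed everything up to it, so a crash mid-run repeats work rather than losing changes; and the deleted-user pass runs on every cycle, because an account removed on the target no longer appears in the normal listing and would otherwise keep its IDHub-side entitlements indefinitely.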
Server
A Connector Server is one of the deployment options IDHub provides. With one or more connector servers, the connector architecture lets your application communicate with externally deployed connector bundles. If you do not want to run the IDHub Java connector bundle in the same VM as the application, you can run the connector on a different host for better performance.
Connection Pooling
A connection pool is a cache of objects that represent physical connections to the target. IDHub connectors use these connections to communicate with target systems. At run time the application requests a connection from the pool; if one is available, the connector uses it and then returns it to the pool, where it can be requested again for another operation. By reusing connections, the pool avoids the cost of creating them: network latency, memory allocation and authentication.
One connection pool is created for each set of basic configuration parameters you provide while creating an application. For example, if you have three applications for three installations of the target system, three connection pools are created, one per installation. Because pools are keyed on the configuration, a connection authenticated for one application is never reused by another.
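As an added example (not IDHub's pool implementation), the following shows the pool-per-configuration behaviour described above: a bounded pool of reusable connections, keyed on the full set of basic configuration parameters so that two applications with different service accounts or domains never share a connection. `TargetConnection` is a constructed stand-in for an authenticated Google API client and only counts how many physical connections are opened; the configuration keys `domain` and `serviceAccount` are assumptions for the illustration.

```python
"""Minimal connection pool keyed on the application's basic configuration.

Added example, not IDHub code. TargetConnection is a constructed stand-in for
an authenticated API client; the configuration keys "domain" and
"serviceAccount" are assumptions. The security-relevant property is that a
pooled connection carries the identity it authenticated with, so pools are
keyed on the whole configuration and never shared across applications.
"""
import queue
import threading


class TargetConnection:
    opened = 0  # class-wide count of physical connections created

    def __init__(self, config):
        TargetConnection.opened += 1
        self.config = config
        self.authenticated_as = config["serviceAccount"]

    def call(self, op):
        # A real client would issue the API request over this connection
        return f"{op} as {self.authenticated_as} on {self.config['domain']}"


class ConnectionPool:
    """Bounded pool: acquire() blocks when max_size connections are in use
    and raises TimeoutError once `timeout` seconds have passed."""

    def __init__(self, config, max_size=2):
        self.config = config
        self._idle = queue.LifoQueue()          # most recently used first
        self._slots = threading.Semaphore(max_size)

    def acquire(self, timeout=5):
        if not self._slots.acquire(timeout=timeout):
            raise TimeoutError("connection pool exhausted")
        try:
            return self._idle.get_nowait()       # reuse an idle connection
        except queue.Empty:
            return TargetConnection(self.config)  # or open a new one

    def release(self, conn):
        self._idle.put(conn)
        self._slots.release()


_POOLS = {}
_POOLS_LOCK = threading.Lock()


def pool_key(config):
    """Pools are distinguished by every basic configuration parameter."""
    return tuple(sorted(config.items()))


def pool_for(config, max_size=2):
    key = pool_key(config)
    with _POOLS_LOCK:
        if key not in _POOLS:
            _POOLS[key] = ConnectionPool(config, max_size)
        return _POOLS[key]


def run_operation(config, op):
    """Borrow a connection for one operation and always hand it back."""
    pool = pool_for(config)
    conn = pool.acquire()
    try:
        return conn.call(op)
    finally:
        pool.release(conn)


if __name__ == "__main__":
    cfg = {"domain": "example.com", "serviceAccount": "idhub@project.iam.gserviceaccount.com"}
    for op in ("users.list", "groups.list", "roles.list"):
        print(run_operation(cfg, op))
    print("physical connections opened:", TargetConnection.opened)   # 1
```

Releasing in a `finally` block is what keeps the pool from leaking slots when an operation raises; a pool that loses a slot on every failed call eventually blocks all reconciliation.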
Multiple Domain Support
The connector supports reconciliation and provisioning operations in multiple domains. By default it operates within a single domain; to perform connector operations across more than one domain, set the supportMultipleDomain
parameter in Advanced Settings.