Skip to main content
All CollectionsConnectionsProvider
Google Workspace Connection for User Access Reviews (UAR)
Google Workspace Connection for User Access Reviews (UAR)
Updated over 2 months ago

Integrating Google Workspace with Drata automates your user access reviews, saving time and reducing errors by syncing user data directly from Google Workspace.

Prerequisites

  • Ensure you have admin privileges within Google Workspace to access the Google Admin console. These privileges can be assigned through two methods:

    • By Role

      • System Roles: These roles come with specific sets of privileges tailored to common administrative tasks.

      • Custom Roles: Created by the organization to fit its specific administrative needs. You can define which privileges are associated with each custom role.

    • By Group

      • Admin privileges can also be granted through membership in a group that has been granted a specific admin role. This allows for easier management of permissions across multiple users. Only security groups can be assigned to an admin role.

  • Note about Google API:

    • The Google API does not offer SCIM support to allow users to bring in connected apps (unlike Microsoft or Okta).

  • Note about managing accounts after connection:

    • After connecting the Google Workspace connection, you can view all the users that are in your Google Workspace within Drata. Refer to the Manage your Google accounts within Drata section within this page for more information.

    • Users who have access to the "Admin Console" will have their admin roles listed and within Drata, you can filter based on the Admin role on the left panel.

      • Those users who are designated as admins on specific Google applications but who do not have access to the Admin console will not show up as Admins within Drata.

Enable Google Workspace

  1. Select Connections on the side navigation menu.

  2. Select the Available connections tab, search for Google Workspace, and select Connect.

  3. Follow the instructions on the connection drawer.

    • Sign in to your Google Admin console at https://admin.google.com with an account that has super-admin privileges.

    • In Domain wide delegation, select the Manage Domain Wide Delegation button and then Add New button.

    • Copy and paste the Drata Autopilot clientId into the Google Client ID field.

      • Drata Autopilot clientId: 109259448122260279196

    • Copy and paste the Google Read Only Scope into the Google OAuth scopes (comma-delimited) field.

      • Google Read Only Scopes:

        • https://www.googleapis.com/auth/admin.directory.user.readonly

        • https://www.googleapis.com/auth/admin.directory.group.readonly

        • https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

    • Select the authorize button to save the form.

    • Now, you have successfully provisioned domain-wide delegation to Drata. Navigate to Drata and within the Google Workspace connection drawer, enter the email that has super-admin privileges to your Google Workspace.

Manage your Google accounts within Drata

  1. Navigate to Drata's Connections page.

  2. Ensure you are on the Active connections tab and search for your Google Workspace connection. Ensure it is the User Access Review connection type.

  3. Within the card, select the Manage Accounts button. You will be redirected to a page displaying a table of users retrieved from your Google Workspace.

  4. You can view and verify that the list of accounts displayed on the Manage Accounts page.

Disconnect Google Workspace

  1. Ensure you are on the Active connections tab and search and select your Google Workspace connection. Ensure it is the User Access Review connection type.

  2. On the Google drawer, select the trash button. A confirmation modal will appear to confirm your action.

    • Note: When you remove a connection, all of the data associated with that connection is removed, including user access review data.

Additional resources

Did this answer your question?