Google Groups

Connect your Google Groups organization to Opal to manage and review access.

Want to set up Opal to manage access to Google Groups? We have you covered.

Opal's integration with Google Groups supports the following, and more:

  • Users can request time-bounded access to your Google groups.
  • Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to Google groups.
  • Admins can add resources from other Opal integrations to a Google group so that the group's members automatically gain birthright access to, for example, a GitHub repo, AWS IAM role, etc.
  • All access changes are tracked in a permanent audit log that can be logged to a Slack channel or exported to your favorite tools.

Getting Started

Create a Google Groups app

To get started, go to the Catalog page, and click + App. Then, click on the Google Groups tile.


You will see a form to be completed. Opal requires the following credentials in order to manage your Google Groups.

Step 1 - Configure a service account for Opal

In order for Opal to manage your Google Groups on your behalf, you'll need to create a Google service account with proper permission scopes.

First, create a service account with a private key authorizing access as follows:

  • Open the Service accounts page. If prompted, select a project.
  • Click "+ Create Service Account" at the top of the page.
    • Step 1: Enter a name and description for the service account. When done, click Create.
    • Step 2: Skip the Grant this service account access to project section by clicking Continue.
    • Step 3: Skip the Grant users access to this service account by clicking Done.
  • Click into your newly-created service account, and go to the Keys tab.
  • Click the Add key drop-down menu, then select Create new key.
  • Select JSON as the Key type and click Create. Your new public/private key pair is generated and downloaded to your machine. You can now click Close on the open dialog.

Next, enable G Suite domain-wide delegation as follows:

  • Click into your newly-created service account, and go to the Details tab.
  • Expand the Advanced Settings section, look under Domain-wide Delegation, and follow the instructions for setting up domain-wide delegation for your service account. Alternatively, follow the steps below:
    • From your Google Workspace domain's Admin console, go to Main menu > Security > API controls.
    • In the Domain wide delegation pane, select Manage Domain Wide Delegation.
    • Click Add new.
    • In the Client ID field, enter the client ID under your service account's Details tab > Unique ID.
    • In the OAuth Scopes field, enter the following scopes:
      • https://www.googleapis.com/auth/admin.directory.user
      • https://www.googleapis.com/auth/admin.directory.group
      • https://www.googleapis.com/auth/admin.directory.rolemanagement
      • https://www.googleapis.com/auth/admin.reports.audit.readonly
      • https://www.googleapis.com/auth/admin.reports.usage.readonly
      • https://www.googleapis.com/auth/admin.directory.user.readonly

Your service account can now use domain-wide delegation to call the Google Admin Directory API on behalf of any admin user in your domain, limited to the scopes you entered.
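The pieces configured above (the downloaded JSON key, the Unique ID entered in the delegation form, the scope list, and the admin who is impersonated) fit together in Google's OAuth 2.0 JWT bearer flow. The script below is an added example, not part of the Opal documentation or Opal's own code: it checks that a downloaded key file has the shape Opal expects, extracts the client ID you paste into the Domain-wide Delegation form, compares the scopes granted in the Admin console against the documented list so that nothing broader than necessary is delegated, and builds the claim set that a Google client library would sign with the key. The key file contents and the admin address are constructed placeholders, and the function names are this example's own.

```python
import json
import time

# Constructed sample of a downloaded service-account JSON key. The values are
# placeholders (not a real key); the field names match what Google emits.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "opal-sync@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# The scopes the Opal setup instructions ask you to delegate.
OPAL_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}

REQUIRED_FIELDS = ("type", "private_key", "client_email", "client_id", "token_uri")


def load_key_info(key_json):
    """Parse a service-account key file and return the values needed for delegation.

    Raises ValueError if the file is not a well-formed service-account key.
    """
    key = json.loads(key_json)
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError("key file is missing fields: %s" % ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError("expected a service_account key, got %r" % key["type"])
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM-encoded private key")
    # client_id is the numeric Unique ID shown on the service account's Details
    # tab; it is what goes into the Client ID field of the delegation form.
    return {
        "client_id": key["client_id"],
        "client_email": key["client_email"],
        "token_uri": key["token_uri"],
    }


def check_scopes(granted, allowed=OPAL_SCOPES):
    """Compare the scopes granted in the Admin console with the documented list.

    'missing' breaks the integration; 'extra' is authority Opal does not need
    and should be removed from the delegation entry.
    """
    granted_set = set(granted)
    return {
        "missing": sorted(allowed - granted_set),
        "extra": sorted(granted_set - allowed),
    }


def build_delegation_claims(key_info, admin_email, scopes, now=None, lifetime=3600):
    """Claim set for the Google OAuth 2.0 JWT bearer flow with domain-wide delegation.

    'iss' is the service account, 'sub' is the Workspace admin it impersonates,
    and 'scope' is the space-delimited scope list. A Google client library signs
    this claim set with the private key (RS256) and exchanges it at token_uri;
    signing is deliberately left to that library here.
    """
    now = int(time.time()) if now is None else now
    return {
        "iss": key_info["client_email"],
        "sub": admin_email,
        "scope": " ".join(sorted(scopes)),
        "aud": key_info["token_uri"],
        "iat": now,
        "exp": now + lifetime,
    }


if __name__ == "__main__":
    info = load_key_info(SAMPLE_KEY_JSON)
    print("Client ID for the delegation form:", info["client_id"])
    # Constructed example of a delegation entry that was typed in with one
    # scope missing and one unrelated scope added.
    granted = sorted(OPAL_SCOPES - {"https://www.googleapis.com/auth/admin.reports.usage.readonly"})
    granted.append("https://www.googleapis.com/auth/drive")
    print("Scope check:", check_scopes(granted))
    print("Claims:", build_delegation_claims(info, "admin@example.com", OPAL_SCOPES))
```

Run the scope check against the scopes actually saved in Security > API controls > Domain wide delegation after setup; a non-empty 'extra' list means the service account key, if it ever leaks, carries more authority than the integration requires.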

Step 2 - Fill out Opal form

Back in the Apps form, fill in details about your Google Groups service account:

  • For Opal group email, enter the email address of the Google group named Opal that is used for automatic import (see Step 3).
  • For Google Workspace admin email, enter the email of someone in your organization with admin privileges. Opal acts on behalf of this user through domain-wide delegation.
  • For domain, you can optionally enter the domain of your Google Workspace. If your Google Workspace has multiple domains, Opal will only import the Google groups associated with the domain you enter. If left blank, it defaults to the domain of the Google Workspace admin email.
  • Then, click to upload the JSON key file downloaded for the service account you created.

If this step is successful, you've completed setting up the Google Groups app.

Step 3 - Import Google groups into Opal

There are two ways to import your Google groups into Opal.

Technical note: Opal does not currently support syncing entire Organizational Units (OUs) or OU subtrees.

Manual import

You can use the Opal UI to manually select which Google Groups to import into Opal. To do this, click on the "..." -> "Import Items" and then select your groups.


This will query Google Groups to list all groups in your account. From here, you can select which Google Groups you'd like to import into Opal.

Automatic import

You can configure your Google Groups to be auto-imported into Opal each time the Google Groups app is synced.

To automatically import your groups from Google Groups:

  • In Google Groups, create a Google group called Opal. Any groups that you add as members of this group will automatically be imported into Opal.
  • In Opal, navigate to Catalog > Google Groups App.
  • Click the Edit button on the top right, then under Import Settings, toggle the setting to Auto-import tagged.
