
Configuration
- Go to Inventory and select + App to add the Google Workspace App.

- For Opal to manage your Google Workspace on your behalf, you’ll need to create a Google service account with proper permission scopes to retrieve role and user information. Grant the service account the following scopes:
The admin.directory.user scope is used to import and manage users, and the admin.directory.rolemanagement scope is used to import and manage roles.
If you only want to view users' access and not grant or revoke it, you can use the admin.directory.user.readonly and admin.directory.rolemanagement.readonly scopes instead.
- Enable the Admin SDK API in the project that the service account was created in.
In Google, role assignment privileges are only available to the super administrator role. Opal needs the Google Workspace admin email to be a super administrator in order to import admin roles.
- Return to Opal to finish the app creation form. Google Workspace admin email should be a user with the Super Admin Role in order for the service account to read role assignments. You can find super admins in the admin console under Admin Roles > Super Admin. This email is not your service account email. Use this same account for the Google Workspace customer ID field.
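
To confirm the service account holds exactly the scopes listed above and nothing broader, the following added example (not Opal's or Google's own code) audits a comma-separated scope string against the intended mode. The function names, the `manage`/`view` mode labels and the sample input are assumptions made for illustration.

```python
"""Added example: audit the scopes granted to the service account."""

PREFIX = "https://www.googleapis.com/auth/"

# Scopes named on this page, per intended mode (mode labels are hypothetical).
REQUIRED = {
    "manage": {"admin.directory.user", "admin.directory.rolemanagement"},
    "view": {"admin.directory.user.readonly",
             "admin.directory.rolemanagement.readonly"},
}


def normalise(scope: str) -> str:
    """Accept short names or full scope URLs; return the short name."""
    scope = scope.strip()
    return scope[len(PREFIX):] if scope.startswith(PREFIX) else scope


def audit_scopes(granted: str, mode: str) -> dict:
    """Compare a comma-separated scope string with what `mode` needs."""
    if mode not in REQUIRED:
        raise ValueError(f"mode must be one of {sorted(REQUIRED)}")
    have = {normalise(s) for s in granted.split(",") if s.strip()}
    need = REQUIRED[mode]

    def satisfied(scope: str) -> bool:
        # A read/write scope also covers its .readonly counterpart.
        return scope in have or (
            scope.endswith(".readonly") and scope[:-len(".readonly")] in have)

    missing = sorted(s for s in need if not satisfied(s))
    # Anything granted beyond the required set is excess privilege,
    # including a write scope when only view mode is intended.
    excess = sorted(have - need)
    return {"missing": missing, "excess": excess,
            "ok": not missing and not excess}


if __name__ == "__main__":
    # Constructed sample: view-only intent, but one write scope was granted.
    sample = (PREFIX + "admin.directory.user, "
              + PREFIX + "admin.directory.rolemanagement.readonly")
    print(audit_scopes(sample, "view"))
```

An `excess` entry in view mode means the service account can still modify users or roles even though only read access was intended.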
Run app validation checks
After you save your app, you can view existing sync issues from the Setup tab on the app detail page. Missing permissions and sync issues show in the App Validations section. Select the refresh icon to rerun validation checks.

