Google Workspace
We support several features in Google Workspace, such as user management and group management. More interestingly, we can automatically discover information for you, such as which applications are used by which user.
Capabilities
Structure Sync
AccessOwl periodically syncs the roles/permissions schema of an application.
User Sync
AccessOwl periodically syncs a list of users along with their assigned roles/permissions.
Provisioning
AccessOwl creates or removes user accounts with the specified roles/permissions during access requests or revocations.
Directory Sync
AccessOwl syncs (creates, removes, or deactivates) users from directories like Slack, Microsoft 365, Okta, or Google into the AccessOwl users database.
Required Google Workspace OAuth Permissions
AccessOwl integrates with your Google Workspace organization to automate user provisioning, de-provisioning and Shadow IT detection. To do so, AccessOwl requires customers to confirm the following OAuth permissions.
Provisioning and de-provisioning users in Google Workspace, reading manager information (if available), and assigning users the correct set of permissions and groups:
Detecting Shadow IT:
User & Group Management
Put a user in the right organizational unit (OU) by using the object “Assigned Organizational Unit” during onboarding. You can give a user more roles in other OUs by selecting other objects. Furthermore, groups can be assigned, including the role of Member, Manager or Owner.
Application Discovery (Shadow IT Detection)
We analyze usage data in Google Workspace to determine which applications are used in your organization. The permissions are granted by a Google Workspace admin during AccessOwl setup. When new applications are used in your organization, Org Admins are notified. You can either approve or ignore these discovered applications before they become available for user requests.
User Access Discovery
Based on emails, we can discover which user uses which application. We only use read-only scopes. We don’t read or download your email. Instead, we query specifically for vendor emails.
For more security-related information, check our Security page.
Integration Account Setup
The integration account is automatically created in your Google Workspace. To proceed, the following prerequisites must be met:
- Gmail must be assigned and active (the invitation email needs to be received)
- 2-Step Verification needs to be enabled in Google Workspace
- The user must be able to set up 2-Step Verification without admin intervention