Capabilities
Structure Sync
AccessOwl periodically syncs the roles/permissions schema of an application.
User Sync
AccessOwl periodically syncs a list of users along with their assigned roles/permissions.
Provisioning
AccessOwl creates or removes user accounts with the specified roles/permissions during access requests or revocations.
Directory Sync
AccessOwl syncs (creates, removes, or deactivates) users from directories like Slack, Microsoft365, Okta, or Google into the AccessOwl users database.
Required Google Workspace OAuth Permissions
AccessOwl integrates with your Google Workspace organization to automate user provisioning, de-provisioning and Shadow IT detection. To do so, AccessOwl requires customers to confirm the following OAuth permissions. They are used to provision and de-provision users in Google Workspace, read manager information (if available) and assign users the correct set of permissions and groups:
View delegated admin roles for your domain
View delegated admin roles that are currently defined for your domain.
View customer related information
View domains related information
View and manage Google Workspace licenses
View and manage Google Workspace/G Suite licenses.
View organization units on your domain
View metadata (e.g., name and description) of organization units.
View and manage the provisioning of groups on your domain
- Provision and delete groups on your domain.
- View and modify details (e.g., members) and metadata (e.g., login details) of groups on your domain.
View and manage the provisioning of users on your domain
- Provision and delete users on your domain.
- View and modify details (e.g., name, address, and phone number) and metadata (e.g., login details) of users on your domain.
View and manage user aliases on your domain
View, modify, and delete aliases (alternative emails) for users on your domain.
Manage delegated admin roles for your domain
View and manage delegated admin roles for your domain.
Manage data access permissions for users on your domain
View and revoke OAuth grants for users.
View audit reports for your G Suite domain
View audit reports of admin and user activity in your G Suite domain (e.g. OAuth grants/revokes, SAML logins).
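A way to review the grant against the list above, as an added example that is not AccessOwl's code: it compares the scopes an admin actually sees on the authorized app with the documented set and flags anything extra, missing or write-capable. The scope names are an assumption (Google's published scope names matched to the consent descriptions; the page gives only the descriptions), and the sample grant is constructed.

```python
BASE = "https://www.googleapis.com/auth/"

# Assumption: Google's published scope names matched to the consent
# descriptions listed above; the page itself gives only the descriptions.
DOCUMENTED = {
    "admin.directory.rolemanagement.readonly": "View delegated admin roles",
    "admin.directory.customer.readonly": "View customer related information",
    "admin.directory.domain.readonly": "View domains related information",
    "apps.licensing": "View and manage Google Workspace licenses",
    "admin.directory.orgunit.readonly": "View organization units",
    "admin.directory.group": "View and manage provisioning of groups",
    "admin.directory.user": "View and manage provisioning of users",
    "admin.directory.user.alias": "View and manage user aliases",
    "admin.directory.rolemanagement": "Manage delegated admin roles",
    "admin.directory.user.security": "Manage data access permissions",
    "admin.reports.audit.readonly": "View audit reports",
}


def normalize(granted):
    """Accept a space-delimited OAuth scope string or an iterable of scopes."""
    items = granted.split() if isinstance(granted, str) else granted
    return {s.strip().removeprefix(BASE) for s in items if s.strip()}


def review_grant(granted):
    """Diff a granted scope set against the documented permission list."""
    names = normalize(granted)
    return {
        "unexpected": sorted(names - set(DOCUMENTED)),
        "not_granted": sorted(set(DOCUMENTED) - names),
        "write_capable": sorted(n for n in names if not n.endswith(".readonly")),
    }


# Constructed sample: a grant that lacks most documented scopes and carries
# one scope ("drive") that is not on the documented list.
SAMPLE = " ".join(BASE + s for s in (
    "admin.directory.user", "admin.directory.group",
    "admin.directory.orgunit.readonly", "drive",
))

if __name__ == "__main__":
    for finding, scopes in review_grant(SAMPLE).items():
        print(f"{finding}: {scopes}")
```

Anything reported under "unexpected" is worth questioning before consent is confirmed; "write_capable" shows which grants allow changes rather than reads.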
User & Group Management
Put a user in the right organizational unit (OU) by using the object “Assigned Organizational Unit” during onboarding. You can give a user more roles in other OUs by selecting other objects. Groups can also be assigned, including the user's role of Member, Manager or Owner.
When a personal email address is available for the onboarding user, the initial password is sent to them via email.
Application Discovery (Shadow IT Detection)
We analyze usage data in Google Workspace to determine which applications are used in your organization. The permissions are granted by a Google Workspace admin during AccessOwl setup. When new applications are used in your organization, Org Admins are notified. You can either approve or ignore these discovered applications before they become available for user requests.
User Access Discovery
Based on emails, we can discover which user uses which application. We only use read-only scopes. We don’t read or download your email. Instead, we query specifically for vendor emails. For more security-related information, check our Security page.
Integration Account Setup
The integration account is automatically created in your Google Workspace. To proceed, the following prerequisites must be met:
- Gmail must be assigned and active, because the invitation email needs to be received
- 2-Step Verification needs to be enabled in Google Workspace
- The user must be able to set up 2-Step Verification without admin intervention
Troubleshooting
2-Step Verification is not enabled
Follow this guide to ensure that 2-Step Verification is enabled in your organization. Also, check that it’s active for the OU of the integration account.
Gmail is not assigned to the user
Find out which apps are turned on for the OU of the integration account and ensure that Gmail is turned on.
Google Workspace license missing during User Onboarding
If you run out of Google Workspace licenses, AccessOwl notifies your GWS admins and re-assigns the provisioning to them. Once a license is purchased and the user account is created in GWS, AccessOwl automatically detects it and resumes the onboarding flow—no need to cancel or re-run the entire request.