Google Workspace (formerly G Suite)
Trelica connects to Google Workspace using OAuth2. OAuth2 is a widely used protocol for authorization: it controls what Trelica is allowed to do with the Google Workspace APIs.
OAuth2 uses "scopes", which let Trelica ask for specific access rights.
When you connect Trelica to Google Workspace, Google Workspace asks you for permission to grant these scopes to Trelica.
In line with the principle of least privilege, Trelica requests the most limited set of scopes it can for the functionality it needs. So, for users, Trelica asks for read-only access, as that is all it needs for basic operations.
IT teams sometimes want to limit the use of Super Admin roles. The alternative approach is to create a custom Google Workspace role.
If you do this, you will need to assign the following privileges:
- Organization Units > Read
- Users > Read
- Groups > Read
- User Security Management
- Schema Management > Schema Read
- License Management > License Read
- Domain Management
Note that when you select Admin API privileges, Google Workspace automatically assigns corresponding Admin Console privileges.
For Provisioning and Deprovisioning you must enable the following:
- Users (all)
- Groups > Create
- Groups > Update
- Data Transfer
There are a number of limitations imposed by Google if you use a non-super-admin role:
- Trelica cannot see apps that other administrator users have connected to with OAuth2 (i.e. 'Sign in with Google').
- No Google Workspace license data will be available in Trelica.
Both limitations are due to the way Google's API works.
In Google Workspace, OAuth2 scopes generally exist in pairs: one for read access and one for read/write access, e.g.
One of these scopes is called auth/admin.directory.user.security.
Trelica uses this scope to get the list of OAuth2 tokens for each user, which lets Trelica see where users have used OpenID Connect (commonly known as "Sign in with Google", or "social login") to sign in to other applications and websites.
Unfortunately, this particular scope has no "read-only" version. It allows "access to all application-specific password, OAuth token, and verification code operations" (https://developers.google.com/admin-sdk/directory/v1/guides/authorizing).
The exception to this rule is when the user account that connects to Trelica holds the super admin role.
License data can only be retrieved if you connect as a Google Workspace super admin user: the License Management > License Read privilege that you can grant to a custom role only works in the Admin console, not via API access, unless you are a super admin.
When you deprovision a Google user through Trelica, we automatically:
1. Sign the user out from Google
2. Revoke any 2FA verification codes
3. Remove the user from the global address list
4. Clear the recovery email and recovery phone fields for the user
5. Reset the user's password to a random string
6. Suspend the user
7. Remove the user from all groups
8. Revoke all OAuth tokens
9. Revoke any application-specific passwords
10. Remove all email aliases
Optionally, you can choose to:
- Assign the user to a different Org Unit
- Transfer files and calendar entries to the person's line manager, or to a nominated Google account
- A transfer folder is created in the new owner’s My Drive with the following contents (if no files change ownership, no transfer folder is created):
  - Transferred folders and files that were in the previous owner’s My Drive.
  - Transferred Computers folders if the previous owner used a Drive sync client (for example, Drive for Desktop).
  - Shortcuts to the previous owner’s files whose parent folders are not shared with the new owner.
  - If a file was in someone else’s My Drive but owned by the previous owner, and that file was in a folder that's shared with the new owner, ownership transfers, but the file remains in the existing folder. The file isn't in the transfer folder and no shortcut is created. Sometimes, a separate empty transfer folder is also created.
Note that even if the previous owner's account no longer exists, you can find a file's ownership history in the file's version history or, for recent ownership changes, in the Drive log event.
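The ten deprovisioning steps above, written in the same order as Google Admin SDK Directory API v1 calls: an added example, not Trelica's own code. It assumes google-api-python-client's resource method names (users.signOut, verificationCodes.invalidate, users.update, groups.list, members.delete, tokens, asps, users.aliases), folds steps 3 to 6 into one users.update, ignores list-call pagination, and ships with a recording stand-in so the sequence can be dry-run offline.

```python
# Added example, not Trelica's code: the deprovisioning steps above as Google Admin
# SDK Directory API v1 calls in the page's order, via google-api-python-client
# (`directory` = build("admin", "directory_v1", credentials=...)). ASSUMPTIONS:
# steps 3-6 fold into one users.update, recovery contacts are cleared by sending
# "", and list-call pagination is omitted.
import secrets

def deprovision_user(directory, user_key):
    """Run the ten steps in order and return an audit trail of what was done."""
    directory.users().signOut(userKey=user_key).execute()                 # 1
    directory.verificationCodes().invalidate(userKey=user_key).execute()  # 2
    directory.users().update(userKey=user_key, body={                     # 3-6
        "includeInGlobalAddressList": False, "recoveryEmail": "", "recoveryPhone": "",
        "password": secrets.token_urlsafe(32), "suspended": True}).execute()
    audit = ["signed_out", "2fa_codes_revoked", "gal_removed", "recovery_cleared",
             "password_reset", "suspended"]
    groups = directory.groups().list(userKey=user_key).execute().get("groups", [])
    for g in groups:                                                      # 7
        directory.members().delete(groupKey=g["id"], memberKey=user_key).execute()
    tokens = directory.tokens().list(userKey=user_key).execute().get("items", [])
    for t in tokens:                                                      # 8
        directory.tokens().delete(userKey=user_key, clientId=t["clientId"]).execute()
    asps = directory.asps().list(userKey=user_key).execute().get("items", [])
    for a in asps:                                                        # 9
        directory.asps().delete(userKey=user_key, codeId=a["codeId"]).execute()
    aliases = directory.users().aliases().list(userKey=user_key).execute().get("aliases", [])
    for al in aliases:                                                    # 10
        directory.users().aliases().delete(userKey=user_key, alias=al["alias"]).execute()
    audit += [f"groups_removed:{len(groups)}", f"oauth_tokens_revoked:{len(tokens)}",
              f"asps_revoked:{len(asps)}", f"aliases_removed:{len(aliases)}"]
    return audit

class RecordingDirectory:
    """Offline stand-in: records (method path, kwargs) and answers list calls from canned data."""
    def __init__(self, responses, log=None, path=""):
        self.responses, self.log, self.path = responses, [] if log is None else log, path
    def __getattr__(self, name):
        return RecordingDirectory(self.responses, self.log, f"{self.path}.{name}".strip("."))
    def __call__(self, **kwargs):
        if kwargs: self.log.append((self.path, kwargs))
        return self
    def execute(self):
        return self.responses.get(self.path, {})

# Constructed sample state for one user: two groups, one OAuth token, one alias.
SAMPLE_RESPONSES = {
    "groups.list": {"groups": [{"id": "g1"}, {"id": "g2"}]},
    "tokens.list": {"items": [{"clientId": "1234.apps.googleusercontent.com"}]},
    "users.aliases.list": {"aliases": [{"alias": "j.doe@example.com"}]}}
```

Calling `deprovision_user(RecordingDirectory(SAMPLE_RESPONSES), "jdoe@example.com")` shows the exact call sequence and bodies before you point the function at a real service.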
This means that your Google Workspace administrator has blocked OAuth apps from requesting consent. Either a Google Workspace super admin connects to Trelica, or an administrator alters the app access settings to allow Trelica to connect.
To do this, go to Security > Access and data control > API controls in the Google Workspace Admin console:
- Ensure that Block all third-party API access is unchecked.
- Click Manage third-party app access.
- Under Configured apps, add a filter for ID.
- Make sure Access is set to Trusted.
The person type is determined by the following logic:
1. If the Google "Type of employee" field is set, it is mapped as follows:
   - Employee, Full-time, or Fulltime => Employee
   - Contractor => Contractor
   - Consultant, Vendor or External => External
   - ServiceAccount, Service Account => Service Account
2. If the Type of employee field is not set, then if any of the following fields have a value, the person is marked as an Employee:
   - Employee ID
   - Manager's email
   - Cost center
By default, Trelica pulls the following employee information from Google Workspace:
- Employee ID
- Job title
- Type of employee
- Manager's email
- Cost center
- Building ID
Trelica also extracts the Google groups that each user is a member of.
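The two person-type rules and the default field list above, applied to a Google Admin SDK Directory API User resource: an added example, not Trelica's code. The mapping from Admin console labels to User resource fields (organizations[].description for Type of employee, externalIds for Employee ID, relations for Manager's email, locations[].buildingId for Building ID) is my assumption, as is the case-insensitive match on the Type of employee value.

```python
# Added example, not Trelica's code: derive the person type and the employee
# fields Trelica pulls from a Google Admin SDK Directory API User resource.
# ASSUMED mapping from Admin console labels to User resource fields:
#   Type of employee = organizations[].description, Job title = .title,
#   Cost center = .costCenter, Employee ID = externalIds[type=organization],
#   Manager's email = relations[type=manager], Building ID = locations[].buildingId
EMPLOYEE_TYPE_MAP = {
    "employee": "Employee", "full-time": "Employee", "fulltime": "Employee",
    "contractor": "Contractor",
    "consultant": "External", "vendor": "External", "external": "External",
    "serviceaccount": "Service Account", "service account": "Service Account"}

def _first(items, key, want):
    return next((i.get("value") for i in items if i.get(key) == want), None)

def extract_employee_fields(user):
    """Return the six fields Trelica pulls by default."""
    orgs = user.get("organizations") or []
    org = next((o for o in orgs if o.get("primary")), orgs[0] if orgs else {})
    return {
        "employee_id": _first(user.get("externalIds", []), "type", "organization"),
        "job_title": org.get("title"),
        "employee_type": org.get("description"),
        "manager_email": _first(user.get("relations", []), "type", "manager"),
        "cost_center": org.get("costCenter"),
        "building_id": next((l["buildingId"] for l in user.get("locations", [])
                             if l.get("buildingId")), None)}

def person_type(user):
    """Rule 1: an explicit Type of employee wins. Rule 2: otherwise Employee if
    an ID, manager email or cost center is set. None: neither rule applies."""
    f = extract_employee_fields(user)
    raw = (f["employee_type"] or "").strip()
    if raw:  # case-insensitive match is an assumption; unknown values give None
        return EMPLOYEE_TYPE_MAP.get(raw.lower())
    if f["employee_id"] or f["manager_email"] or f["cost_center"]:
        return "Employee"
    return None

# Constructed sample User resources, not real directory data.
SAMPLE_USERS = {
    "ana": {"organizations": [{"primary": True, "title": "Engineer",
                               "description": "Full-time", "costCenter": "CC-100"}],
            "externalIds": [{"type": "organization", "value": "E1001"}],
            "relations": [{"type": "manager", "value": "lead@example.com"}],
            "locations": [{"buildingId": "HQ-1"}]},
    "svc": {"organizations": [{"description": "ServiceAccount"}]},
    "pat": {"relations": [{"type": "manager", "value": "lead@example.com"}]},
    "guest": {}}
```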