Last updated: 2022-07-28

Source: https://support.freshservice.com/support/solutions/articles/50000003307-installation-guide-for-gsuite-app-orchestration-saas-

Overview

Perform operations on G Suite users, groups, and roles and track all OAuth apps in Freshservice.

Description

The GSuite application lets you automate repeatable actions within Freshservice and also helps you track accurate usage information for SaaS Management. The list of actions supported for this app includes:

User Management

1. Get User

2. Create User

3. Update User

4. Delete User

5. Undelete User

6. Make User Super Admin

7. Reset Password

8. Get Schema

Role Management

1. Assign a Role To User

2. Get Role Assignment

3. Delete Role Assignment

Group Management

01. Get Group Details

02. Create Group

03. Update Group

04. Delete Group

05. Get Group Member

06. Assign Member to Group

07. Update group member

08. Delete group member

09. Check Group Member

10. Assign Member to Multiple Groups

11. Remove Member From All Groups

12. Update Group Settings

ASP Management

1. Delete All App-Specific Password

Mobile Device Management

1. Delete Mobile Devices Of A User

Calendar Access Control Management

1. Create Access Control Rule

2. Delete Access Control Rule

3. Delete All Future Calendar Events

Drive Permission Management

1. Transfer Ownership Of All Files

Mail Management

1. Create Delegate

2. Delete Delegate

3. Enable Auto Reply

4. Update Mail Auto Forwarding

5. Create Forwarding Address

Data Transfer

1. Transfer user data

Device Management

1. Wipe User Device

Orchestration

Orchestration apps give you the ability to automate several repeatable actions that span across a diverse set of systems by performing specific actions with Freshservice Workflows. With the GSuite app you can perform actions for:

  • User Management
  • Group Management
  • Role Management
  • SaaS Management

    Freshservice’s direct integrations for SaaS management enable accurate and reliable user and usage data discovery. Integrate with GSuite to gain visibility into:

  • The plan, consumption, and usage data of GSuite products.
  • The apps that employees authenticate to using GSuite, so that you can discover and track them.
  • This integration requires the SaaS Management Add-on. More details can be found here.

    To use this integration for SaaS Management,

  • Enable the SaaS Discovery toggle and provide the Freshservice Domain Name & the Agent API Key.
  • Note: To know more about what SaaS Discovery is, click here.

  • Click Verify.
  • Once the verification is successful, click Add and complete the installation by clicking Install.
  • Note: The first sync might take a couple of hours depending on your data load.

    Prerequisites

    To install and authenticate the app you need to provide the following input:

    1. Config Name

    2. Private Key

    3. Private Key Id

    4. Client Email

    5. Email (The Gsuite account email address)

    Step 1: Create a Service Account

    Set up a Service Account project in the Google API Console.

    1. Create a new project (or select an existing one)

    2. Click on Create service account.

    3. Under Service account details, type a name, ID, and description for the service account, then click Create.

    4. Under Service account permissions, select the 'Project Owner' IAM role to grant to the service account, then click Continue.

    5. Optional: Under Grant users access to this service account, add the users or groups that are allowed to use and manage the service account.

    6. After the service account is created, open the service account, click on "Edit" then click "Add Key" under "Keys", then click "Create New Key".

    7. Make sure the key type is set to JSON and click Create.

    8. Click Close > Save.

    9. Save the downloaded JSON key.

    Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of the private key. You are responsible for storing it securely. If you lose this key pair, you will need to generate a new one.

    Note: The Client Email, Private Key, and Private Key Id used as app installation inputs come from the downloaded service account JSON file. Copy these values from that file into the corresponding app inputs.

    10. Open the service account you created, click "Show Domain-Wide Delegation", tick "Enable G Suite Domain-wide Delegation", and then click Save.

    Step 2: Enable Admin SDK API

    1. Open your project in the API Console. Click on ENABLE APIS AND SERVICES

    2. In the list of APIs, search and click Admin SDK API.

    3. Click on ENABLE to enable Admin SDK API

    Note: Repeat the above instructions to enable Google Drive API, Google Calendar API, Group Settings API, Cloud Identity API, and Gmail API.

    Step 3: Assign OAUTH Scopes for Admin SDK API

    1. Go to the Admin console. From the Admin console, go to Home > Security > API controls.

    2. Under Domain-wide delegation, click Manage Domain Wide Delegation.

    3. On the Manage domain-wide delegation page, click Add new.

    4. Enter the client ID of the service account or OAuth2 client ID of the app.

    5. Under the OAuth Scope, add each scope that the application can access.

    6. Click Authorize

    *If you want to enable SaaS management for this app, the following OAuth scopes should be included:*

    1. https://www.googleapis.com/auth/admin.reports.audit.readonly

    2. https://www.googleapis.com/auth/admin.reports.usage.readonly

    3. https://www.googleapis.com/auth/admin.directory.user.security

    4. https://www.googleapis.com/auth/admin.directory.user.readonly

    5. https://www.googleapis.com/auth/admin.directory.user

    If you want to enable _only_ Orchestration capabilities for this app, the following OAuth scopes should be included:

    1. https://www.googleapis.com/auth/admin.directory.group

    2. https://www.googleapis.com/auth/admin.directory.group.member

    3. https://www.googleapis.com/auth/admin.directory.group.readonly

    4. https://www.googleapis.com/auth/admin.directory.user

    5. https://www.googleapis.com/auth/admin.directory.user.readonly

    6. https://www.googleapis.com/auth/admin.directory.user.security

    7. https://www.googleapis.com/auth/admin.directory.group.member.readonly

    8. https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

    9. https://www.googleapis.com/auth/admin.directory.rolemanagement

    10. https://www.googleapis.com/auth/apps.groups.settings

    11. https://www.googleapis.com/auth/admin.directory.device.mobile

    12. https://www.googleapis.com/auth/calendar

    13. https://www.googleapis.com/auth/drive

    14. https://www.googleapis.com/auth/drive.file

    15. https://www.googleapis.com/auth/gmail.settings.sharing

    16. https://www.googleapis.com/auth/gmail.settings.basic

    17. https://www.googleapis.com/auth/cloud-identity.devices

    18. https://www.googleapis.com/auth/admin.datatransfer
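A check of a domain-wide delegation grant against the two scope lists above, as an added example that is not part of the original guide or of the Freshservice app. It assumes you have copied the scopes authorized for the client ID as a comma- or whitespace-separated string; `audit_delegation` and `SAMPLE_GRANT` are hypothetical names.

```python
import re

PREFIX = "https://www.googleapis.com/auth/"


def _scopes(names):
    """Expand short scope names into full scope URLs."""
    return {PREFIX + name for name in names.split()}


# The two scope lists given in this guide.
SAAS_SCOPES = _scopes("""
    admin.reports.audit.readonly admin.reports.usage.readonly
    admin.directory.user.security admin.directory.user.readonly
    admin.directory.user
""")
ORCHESTRATION_SCOPES = _scopes("""
    admin.directory.group admin.directory.group.member
    admin.directory.group.readonly admin.directory.user
    admin.directory.user.readonly admin.directory.user.security
    admin.directory.group.member.readonly
    admin.directory.rolemanagement.readonly admin.directory.rolemanagement
    apps.groups.settings admin.directory.device.mobile calendar drive
    drive.file gmail.settings.sharing gmail.settings.basic
    cloud-identity.devices admin.datatransfer
""")


def audit_delegation(granted_field, expected):
    """Compare the scopes granted to a client ID with an expected set."""
    entries = [s for s in re.split(r"[,\s]+", granted_field.strip()) if s]
    granted = set(entries)
    return {
        "missing": sorted(expected - granted),        # feature will not work
        "unexpected": sorted(granted - expected),     # more access than listed
        "duplicates": sorted({s for s in entries if entries.count(s) > 1}),
    }


# Constructed input: a SaaS-only grant that lost one scope and gained Drive.
SAMPLE_GRANT = ",\n".join(PREFIX + name for name in (
    "admin.reports.usage.readonly", "admin.directory.user.security",
    "admin.directory.user.readonly", "admin.directory.user",
    "admin.directory.user", "drive",
))

if __name__ == "__main__":
    for kind, scopes in audit_delegation(SAMPLE_GRANT, SAAS_SCOPES).items():
        print(kind, scopes)
```
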

    Step 4: Enter the details as follows in the GSuite Integration Page:

    1. Private Key, Private Key ID, and Client email information can be fetched from the previously downloaded file. _Ensure that the complete key is copied onto the Freshservice console including:_ _"-----BEGIN PRIVATE KEY-----", "\n-----END PRIVATE KEY-----\n" and all line breaks "\n"._

    2. Domain information is the name of the domain for which you would like to enable SaaS discovery. _Ensure that you add the domain without "www"._

    3. Email is the admin email address of the service account.

    4. Label is a reference ID for the integration. (Ex: G suite discovery)
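One way to pull the three app inputs out of the downloaded JSON key and confirm the private key was copied whole, markers and line breaks included (an added example, not part of the original guide or the Freshservice app). The function names and the sample key file are constructed for illustration, and the sample key body is not a real key.

```python
import base64
import json

REQUIRED = ("client_email", "private_key", "private_key_id")
BEGIN = "-----BEGIN PRIVATE KEY-----"
END = "-----END PRIVATE KEY-----"


def extract_app_inputs(key_json):
    """Return the three app inputs from a service account JSON key file."""
    data = json.loads(key_json)
    missing = [field for field in REQUIRED if not data.get(field)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    return {field: data[field] for field in REQUIRED}


def check_pasted_key(pasted):
    """Return a list of problems with a private key value as it was pasted."""
    # Assumption: the value may hold real line breaks or the two-character
    # sequence backslash-n, depending on how it was copied out of the JSON.
    text = pasted.replace("\\n", "\n")
    problems = []
    if not text.startswith(BEGIN + "\n"):
        problems.append("BEGIN marker or the line break after it is missing")
    if not text.endswith("\n" + END + "\n"):
        problems.append("END marker or a line break around it is missing")
    body = "".join(text.replace(BEGIN, "").replace(END, "").split())
    try:
        base64.b64decode(body, validate=True)
    except ValueError:
        problems.append("key body is not valid base64 (truncated or altered)")
    return problems


# Constructed sample: the "key" body is base64 of bytes 0..95, not a real key.
_body = base64.b64encode(bytes(range(96))).decode()
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": f"{BEGIN}\n{_body[:64]}\n{_body[64:]}\n{END}\n",
    "client_email": "freshservice-sa@example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    inputs = extract_app_inputs(SAMPLE_KEY_JSON)
    print(inputs["client_email"], inputs["private_key_id"])
    print(check_pasted_key(inputs["private_key"]) or "key looks complete")
```

The script never prints the private key itself, so its output is safe to share when troubleshooting a failed verification.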

    *Use cases*

    Now that you've successfully installed the GSuite orchestration app, please have a look at the sample use case below to show how the app can be used efficiently.

  • Sample Use Case for Gsuite Orchestration App- Employee Onboarding