Google Directory provides detailed records of activities within the Google Workspace Directory, including user account management, group assignments, and changes to directory objects. For more information check the official documentation.

Integration Method: API

Tables: Entity Management (3004), Device Inventory Info (5001), User inventory Info (5003)

This integration supports the following events.

This integration supports the following versions.

Note:

Google Cloud Platform doesn’t follow a traditional versioning system. Instead, it is a continuously updates the cloud service. As of this document preparation, latest release was on March 11, 2025.

Prerequisites

• The user should have access to the Google Cloud Portal with an account that has Administrator privileges.

• The user should have a service account that can be used for Google OAuth2 authentication.

• The user should have access to the DataBee console.

Configuration Overview

1. Generate a service account with the required scopes and its private key.

2. Add the Google Directory in the DataBee console with the below parameters.

   DataBee Parameter	Google Cloud Parameter
   Client Email	Service account email id.
   Admin Email	Domain super admin email id.
   Private Key	Private key

Google Directory Configuration

1. Navigate to Google Cloud, and log into the Google account, on your console click on your organization name in Navigation bar.
    

2. On Select a resource window click on New Project.

   
   

3. On “New Project” window, enter your project name and click on Create.
    

4. Navigate to Google Cloud. Click on the menu button on top left side.
    

5. Navigate to APIs and services > Enabled APIs & services.
    

6. Click on the search bar.
    

7. Search Admin SDK API and then Select Admin SDK API.
    

8. In Admin SDK API, click on the ENABLE button to enable the Admin SDK API.
    

9. Navigate to IAM & Admin > Service account.
    

10. In Service account, select CREATE SERVICE ACCOUNT.
     

11. In Create service account, name your service account and select CREATE AND CONTINUE and then click on DONE.
     

12. In Service accounts, navigate to your new service account name, and select your new service account name.
     

13. In the Service account details page for your new service account, perform the following steps:

    1. Navigate to the KEYS tab and click on ADD KEY.
        

    2. Select Create new key.
        

    3. Select the JSON key type then, click on CREATE.
        

    4. Save the key type as JSON file to your selected directory. Below is the sample private key. Copy and save the credentials from this file.
        

       Note:

       Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. You are responsible for storing it securely.

14. Navigate to admin.google.com navigate to Security > Access and data control > API controls.
     

15. In API Controls, navigate to Domain wide delegation, and select Manage Domain Wide Delegation.
     

16. In Manage Domain Wide Delegation, select Add new to add a new client ID.
     

17. In the Add a new client ID window, perform the following steps:

    1. In the ‘Client ID’ field, paste the Client ID that is present under client_id key of the private key file of the service account.

    2. In the ‘OAuth scopes’ (comma-delimited) field, add the following read-only scopes to fetch users, deleted users, roles, and mobile devices data:

       1. User Read Only

       2. Mobile Read Only

       3. Role Management Read Only

           

    3. Select Authorize.

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the Google Directory and click it as shown below.
    

3. Click on the API Ingest option for collection method.
    

4. Enter feed contact information and click Next.

   

5. In the configuration page, confirm the following:

   • Authorization Method: Google OAuth2

   • Client Email: enter the client_email got from the private key file of the service account created earlier.

   • Admin Email: enter the Email of the super admin user.

   • Private Key: get the private_key got from the private key file of the service account created earlier.

     • Copy the text between -----BEGIN PRIVATE KEY-----\n and \n-----END PRIVATE KEY----- and paste it in Private Key field.
       e.g. if private key is “-----BEGIN PRIVATE KEY-----\n1234567890\n-----END PRIVATE KEY-----” copy 1234567890 only.

   • Event Types: preselected for all the event types that integration pulls.
      

     Note:

     A "super admin" refers to a user with the highest level of access, able to manage all aspects of your organization's Google Workspace and Cloud Identity account, including user accounts, services, and security settings.

6. Click Submit.

Troubleshooting Tips

• Ensure the Client Email, Admin Email and Private Keys are pasted correctly. Since you cannot get the private key file after the 1^st time, re-create the key, download it on the safe location and reconfigure the DataBee feed

• Ensure the Google Directory’s scopes are correct.