Overview

Perform operations on G Suite users, groups, and roles and track all OAuth apps in Freshservice. 


Description

The GSuite application lets you automate repeatable actions within Freshservice and also helps you track accurate usage information for SaaS Management.  The list of actions supported for this app include:


User Management

  1. Get User

  2. Create User

  3. Update User

  4. Delete User

  5. Undelete User

  6. Make User Super Admin

  7. Reset Password

  8. Get Schema


Role Management

  1. Assign a Role To User

  2. Get Role Assignment

  3. Delete Role Assignment


           Group Management

  1. Get Group Details

  2. Create Group

  3. Update Group

  4. Delete Group

  5. Get Group Member

  6. Assign Member to Group

  7. Update group member

  8. Delete group member

  9. Check Group Member

  10. Assign Member to Multiple Groups

  11. Remove Member From All Groups

  12. Update Group Settings



ASP Management

  1. Delete All App-Specific Password


             Mobile Device Management

  1. Delete Mobile Devices Of A User

    

             Calendar Access Control Management

  1. Create Access Control Rule

  2. Delete Access Control Rule

  3. Delete All Future Calendar Events


             Drive Permission Management

  1. Transfer Ownership Of All Files


             Mail Management

                      1.  Create Delegate

                      2.  Delete Delegate

                      3. Enable Auto Reply

                      4. Update Mail Auto Forwarding

                      5. Create Forwarding Address 


          Data Transfer

                     1. Transfer user data 


          Device Management

                     1. Wipe User Device 


Orchestration

Orchestration apps give you the ability to automate several repeatable actions that span across a diverse set of systems by performing specific actions with Freshservice Workflows. With the GSuite app you can perform actions for:

  • User Management

  • Group Management

  • Role Management



Saas Management

Freshservice’s direct integrations for SaaS management enable accurate and reliable user and usage data discovery. Integrate with GSuite to gain visibility into:

  • The plan, consumption, and usage data of GSuite products. 

  • Discover and track the apps that employees authenticate using Gsuite.

This integration requires the SaaS Management Add-on. More details can be found here.

To use this integration for SaaS Management, 

  • Enable the SaaS Discovery toggle and provide the Freshservice Domain Name & the Agent API Key.
    Note: To know more about what SaaS Discovery is, click here.
  • Click Verify
  • Once the verification is successful, Click Add and complete the installation by clicking on Install. 
    Note:     The first sync might take a couple of hours depending on your data load.



Prerequisites

To install and authenticate the app you need to provide the following input: 

  1. Config Name 

  2. Private Key

  3. Private Key Id

  4. Client Email

  5. Email (The Gsuite account email address) 


Step 1: Create a Service Account

Set up a Service Account project in the Google API Console.

  1. Create a new project (or select an existing one)


  1. Click on Create service account.

  1. Under Service account details, type a name, ID, and description for the service account, then click Create.

  1. Under Service account permissions, select the IAM roles as 'Project Owner' to grant to the service account, then click Continue.

  1. Optional: Under Grant users access to this service account, add the users or groups that are allowed to use and manage the service account.

  1. After the service account is created, open the service account, click on "Edit" then click "Add Key" under "Keys", then click "Create New Key".

  1. Make sure the key type is set to JSON and click Create.

  1. Click Close > Save.

  1. Save the downloaded JSON key.

Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of the private key. You are responsible for storing it securely. If you lose this key pair, you will need to generate a new one.

Note: The Client EmailPrivate Key and Private Key Id used as app installation inputs are obtained from the Service account JSON file downloaded. So one needs to copy these parameters from the downloaded JSON file and give the app input as shown below.

  1. Then go inside the Service account created and click on "Show Domain-Wide Delegation" and then tick "Enable G Suite Domain-wide Delegation" and then Save. 

Step 2: Enable Admin SDK API

  1. Open your project in the API Console. Click on ENABLE APIS AND SERVICES

  1. In the list of APIs, search and click Admin SDK API.

  1. Click on ENABLE to enable Admin SDK API


      

 Note: Repeat the above instructions  to enable Google Drive API, Google Calendar API, Group Settings API, Cloud Identity API, and Gmail API.


Step 3: Assign OAUTH Scopes for Admin SDK API

  1. Go to Admin console. From the Admin console,  go to Home > Security > API controls.


  1. Under Domain-wide delegation, click Manage Domain Wide Delegation.


  1. On the Manage domain-wide delegation page, click Add new.


  1. Enter the client ID of the service account or OAuth2 client ID of the app.

  2. Under the OAuth Scope, add each scope that the application can access.

  3. Click Authorize




If you want to enable SaaS management for this app, the following OAuth scopes should be included:

1. https://www.googleapis.com/auth/admin.reports.audit.readonly

2. https://www.googleapis.com/auth/admin.reports.usage.readonly

3. https://www.googleapis.com/auth/admin.directory.user.security

4. https://www.googleapis.com/auth/admin.directory.user.readonly

5. https://www.googleapis.com/auth/admin.directory.user


If you want to enable only Orchestration capabilities for this app, the following OAuth scopes should be included

1. https://www.googleapis.com/auth/admin.directory.group

2. https://www.googleapis.com/auth/admin.directory.group.member

3. https://www.googleapis.com/auth/admin.directory.group.readonly

4. https://www.googleapis.com/auth/admin.directory.user

5. https://www.googleapis.com/auth/admin.directory.user.readonly

6. https://www.googleapis.com/auth/admin.directory.user.security

7. https://www.googleapis.com/auth/admin.directory.group.member.readonly

8. https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

9. https://www.googleapis.com/auth/admin.directory.rolemanagement

10. https://www.googleapis.com/auth/apps.groups.settings

11. https://www.googleapis.com/auth/admin.directory.device.mobile

12. https://www.googleapis.com/auth/calendar

13. https://www.googleapis.com/auth/drive

14. https://www.googleapis.com/auth/drive.file

15. https://www.googleapis.com/auth/gmail.settings.sharing

16. https://www.googleapis.com/auth/gmail.settings.basic

17. https://www.googleapis.com/auth/cloud-identity.devices

18. https://www.googleapis.com/auth/admin.datatransfer



Step 4: Enter the details as follows in the GSuite Integration Page:

  1. Private Key, Private Key ID, and Client email information can be fetched from the previously downloaded file. Ensure that the complete key is copied onto the Freshservice console including: "-----BEGIN PRIVATE KEY-----", "\n-----END PRIVATE KEY-----\n" and all line breaks "\n".
  2. Domain information is the name of the domain for which you would like to enable SaaS discovery. Ensure that you add the domain without "www".
  3. Email is the admin email address of the service account. 
  4. Label is a reference ID for the integration. (Ex: G suite discovery)

Usecases

Now that you've successfully installed the GSuite orchestration app, please have a look at the sample use case below to show how the app can be used efficiently.