Google Workspace

 

The Google Workspace Integration in Timus Manager enables seamless synchronization of your Google Workspace users and groups into your cloud environment. This allows centralized identity management, automated provisioning, and precise access control—ideal for organizations using Google Workspace as their primary identity provider.

What This Integration Enables

  • Synchronize users and groups from Google Workspace into Timus
  • Automatically assign synced users to the Google Workspace Users team
  • Control access to specific Cloud Gateways (Sites) by group
  • Optionally enable Remote Access for VPN-style connectivity
  • Maintain continuous synchronization using a secure service account

After initial configuration, the Preferences tab in Timus Manager is unlocked for managing group mappings and access rules.

 

Prerequisites

Before getting started, ensure you have:

  • Administrator access to the Google Cloud Console and Google Workspace Admin Console
  • A Client ID, Client Secret, and Customer ID
  • A Service Account JSON key file (max 10KB)
  • Assigned the required admin roles:
    • Groups Reader
    • User Management Admin

Create a Google Cloud Project & Credentials

To establish the integration, follow the steps below to configure your Google Cloud project and generate the required credentials.

 

Create a Google Cloud Project

  1. Access the Google Cloud Console
    Navigate to Google Cloud Console

     
  2. Select the Appropriate Organization
    In the “Select Organization” dropdown, choose your organization.

⚠️ Important: Ensure the correct organization is selected to avoid errors during resource synchronization or when IAM policies are applied.


 

If your organization does not appear:

  1. Open the Hamburger menu (☰) → IAM & Admin → Identity & Organization.
  2. Locate and select your organization from the list.

  3. Click Create Project
  4. Enter the following:
    • Project Name
    • Select the Organization
    • Set Location (parent org or folder)
  5. Click Create


 

Enable Admin SDK API

  1. Navigate to APIs & Services → Library in the Google Cloud Console
  2. Search for Admin SDK API
  3. Select Admin SDK API from the results
  4. Click Enable

Create OAuth 2.0 Credentials (Client ID & Client Secret)

  1. Go to APIs & Services → Credentials
  2. Click Create Credentials → OAuth Client ID

If prompted, configure the OAuth Consent Screen:

  • Add an App Name and Support Email
  • (Optional) Upload a logo
  • Provide Developer Contact Information
  3. Under Application Type, select Web Application
  4. For Authorized Redirect URIs, enter: https://auth.timuscloud.com/user/external
  5. Select Admin SDK API as the target API
  6. Choose User Data as the data scope
  7. After credentials are generated:
    • Copy and securely store the Client ID and Client Secret

Create a Service Account & Generate JSON Key

  1. Go to IAM & Admin → Service Accounts
  2. Click Create Service Account

  3. Fill in the requested fields.
  4. Click Create and Continue
  5. Under Grant access, assign the role:
    • Basic → Viewer
  6. Click Done
  7. Open the created service account and go to the Keys tab
  8. Click Add Key → Create New Key
  9. Choose JSON as the key type
  10. Click Create; a .json key file will be downloaded automatically

Store this file securely. You will upload it into Timus Manager later.
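
A pre-upload check for the downloaded key file, added here as an example and not part of the Timus documentation: it verifies the 10KB limit from the prerequisites, that the file is a service account key rather than the OAuth client JSON created in the previous section, and that only its owner can read it. The field names follow Google's service account key format; the sample key, the helper names and the reading of 10KB as 10 × 1024 bytes are assumptions.

```python
import json
import os
import stat
import tempfile

MAX_KEY_BYTES = 10 * 1024  # "max 10KB" from the prerequisites; 1 KB = 1024 bytes is assumed
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
# Constructed sample with placeholder values, not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "timus-sync@example-project.iam.gserviceaccount.com",
}

def check_key_file(path):
    """Return a list of problems; an empty list means the file passed every check."""
    problems = []
    info = os.stat(path)
    if info.st_size > MAX_KEY_BYTES:
        problems.append(f"size {info.st_size} bytes exceeds {MAX_KEY_BYTES}")
    if os.name == "posix" and info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible to group/other; restrict to owner (chmod 600)")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        return problems + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict) or "web" in key or "installed" in key:
        return problems + ["not a service account key object (OAuth client file?)"]
    problems += [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    if key.get("type") not in (None, "service_account"):
        problems.append(f"unexpected type: {key['type']!r}")
    email = str(key.get("client_email") or "")
    if email and not email.endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    return problems

def write_sample(path, key, mode=0o600):
    """Write a constructed key dict to path with the given permissions."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_key_file(write_sample(os.path.join(tmp, "key.json"), SAMPLE_KEY)) or "ok")
```
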

⚠️ If “Service Account Key Creation” Fails

If you see an error such as “Service account key creation has been disabled by organization policy”, follow these steps to resolve it.


Step 1: Switch to Organization-Level View
  1. In Google Cloud Console, go to IAM & Admin → Organization Policies.
  2. At the top of the page, change the scope from your project to the Organization.


Step 2: Locate Disabled Service Account Policies

Search for the following two policies in the filter bar:

  • constraints/iam.disableServiceAccountKeyCreation
  • constraints/iam.disableServiceAccountKeyCreationForLegacy


Step 3: Edit and Disable Enforcement
  1. Click the ⋮ (ellipsis) icon next to each policy and choose Edit Policy.
  2. Check Override Parent Policy.
  3. Set Enforcement to Off.
  4. Click Save.


Both of these policies must be inactive (Not enforced) before attempting to create the JSON key.

Step 4: Retry JSON Key Creation
  1. Return to IAM & Admin → Service Accounts → Keys.
  2. Click Add Key → Create New Key → JSON.
  3. The JSON key should now generate successfully.


These policies are typically enforced by default. Temporarily disabling them allows integration setup. You may re-enable them later according to your organization’s security policy.

Assign Admin Roles in Google Admin Console

  1. Go to Google Admin Console
  2. Navigate to Account → Admin Roles
    • Assign “Groups Reader” Role
  3. Select Groups Reader → click Assign Admin
  4. Paste the Service Account email address
  5. Click Add → then Assign Role
    • Assign “User Management Admin” Role
  6. Repeat the above steps for the User Management Admin role

These roles are required to read group and user data but do not allow modification of any Google Workspace content.

Find Your Google Workspace Customer ID

  1. In the Google Admin Console, go to Account → Account Settings
  2. Locate your Customer ID
  3. Copy this value for use in the Timus integration screen

Configure the Integration in Timus Manager

  1. Go to Settings → Integrations
  2. Click ⚙️ → Manage on the Google Workspace card
  3. In the Configuration tab:
    • Paste your Client ID, Client Secret, and Customer ID
    • Upload your Service Account JSON file
  4. Click Save to activate the integration

The Preferences tab will be enabled only after a successful configuration.

Enable Synchronization

  1. Open the Preferences tab
  2. Toggle Synchronization Status to ON
  3. Confirm the Last Sync timestamp to verify that data is syncing correctly

🔄 Synchronization will continue periodically while the agent remains active and authorized.

Map Groups & Configure Access

In the Mapping section:

  1. Select Google Workspace groups from the list
  2. Under Allowed Sites, define which site they can access
  3. Optionally, enable Remote Access for VPN-style connectivity

Site permissions apply immediately and can be adjusted later under Users or via Bulk Actions.

Post-Sync Behavior

  • Synced users appear under Users & Teams → Users
  • By default, users are added to the Google Workspace Users team
  • Google Workspace group memberships are re-evaluated during each sync
  • Manual team assignments remain unless overridden by future sync mappings

Disable the Integration

To deactivate:

  1. Navigate to Settings → Integrations.
  2. Click the ⚙️ → Disable on the Google Workspace card.

Disabling the integration will:

  • Stop all future synchronization events
  • Preserve existing users and teams
  • Unlink group mappings
  • Allow you to re-enable the connection later if needed

 

🔐 Security & Data Handling

  • All communication uses OAuth 2.0 with securely stored encrypted tokens
  • The Service Account JSON key is stored encrypted and never exposed
  • Timus uses read-only access to Google data; no user or group is modified
  • Timus does not write back or make changes to your Google Workspace directory
  • Permissions and access policies within Timus are managed internally and do not propagate to Google
  • JSON key or OAuth credentials can be revoked at any time from the Google Cloud Console


 
