- 12 Feb 2024
- 2 Minutes to read
- Print
- DarkLight
- PDF
Google Workspace - Role Assignments Actions
- Updated on 12 Feb 2024
- 2 Minutes to read
- Print
- DarkLight
- PDF
Google Workspace - Role Assignments Actions adds or deletes role assignments in Google Workspace.
See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.
General Settings
- Enforcement Set name (required) - The name of the Enforcement Set. A default value is added by Axonius. You can change the name according to your needs.
- Add description - Click to add a description of the Enforcement Set. It is recommended to describe what the Enforcement Set does.
- Run action on assets matching following query (required) - Select an asset category and a query. The Enforcement Action will be run on the assets that match the query parameters.
- A query only returns results for the asset type it was created for.
- Not all asset categories are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.
- Action name (required) - The name of the Main action. A default value is added by Axonius. You can change the name according to your needs.
- Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.
- Use Adapter Credentials - Select this option to use the first connected GSuite adapter credentials.
To use this option, you must successfully configure a Google Workspace adapter connection.
Required Fields
These fields must be configured to run the Enforcement Set.
Role Assignment Action - Select if you want to Create or Delete the role.
Role ID - The numeric ID of the role you want to assign or remove. You can locate this by navigating to https://admin.google.com/ac/roles, selecting the role, and copying the parameter from this parameter in the URL:
Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.
Additional Fields
These fields are optional.
ORG Unit ID - IF you want to create or delete the role only for users that belong to a specific organizational unit, enter the relevant ORG Unit ID.
To get the Org Unit ID for the role
1. Navigate to https://admin.google.com/ac/orgunits
2. Right-click the ORG Unit ID name.
3. Select Inspect.
4. Locate the parameter in the "data-row-id" corresponding to the ORG unit.
Customer ID - Default option is "my_customer", but you can change the default value to your real Google customer ID.
Gateway Name - Select the gateway through which to connect to perform the action.
If Use stored credentials from the Google Workspace is not enabled, these fields are required.
- Email of an admin account to impersonate - The email of your Google Workspace admin.
- Account Profile Name - Name of your Google account profile
- JSON Key pair for the service account - Upload the JSON file you created for your service account. For more details, refer to Google Workspace adapter.
APIs
Axonius uses the Google Workspace - Directory API: Role Assignments.
Required Permissions
This action requires permission to add a user to a group.
Also, this action requires that you enter the following scope in your Google account's Domain Wide Delegation for the Client ID used for this connection (inside the JSON file):
'https://www.googleapis.com/auth/admin.directory.rolemanagement'
For more details about other Enforcement Actions available, see Action Library.