Google Workspace - Role Assignments Actions
  • 19 Sep 2024

Google Workspace - Role Assignments Actions adds or deletes role assignments in Google Workspace.

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

Note:

General Settings

  • Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
  • Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

  • Use Adapter Credentials - Select this option to use the first connected GSuite adapter credentials.
Note:

To use this option, you must successfully configure a Google Workspace adapter connection.

Required Fields

These fields must be configured to run the Enforcement Set.

  • Role Assignment Action - Select whether to Create or Delete the role assignment.

  • Role ID - The numeric ID of the role you want to assign or remove. To find it, navigate to https://admin.google.com/ac/roles, select the role, and copy the role ID parameter from the URL.

  • Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.

Additional Fields

These fields are optional.

  • ORG Unit ID - If you want to create or delete the role only for users that belong to a specific organizational unit, enter the relevant ORG Unit ID.
    To get the ORG Unit ID for the role:
    1. Navigate to https://admin.google.com/ac/orgunits
    2. Right-click the ORG Unit ID name.
    3. Select Inspect.
    4. Locate the parameter in the "data-row-id" corresponding to the ORG unit.

  • Customer ID - The default value is "my_customer", but you can change it to your real Google customer ID.

  • Gateway Name - Select the Gateway through which to connect to perform the action.

Note:

Connection and Credentials

When Use stored credentials from the adapter is toggled off, some fields are required to create the connection, while other fields are optional.

  • Email of an admin account to impersonate - The email of your Google Workspace admin.
  • Account Profile Name - The name of your Google account profile.
  • JSON Key pair for the service account - Upload the JSON file you created for your service account. For more details, refer to Google Workspace adapter.

APIs

Axonius uses the Google Workspace - Directory API: Role Assignments.

Required Permissions

This action requires permission to add a user to a group.

Also, this action requires that you enter the following scope in your Google account's Domain Wide Delegation for the Client ID used for this connection (inside the JSON file):
'https://www.googleapis.com/auth/admin.directory.rolemanagement'
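
How the Role ID, ORG Unit ID and Customer ID fields map onto Directory API roleAssignments requests, shown as an added example (it is not Axonius code and does not describe how Axonius implements the action). The function names are hypothetical and the role, user and org unit IDs are constructed sample values.

```python
BASE = "https://admin.googleapis.com/admin/directory/v1"

def _scope(org_unit_id):
    # A role restricted to an org unit uses scopeType ORG_UNIT; otherwise CUSTOMER.
    return "ORG_UNIT" if org_unit_id else "CUSTOMER"

def build_create(role_id, user_id, customer="my_customer", org_unit_id=None):
    """Return (method, url, body) for roleAssignments.insert."""
    if not str(role_id).isdigit():
        raise ValueError("Role ID must be numeric")
    body = {"roleId": str(role_id), "assignedTo": user_id,  # assignedTo is the user's unique ID
            "scopeType": _scope(org_unit_id)}
    if org_unit_id:
        body["orgUnitId"] = org_unit_id
    return "POST", f"{BASE}/customer/{customer}/roleassignments", body

def build_delete(listing, role_id, user_id, customer="my_customer", org_unit_id=None):
    """Return (method, url, None) for roleAssignments.delete.

    Delete is keyed by roleAssignmentId, not Role ID, so the assignment is
    first located in a roleAssignments.list response. Anything other than
    exactly one match is refused, so that a customer-wide assignment is never
    removed when an org-unit-scoped one was meant (or the reverse).
    """
    matches = [a for a in listing.get("items", [])
               if a.get("roleId") == str(role_id)
               and a.get("assignedTo") == user_id
               and a.get("scopeType") == _scope(org_unit_id)
               and a.get("orgUnitId") == org_unit_id]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one assignment, found {len(matches)}")
    rid = matches[0]["roleAssignmentId"]
    return "DELETE", f"{BASE}/customer/{customer}/roleassignments/{rid}", None

# Constructed sample of a roleAssignments.list response (not real data).
SAMPLE_LIST = {"items": [
    {"roleAssignmentId": "9001", "roleId": "1234567890",
     "assignedTo": "100200300", "scopeType": "CUSTOMER"},
    {"roleAssignmentId": "9002", "roleId": "1234567890",
     "assignedTo": "100200300", "scopeType": "ORG_UNIT",
     "orgUnitId": "03ph8a2z0000000"},
]}

if __name__ == "__main__":
    print(build_create("1234567890", "100200300", org_unit_id="03ph8a2z0000000"))
    print(build_delete(SAMPLE_LIST, "1234567890", "100200300"))
```

Both requests need an access token carrying the rolemanagement scope listed above.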


For more details about other Enforcement Actions available, see Action Library.