Salto

Learn how to manage your Google Workspace configuration with Salto

Salto's Google Workspace adapter allows you to:

Fetch and deploy common Google Workspace configuration data, such as groups configuration &amp; Roles

Document configuration changes such as template modifications

Monitor specific changes of interest, e.g., changes in Role and Groups permission

Back Up &amp; Restore Google Workspace configuration ​

- Fetch and deploy common Google Workspace configuration data, such as groups configuration &amp; Roles
- Compare Google Workspace environments
- Document configuration changes such as template modifications
- Monitor specific changes of interest, e.g., changes in Role and Groups permission
- Back Up &amp; Restore Google Workspace configuration ​

- Include groups members and group labels

- Includes Buildings, Rooms and Features ​

- Roles
 - Include permissions
- Groups
 - Include groups members and group labels
- Role assignments
- Domains
- Templates
- OrgUnits
- Schemas (User custom fields)
- Resources
 - Includes Buildings, Rooms and Features ​

Connect your Google Workspace account

To connect Google Workspace to Salto, you must utilize OAuth for authentication. Here’s a step-by-step guide to help you through the process:

First you need to enable the necessary APIs, create <a href="https://developers.google.com/identity/protocols/oauth2/web-server#creatingcred" rel="nofollow noopener noreferrer" target="_blank">authorization credentials</a> and adjust your reauthentication policy. Ensure the OAuth consent screen you're creating is set to Internal. Otherwise, you'll have to re-login every week.

Go to API &amp; Services in your cloud console (<a href="https://console.cloud.google.com/apis" rel="nofollow noopener noreferrer" target="_blank">click here</a>).

Under Enable API &amp; services, enable the following APIs:

- Admin SDK API
- Groups Settings API
- Cloud Identity API

1. Go to API &amp; Services in your cloud console (<a href="https://console.cloud.google.com/apis" rel="nofollow noopener noreferrer" target="_blank">click here</a>).
2. Under Enable API &amp; services, enable the following APIs:
 - Admin SDK API
 - Groups Settings API
 - Cloud Identity API

Navigate to the <a href="https://console.developers.google.com/apis/credentials" rel="nofollow noopener noreferrer" target="_blank">Credentials page</a>.

Click Create credentials -&gt; OAuth client ID.

Select the Web application application type.

Complete the form and click Create.

Set your redirect URI to <a href="https://app.salto.io/google-workspace-oauth2-redirect" rel="nofollow noopener noreferrer" target="_blank">https://app.salto.io/google-workspace-oauth2-redirect</a> .

1. Navigate to the <a href="https://console.developers.google.com/apis/credentials" rel="nofollow noopener noreferrer" target="_blank">Credentials page</a>.
2. Click Create credentials -&gt; OAuth client ID.
3. Select the Web application application type.
4. Complete the form and click Create.
5. Set your redirect URI to <a href="https://app.salto.io/google-workspace-oauth2-redirect" rel="nofollow noopener noreferrer" target="_blank">https://app.salto.io/google-workspace-oauth2-redirect</a> .
6. Copy the Client ID and Client Secret.

Adjust your reauthentication policy

Go to your <a href="https://admin.google.com/ac/security/reauth/admin-tools" rel="nofollow noopener noreferrer" target="_blank">security settings</a>.

Now you have 2 options, the first one is more permissive:

1. Check the 'Never require authentication' checkbox and click OVERRIDE.
2. Set your account to never require authentication for a specific app only:
 1. Under Require reauthentication section, check the Exempt Trusted apps checkbox and click OVERRIDE.
 2. Go to the <a href="https://admin.google.com/ac/owl/list?tab=configuredApps" rel="nofollow noopener noreferrer" target="_blank">Apps Access Control</a> page.
 3. Click Add app -&gt; OAuth App Name Or Client ID.
 4. Paste the client ID of the OAuth app you copied in the the in the previous section and click search.
 5. Select the app and check the relevant OAuth Client ID checkbox.
 6. Continue with the default scope.
 7. Under Access to Google Data check the Trusted checkbox and continue.
 8. View your configuration and click Finish.

1. Go to your <a href="https://admin.google.com/ac/security/reauth/admin-tools" rel="nofollow noopener noreferrer" target="_blank">security settings</a>.
2. Now you have 2 options, the first one is more permissive:
 1. Check the 'Never require authentication' checkbox and click OVERRIDE.
 2. Set your account to never require authentication for a specific app only:
 1. Under Require reauthentication section, check the Exempt Trusted apps checkbox and click OVERRIDE.
 2. Go to the <a href="https://admin.google.com/ac/owl/list?tab=configuredApps" rel="nofollow noopener noreferrer" target="_blank">Apps Access Control</a> page.
 3. Click Add app -&gt; OAuth App Name Or Client ID.
 4. Paste the client ID of the OAuth app you copied in the the in the previous section and click search.
 5. Select the app and check the relevant OAuth Client ID checkbox.
 6. Continue with the default scope.
 7. Under Access to Google Data check the Trusted checkbox and continue.
 8. View your configuration and click Finish.

Now, you can connect your Google Workspace account within Salto:

To access the application connection screen, navigate to the environment's settings tab and select the 'Application Connections' section.

In the 'Application Connections' screen, click on 'Connect an application' and choose Google Workspace.

Provide the Client ID and Client Secret you obtained earlier.

1. To access the application connection screen, navigate to the environment's settings tab and select the 'Application Connections' section.
2. In the 'Application Connections' screen, click on 'Connect an application' and choose Google Workspace.
3. Provide the Client ID and Client Secret you obtained earlier.
4. Proceed to the consent screens.