How to Provision Complex and Multi-valued Attributes on Google Workspace

Hi Community,

I’m working with the Google Workspace connector in Identity Security Cloud and have a couple of questions regarding how to correctly format attributes during provisioning, specifically for the “Create Account” operation.

Complex Attributes (e.g., Emails):
Google Workspace expects email attributes in a complex format, like {"address":"[email protected]","type":"other"}. In my provisioning policy, I can easily generate the required email address (e.g., [email protected]) from identity attributes.
My questions are:

  1. Do I need to create a Transform (e.g. a Concat type) to manually build the entire JSON string {"address":"...","type":"..."} and insert my email in the address attribute of the JSON?
  2. Or, is the connector smart enough that I can simply map the email address string directly to the emails.address (or similar) attribute, and the connector handles constructing the necessary JSON object for the Create Account?

Multi-valued Attributes:
Similarly, for multi-valued attributes (e.g., phone numbers, custom schema fields) that need to be sent during account creation:

  1. How should these be handled? Do I need to use a Transform to format the list of values into a specific JSON array string (e.g., ["value1", "value2", "value3"]) before mapping it to the target attribute?
  2. Or, can I directly map a multi-valued attribute from SailPoint (like Entitlement values or a multi-valued Identity Attribute), and the connector will correctly format it as an array for the Google Workspace API?

Any insights, examples, or best practices would be greatly appreciated!

@Markharoll -

Great questions — and this comes up frequently when working with the Google Workspace connector in SailPoint IdentityNow (Identity Security Cloud) due to the way Google APIs expect structured (often nested/complex) JSON formats. Let’s break down your questions clearly:


1. Complex Attributes (e.g., emails)

Question:

Do I need to create a Transform to build {"address":"...","type":"..."} or can I just send [email protected] and let the connector handle the JSON structure?

Answer:
Yes — you need to construct the entire JSON object structure yourself, usually via a Transform (e.g., Script, Concat, or Custom). The connector does not automatically wrap a plain string into the necessary JSON object for Google APIs.

Best Practice:

If you want to keep it static and simple, use a static Transform (if type is always work):

{
    "name": "Email-Community",
    "type": "static",
    "attributes": {
        "value": "{\"address\":\"$email\",\"type\":\"work\"}",
        "email": {
            "type": "identityAttribute",
            "attributes": {
                "name": "email"
            }
        }
    }
}

Then map this to the emails attribute in the provisioning policy.


2. Multi-valued Attributes (e.g., phones, keywords, etc.)

Question:

Do I need to transform a list into a JSON array like ["value1", "value2"] or does SailPoint do it?

Answer:
Yes — again, you must format the array structure yourself. ISC does not auto-convert a list of values into the Google Workspace required array-of-objects format.

This is especially true for:

  • phones
  • keywords
  • customSchemas
  • organizations

Best Practice:

If it’s a multi-valued list of complex objects, you can use a static Transform or another relevant transform to build the array properly. Then map the output of this transform directly to keywords, phones, etc. in the provisioning policy.


Summary (Cheat Sheet)

| Attribute Type | Requires JSON Structure? | Auto-Handled by ISC? | Recommended Approach |
| --- | --- | --- | --- |
| emails (complex) | Yes | No | Use Transform |
| phones, organizations | Yes | No | Script Transform |
| keywords (array) | Yes | No | Use Transform (return array) |
| simple string attrs | No | Yes | Direct map or use Concat |

Pro Tip:

If you’re ever unsure what Google expects, test it first with the Google API Explorer or Postman — see what structure it accepts, then replicate that format using Transforms in ISC.

Cheers!!!

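An added example, not part of the posts above and not SailPoint or Google code: a Python pre-deployment check that renders a static-transform value template with a sample attribute and confirms the result parses as the JSON object the target expects, plus a serializer for the array-of-objects case. The `$email` substitution through `string.Template` is only a stand-in for the transform engine, the `value`/`type` keys for phones are taken from the Google Directory API user resource, and every template and sample value is constructed.

```python
import json
from string import Template

# Static-transform "value" strings as they look once the transform definition
# has been JSON-decoded. BROKEN lacks the comma between members (constructed).
BROKEN = '{"address":"$email""type":"work"}'
FIXED = '{"address":"$email","type":"work"}'


def render(template: str, **attrs: str) -> str:
    """Approximate $variable substitution (stand-in, not the ISC engine)."""
    return Template(template).substitute(**attrs)


def check_object(rendered: str, required: tuple) -> list:
    """Return a list of problems; an empty list means the string is usable."""
    try:
        obj = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at column {exc.colno}"]
    if not isinstance(obj, dict):
        return ["expected a JSON object"]
    return [f"missing or empty key: {k}" for k in required if not obj.get(k)]


def build_phones(numbers: list, phone_type: str = "work") -> str:
    """Serialize a multi-valued attribute as an array of objects.
    json.dumps escapes quotes and backslashes that plain concatenation
    would pass through into the payload unescaped."""
    return json.dumps([{"value": n, "type": phone_type} for n in numbers])


if __name__ == "__main__":
    sample = "jane.doe@example.com"  # constructed sample value
    keys = ("address", "type")
    for name, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_object(render(tpl, email=sample), keys))
    # A source value containing a double quote breaks a concatenated template
    # even when the template itself is correct.
    print("quote", check_object(render(FIXED, email='a"b@example.com'), keys))
    print(build_phones(["+1 555 0100", "+1 555 0101"]))
```

Running the check against every identity attribute value that feeds a concatenated template catches both malformed templates and source data that would corrupt the payload before it reaches the Create Account call.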