Description

We are super excited to announce the rolled out of net new SailPoint Google Workspace SaaS Connector in Identity Security Cloud!

This is a SaaS Connector that does not require a Virtual Appliance to run. This SaaS connector provides identity management and governance to protect Google Workspace Accounts, Service Accounts, Domains and the associated Google Groups. This includes aggregation, provisioning, and the management of entitlements at the account level.

The Google Workspace SaaS connector can manage the following Google Cloud objects:

• Google Accounts(Google Workspace Identities + managed Cloud Identities only)
• Service Accounts
• Domains(Google Workspace or Cloud Identity Domain)
• Google Groups

What are the capabilities of Google Workspace SaaS connector?

High-level Capabilities

• Account Operations
  • Load accounts - user, service account, domain
  • Provision accounts - user, service account, domain
  • Access Certifications (certification of entitlements connected to accounts)
  • Password management - Google Workspace User/ Cloud Identity
  • Enable and disable accounts - Google Workspace User/ Cloud Identity and service account
  • Manages Delegated Administrators and Alias on Accounts
  • Move User to Other Organization Unit
  • Provision Custom Schema Attributes
• Group Entitlements
  • Supported Google Workspace objects include:
    • Groups
    • Roles
  • Supported GCP objects are:
    • IAM Roles
    • Projects
    • Folders
    • Resource Permissions
  • Groups, roles, and resource permission for Google Workspace User/ Cloud Identity
  • Resource permission for service account and domain

Documentation

• Integrating SailPoint with Google Workspace SaaS

Note -

• If you are already using a VA based Google Workspace Connector, then there won’t be any changes or impact to it.

If you have any questions, please reach out to us, and we would be more than happy to help you in all possible ways.

Thanks!

In the Virtual Appliance based Google Workspace connector, we are using account.filterString to exclude Service and Domain accounts in the accoun aggregation. We attempted to do this with the SaaS connector, but the filter isn’t working. Is account.filterString not being implemented for this connector?

If you are looking for future enhancements on this connector, it would be great if there could be a configuration setting to exclude Service Accounts.

Hi @Carlatto,

The current account filtering option in the source configuration, which is present in the VA based connector is also available in this SaaS Connector.

For more information, refer to Advanced Settings.

This filtering is applicable to the fields mentioned in this Google Doc - جستجو برای کاربران  |  Admin console  |  Google for Developers.

Looks like there is no OOTB way for filtering the Service and Domain accounts, and you are using product level filtering option via account.filterString. Can you please share on which parameter you are applying filter?

Thanks,
Dinesh

This is the filter we are using on the VA Based Connector:

"account.filterString": "(objectID.containsIgnoreCase(\"serviceAccount\") || objectID.containsIgnoreCase(\"domain\"))"

We tried the same filter on the SAAS Based Connector, but it doesn’t work.

FYI, the “Advanced Settings” link in this comment is dead, and needs to be updated to Advanced Settings

Thanks for sharing — I think the key confusion is filter semantics. The VA-style objectID.containsIgnoreCase(…) doesn’t translate to the Google Workspace SaaS connector the same way, because the SaaS connector is aggregating different account types (users, serviceAccount, domain)

If the goal is “only bring human users,” the clean approach seems to be configuring the connector to aggregate only users (via the connector’s accountTypes setting), rather than trying to reuse VA filterString logic.

Can someone confirm the supported/best-practice way here is setting accountTypes = users to exclude service accounts/domains? If yes, it’d be great to document this explicitly so folks don’t assume VA filters apply 1:1.