Provision Google Workspace groups without creating accounts

Hello everyone,

Current Environment:

  • Two separate Google Workspace tenants (GW1 and GW2)
  • Primary user identities exist in GW1, with a GW1.com account (source tenant)
  • GW2 (target tenant) has configured cross-domain group memberships to accept GW1 users

Business Requirement: We want to implement access governance for GW2 group memberships through SailPoint IGA platform, while:

  1. Maintaining users’ primary identities in GW1 only
  2. Not provisioning duplicate user accounts in GW2
  3. Managing cross-tenant group memberships via SailPoint Access Profiles

Technical Objective: Configure SailPoint to:

  • Create Access Profiles that map to GW2 groups
  • Enable access request workflows for GW2 group memberships
  • Upon approval, grant GW1 users membership to GW2 groups using their existing GW1 identities
  • Maintain the principle of identity singularity, no creation of GW2 account

We tried using the default Google Workspace connector, but it always tries to create the GW2 account and use it.

Have you encountered this question, and do you have any feedback?

We were thinking of setting up a Web Service connector; does that seem feasible to you?

Kind regards,

David
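Added example, not part of the original post and not SailPoint's or Google's code: the two Google Admin SDK Directory API operations a Web Service connector would need for this design, `groups/{groupKey}/members` GET/POST/DELETE, with no call to the `users` resource at all. This is what makes the "no GW2 account" requirement enforceable: the connector only ever addresses the GW2 group's members collection, and the member is identified by the existing GW1 address. The HTTP transport is injectable, so the module runs offline against the constructed in-memory `FakeDirectory` below; in a real deployment the transport would attach a token for a GW2 service account with domain-wide delegation and the `https://www.googleapis.com/auth/admin.directory.group.member` scope. Group and user addresses are invented, and the fake's rejection of an external member on a group whose `allowExternalMembers` setting is false uses an assumed HTTP 400; it models that the GW2 group setting must permit external members, not the exact error text Google returns.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote, unquote, urlparse

BASE = "https://admin.googleapis.com/admin/directory/v1"
Response = Tuple[int, Dict]                               # (HTTP status, decoded JSON body)
Transport = Callable[[str, str, Optional[Dict]], Response]  # (method, url, json_body) -> Response


class DirectoryGroupClient:
    """Membership operations only: every URL is under groups/{groupKey}/members."""

    def __init__(self, transport: Transport):
        self._send = transport

    def _member_url(self, group: str, email: str) -> str:
        # memberKey is the member's email; both keys are URL-encoded path segments
        return f"{BASE}/groups/{quote(group, safe='')}/members/{quote(email, safe='')}"

    def is_member(self, group: str, email: str) -> bool:
        status, body = self._send("GET", self._member_url(group, email), None)
        if status == 200:
            return True
        if status == 404:          # members.get returns 404 when not a member
            return False
        raise RuntimeError(f"members.get failed: {status} {body}")

    def add_member(self, group: str, email: str, role: str = "MEMBER") -> bool:
        """Idempotent add. Returns True only if this call created the membership."""
        if self.is_member(group, email):
            return False
        url = f"{BASE}/groups/{quote(group, safe='')}/members"
        status, body = self._send("POST", url, {"email": email, "role": role})
        if status in (200, 201):
            return True
        if status == 409:          # member appeared between the GET and the POST
            return False
        raise RuntimeError(f"members.insert failed: {status} {body}")

    def remove_member(self, group: str, email: str) -> bool:
        """Idempotent remove. Returns True only if a membership was actually deleted."""
        status, body = self._send("DELETE", self._member_url(group, email), None)
        if status in (200, 204):
            return True
        if status == 404:
            return False
        raise RuntimeError(f"members.delete failed: {status} {body}")


class FakeDirectory:
    """Constructed in-memory stand-in for the GW2 tenant's Directory API (a test double, not Google)."""

    def __init__(self, tenant_domain: str, groups: Dict[str, bool]):
        self.domain = tenant_domain.lower()
        self.allow_external = dict(groups)                    # groupKey -> allowExternalMembers
        self.members: Dict[str, set] = {g: set() for g in groups}
        self.requests: List[Tuple[str, str]] = []             # (method, path) audit trail

    def __call__(self, method: str, url: str, body: Optional[Dict]) -> Response:
        path = urlparse(url).path
        self.requests.append((method, path))
        parts = [unquote(p) for p in path.split("/") if p]
        # parts: ['admin', 'directory', 'v1', 'groups', <groupKey>, 'members'(, <memberKey>)]
        if len(parts) < 6 or parts[3] != "groups" or parts[5] != "members":
            return 404, {"error": "unsupported in this fake"}
        group = parts[4]
        if group not in self.members:
            return 404, {"error": "group not found"}
        member = parts[6] if len(parts) > 6 else None
        if method == "GET" and member:
            return (200, {"email": member}) if member in self.members[group] else (404, {})
        if method == "POST" and member is None and body:
            email = body["email"]
            if email in self.members[group]:
                return 409, {"error": "Member already exists"}
            external = not email.lower().endswith("@" + self.domain)
            if external and not self.allow_external[group]:
                return 400, {"error": "external members not allowed"}   # assumed status code
            self.members[group].add(email)
            return 200, {"email": email, "role": body.get("role", "MEMBER")}
        if method == "DELETE" and member:
            if member in self.members[group]:
                self.members[group].discard(member)
                return 204, {}
            return 404, {}
        return 405, {"error": "method not allowed"}


if __name__ == "__main__":
    gw2 = FakeDirectory("gw2.com", {"finance-readers@gw2.com": True})
    client = DirectoryGroupClient(gw2)
    print("added:", client.add_member("finance-readers@gw2.com", "david@gw1.com"))
    print("requests touching /users:", [p for _, p in gw2.requests if "/users" in p])
```

The `requests` list on the fake is the check worth carrying into a real connector test: after an access-profile grant and revoke, every recorded path should sit under `/groups/.../members`, which is exactly the behaviour the poster could not get from the default connector.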
