Google Cloud
Configuring Google Cloud for Veza Lifecycle Management
Overview
The Veza integration for Google Cloud enables automated user provisioning, access management, and de-provisioning capabilities for Google Workspace. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.
Supported capabilities (✅ = supported):
SYNC_IDENTITIES ✅: Synchronizes identity attributes between systems, with options to create new identities and update existing ones
MANAGE_RELATIONSHIPS ✅: Controls entitlements such as group memberships for identities
DEPROVISION_IDENTITY ✅: Safely removes or suspends access for identities
SOURCE_OF_IDENTITY ✅: Google Cloud can act as a source system for identity lifecycle policies
This document includes steps to enable the Google Cloud integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
Enabling Lifecycle Management for Google Cloud
Prerequisites
You will need administrative access in Veza to configure the integration and grant API scopes in Google Cloud.
Ensure you have an existing Google Cloud integration in Veza or add a new one for use with Lifecycle Management.
Verify your Google Cloud integration has completed at least one successful extraction.
The Google Cloud integration will need the following additional API scopes:
https://www.googleapis.com/auth/admin.directory.user - Required for user management operations
https://www.googleapis.com/auth/admin.directory.group - Required for group management operations
https://www.googleapis.com/auth/admin.directory.domain - Required for domain management capabilities
https://www.googleapis.com/auth/admin.directory.rolemanagement - Required for admin role management
https://www.googleapis.com/auth/apps.groups.settings - Required for detailed group settings management
https://www.googleapis.com/auth/cloud-platform - Required for Cloud Identity API and broader Google Cloud access
Configuration Steps
In Veza, go to the Integrations overview
Search for or create a Google Cloud integration
Check the box to Enable usage for Lifecycle Management
Configure the service account with appropriate permissions:
Users > Read/Write
Groups > Read/Write
Organization Units > Read
Roles > Read/Write
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
Supported Actions
Google Cloud can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Google Cloud, and changes are propagated to connected systems.
Google Cloud can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.
The integration supports the following lifecycle management Actions:
Sync Identities
Primary action for user management (creating or updating users):
Entity Types: Google Workspace User
Create Allowed: Yes (New user identities can be created if not found)
The following attributes can be synchronized:
Manage Relationships
Controls relationships between users and Google Workspace groups:
Supported Relationship Types: Google Workspace Groups
Assignee Types: Google Workspace Users
Supports Removing Relationships: Yes
Both adding and removing group memberships are supported:
Add users to specific Google Workspace groups based on department or role
Remove access when roles change or users leave
Maintain consistent group membership based on organizational structure
Deprovision Identity
When a user is deprovisioned:
Entity Types: Google Workspace User
De-provisioning Methods: Suspend user (preserves user data while preventing access)
User is suspended in Google Workspace
Access to resources is removed
Account information is preserved for audit purposes
Source of Identity
Google Cloud can serve as a source system for identity lifecycle policies, where changes to Google Workspace users trigger workflows in other systems.
Example Workflows
Example: Onboarding Workflow for New Employees
To create a workflow for onboarding new employees:
Create a policy with your source of identity (e.g., Workday or CSV upload)
Configure a workflow for new employees
Add a Sync Identities action to create Google Workspace users:
# Google Workspace User Attributes
email: {first_name}.{last_name}@company.com
first_name: {first_name}
last_name: {last_name}
Add a Manage Relationships action to assign appropriate groups:
Condition:
department eq "Engineering"
Add to: "Engineering Team" group
Condition:
department eq "Sales"
Add to: "Sales Team" group
Example: Offboarding Workflow for Departing Employees
To create a workflow for departing employees:
Create a policy with your source of identity
Configure a workflow with condition:
active eq false
Add a De-provision Identity action:
Entity Type: Google Workspace User
Method: Suspend
Remove All Relationships: Yes
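The two workflows above, modelled end to end as an added example that is not Veza's code: it evaluates the page's `attribute eq "value"` conditions, renders the email template, assigns groups by department, and on `active eq false` suspends the account (never deletes it) and removes every group membership. The identity records, group names and the `Workspace` stand-in for the Google Workspace target are constructed for the example.

```python
# Added example (not Veza's code): simulates the onboarding and offboarding
# workflows. The `Workspace` class, identity records and group names are
# constructed stand-ins; the condition syntax is the page's `attr eq value`.
import re
from dataclasses import dataclass, field

COND_RE = re.compile(r'^(\w+)\s+eq\s+(?:"([^"]*)"|(\w+))$')

def matches(record: dict, condition: str) -> bool:
    """Evaluate a single `attr eq value` condition against an identity record."""
    m = COND_RE.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    attr, quoted, bare = m.groups()
    expected = quoted if quoted is not None else bare
    actual = record.get(attr)
    if isinstance(actual, bool):            # `active eq false` compares booleans
        return str(actual).lower() == expected.lower()
    return str(actual) == expected

GROUP_RULES = [('department eq "Engineering"', "Engineering Team"),
               ('department eq "Sales"', "Sales Team")]

@dataclass
class Workspace:
    """Constructed stand-in for the Google Workspace target."""
    users: dict = field(default_factory=dict)      # email -> {"suspended": bool}
    groups: dict = field(default_factory=dict)     # group name -> set of emails

def onboard(ws: Workspace, record: dict) -> dict:
    """Sync Identities (create allowed) followed by Manage Relationships."""
    email = f"{record['first_name']}.{record['last_name']}@company.com".lower()
    ws.users.setdefault(email, {"suspended": False})      # create if not found
    for cond, group in GROUP_RULES:
        members = ws.groups.setdefault(group, set())
        if matches(record, cond):
            members.add(email)
        else:
            members.discard(email)          # keep membership consistent with the attribute
    return {"email": email, "groups": sorted(g for g, m in ws.groups.items() if email in m)}

def offboard(ws: Workspace, record: dict, email: str) -> dict:
    """Deprovision Identity: suspend (account kept for audit) and remove all relationships."""
    if not matches(record, "active eq false"):
        return {"suspended": False, "removed_from": []}
    ws.users[email]["suspended"] = True     # suspend, never delete, so data is preserved
    removed = [g for g, m in ws.groups.items() if email in m]
    for g in removed:
        ws.groups[g].discard(email)
    return {"suspended": True, "removed_from": sorted(removed)}
```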