Google Cloud

Configuring Google Cloud for Veza Lifecycle Management

Overview

The Veza integration for Google Cloud enables automated user provisioning, access management, and de-provisioning capabilities for Google Workspace. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.

Action Type            Supported  Description
SYNC_IDENTITIES        Yes        Synchronizes identity attributes between systems, with options to create new identities and update existing ones
MANAGE_RELATIONSHIPS   Yes        Controls entitlements such as group memberships for identities
DEPROVISION_IDENTITY   Yes        Safely removes or suspends access for identities
SOURCE_OF_IDENTITY     Yes        Google Cloud can act as a source system for identity lifecycle policies

This document includes steps to enable the Google Cloud integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Google Cloud

Prerequisites

  1. You will need administrative access in Veza to configure the integration, and Google Workspace super admin access to authorize the API scopes for the integration's service account (domain-wide delegation in the Admin console).

  2. Ensure you have an existing Google Cloud integration in Veza or add a new one for use with Lifecycle Management.

  3. Verify your Google Cloud integration has completed at least one successful extraction.

  4. In addition to the scopes used for extraction, the Google Cloud integration's service account will need the following OAuth scopes authorized for Lifecycle Management:

    • https://www.googleapis.com/auth/admin.directory.user - Required for user management operations

    • https://www.googleapis.com/auth/admin.directory.group - Required for group management operations

    • https://www.googleapis.com/auth/admin.directory.domain - Required for domain management capabilities

    • https://www.googleapis.com/auth/admin.directory.rolemanagement - Required for admin role management

    • https://www.googleapis.com/auth/apps.groups.settings - Required for detailed group settings management

    • https://www.googleapis.com/auth/cloud-platform - Required for Cloud Identity API and broader Google Cloud access
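Before enabling the integration it is worth confirming that every scope above was actually authorized for the service account, because a domain-wide delegation token request fails as a whole if any requested scope is missing. The following script is an added example, not Veza's code or its integration: it requests a delegated token for each required scope individually, so the output names exactly which scopes are not yet granted. The key file path and the impersonated admin address are assumptions passed on the command line; the pure helpers at the top work offline on a scope list pasted from the Admin console.

```python
"""Check the OAuth scopes Veza Lifecycle Management needs for Google Cloud.

Added example, not Veza's code. Assumes a service account JSON key that has
domain-wide delegation enabled and a Google Workspace super admin to
impersonate (both supplied as arguments; neither is taken from the page).
Requires google-auth only for the live probe; the list helpers need nothing.
"""
import sys

# The scopes the Veza documentation lists as required for Lifecycle Management.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.domain",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement",
    "https://www.googleapis.com/auth/apps.groups.settings",
    "https://www.googleapis.com/auth/cloud-platform",
)


def parse_delegation_list(text):
    """Split the scope list as copied from Security > API controls >
    Domain-wide delegation, tolerating newlines and stray whitespace."""
    return [s.strip() for s in text.replace("\n", ",").split(",") if s.strip()]


def missing_scopes(granted):
    """Return the required scopes absent from an iterable of granted scopes.

    Comparison is exact: the Admin console stores delegated scopes as full
    URLs, so a short form such as 'admin.directory.user' does not count.
    """
    granted = {s.strip() for s in granted}
    return [s for s in REQUIRED_SCOPES if s not in granted]


def probe_delegated_scopes(key_file, admin_email):
    """Request a delegated access token once per scope.

    With domain-wide delegation Google rejects the whole token exchange
    ('unauthorized_client') if any requested scope is not authorized for the
    service account's client ID, so probing one scope at a time is the only
    way to learn which scope is missing. Imports are local so the helpers
    above stay importable without google-auth installed.
    """
    from google.auth.exceptions import RefreshError
    from google.auth.transport.requests import Request
    from google.oauth2 import service_account

    results = {}
    for scope in REQUIRED_SCOPES:
        creds = service_account.Credentials.from_service_account_file(
            key_file, scopes=[scope], subject=admin_email
        )
        try:
            creds.refresh(Request())
            results[scope] = "granted"
        except RefreshError as err:
            results[scope] = f"not delegated: {err}"
    return results


if __name__ == "__main__":
    # Usage: python check_scopes.py /path/to/key.json admin@example.com
    key_path, admin = sys.argv[1], sys.argv[2]
    for scope, status in probe_delegated_scopes(key_path, admin).items():
        print(f"{scope:60} {status}")
```

The live probe needs network access and a real key; the `missing_scopes` check is useful on its own when you only have the scope string from the Admin console and want to diff it against the list above before asking an admin to change it.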

Configuration Steps

  1. In Veza, go to the Integrations overview

  2. Search for or create a Google Cloud integration

  3. Check the box to Enable usage for Lifecycle Management

  4. Grant the account the integration uses the following Admin console privileges (read-only for Organization Units, read/write for the objects Lifecycle Management changes):

    • Users > Read/Write

    • Groups > Read/Write

    • Organization Units > Read

    • Roles > Read/Write

To verify the health of the Lifecycle Management data source:

  1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

  2. Search for the integration and click the name to view details

  3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Google Cloud can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Google Cloud with changes propagated to connected systems.

Google Cloud can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

  • Entity Types: Google Workspace User

  • Create Allowed: Yes (New user identities can be created if not found)

The following attributes can be synchronized:

Google Workspace User Attributes

Property            Required  Type    Description                          Notes
email               Yes       String  Primary email address                Unique identifier
first_name          Yes       String  Given name
last_name           Yes       String  Family name
email_addresses     No        Array   Multiple email addresses as a list   Additional email formats
location_areas      No        Array   Location information as a list
organization_names  No        Array   Organization information as a list

Manage Relationships

Controls relationships between users and Google Workspace groups:

  • Supported Relationship Types: Google Workspace Groups

  • Assignee Types: Google Workspace Users

  • Supports Removing Relationships: Yes

Both adding and removing group memberships are supported:

  • Add users to specific Google Workspace groups based on department or role

  • Remove access when roles change or users leave

  • Maintain consistent group membership based on organizational structure

Deprovision Identity

When a user is deprovisioned:

  • Entity Types: Google Workspace User

  • De-provisioning Methods: Suspend user

Suspension is the only method the integration offers; it does not delete the account. The user is suspended in Google Workspace, sign-in and access to resources are blocked, and the account and its attributes are preserved for audit purposes.

Source of Identity

Google Cloud can serve as a source system for identity lifecycle policies, where changes to Google Workspace users trigger workflows in other systems.

Example Workflows

Example: Onboarding Workflow for New Employees

To create a workflow for onboarding new employees:

  1. Create a policy with your source of identity (e.g., Workday or CSV upload)

  2. Configure a workflow for new employees

  3. Add a Sync Identities action to create Google Workspace users:

    # Google Workspace User Attributes
    email: {first_name}.{last_name}@company.com
    first_name: {first_name}
    last_name: {last_name}

  4. Add a Manage Relationships action to assign appropriate groups:

    • Condition: department eq "Engineering"

      • Add to: "Engineering Team" group

    • Condition: department eq "Sales"

      • Add to: "Sales Team" group

Example: Offboarding Workflow for Departing Employees

To create a workflow for departing employees:

  1. Create a policy with your source of identity

  2. Configure a workflow with condition: active eq false

  3. Add a De-provision Identity action:

    • Entity Type: Google Workspace User

    • Method: Suspend

    • Remove All Relationships: Yes
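The two workflows above can be modelled end to end against an in-memory stand-in for Google Workspace. The following script is an added example, not Veza's code or its policy engine: it implements the actions as the page describes them (Sync Identities with Create Allowed, Manage Relationships from the department conditions, Deprovision Identity by suspension with all relationships removed) and handles two things the template alone hides, namely names that do not map cleanly onto an email local part ("José O'Brien") and two employees with the same name. The source records, group names and the `attr eq "value"` condition syntax follow the page; the record layout, the collision rule and the matching-by-source-id behaviour are assumptions of this example.

```python
"""Offline model of the onboarding and offboarding workflows.

Added example, not Veza's code. Runs the page's actions against a fake
Workspace directory so the outcome of each policy run can be inspected.
"""
import re
import unicodedata

# Constructed sample feed from the source of identity (e.g. an HR export).
# Two different people are both called Ada Lovelace on purpose.
SOURCE_RECORDS = [
    {"id": "1001", "first_name": "Ada", "last_name": "Lovelace", "department": "Engineering", "active": True},
    {"id": "1002", "first_name": "José", "last_name": "O'Brien", "department": "Sales", "active": True},
    {"id": "1003", "first_name": "Ada", "last_name": "Lovelace", "department": "Engineering", "active": True},
]
EMAIL_TEMPLATE = "{first_name}.{last_name}@company.com"   # from the page
GROUP_RULES = [                                            # Manage Relationships
    ('department eq "Engineering"', "Engineering Team"),
    ('department eq "Sales"', "Sales Team"),
]
COND_RE = re.compile(r'^(\w+)\s+(eq|ne)\s+(?:"([^"]*)"|(true|false))$')


def evaluate(condition, record):
    """Evaluate a condition such as department eq "Sales" or active eq false.
    Strings compare case-sensitively, as the page writes them."""
    m = COND_RE.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    attr, op, string_val, bool_val = m.groups()
    expected = string_val if string_val is not None else (bool_val == "true")
    return (record.get(attr) == expected) if op == "eq" else (record.get(attr) != expected)


def _slug(value):
    """Fold accents and keep lower-case ASCII letters and digits only, so
    apostrophes, spaces and diacritics never reach the email local part."""
    ascii_text = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_text.lower())


def render_email(record, taken, template=EMAIL_TEMPLATE):
    """Fill the template and resolve collisions with a numeric suffix, so a
    second Ada Lovelace gets ada.lovelace2@... instead of the first one's account."""
    local, _, domain = template.partition("@")
    base = local.format(first_name=_slug(record["first_name"]), last_name=_slug(record["last_name"]))
    candidate, n = f"{base}@{domain}", 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}@{domain}"
    return candidate


class FakeWorkspace:
    """Stand-in for the Directory API: users keyed by primary email,
    groups as sets of member emails."""

    def __init__(self):
        self.users = {}
        self.groups = {}

    def find_by_source_id(self, source_id):
        # Match on the source identifier, not on the rendered email, so a rename
        # updates the existing account instead of creating a duplicate.
        return next((e for e, u in self.users.items() if u["source_id"] == source_id), None)


def sync_identity(ws, record):
    """Sync Identities with Create Allowed: update the matched user or create one."""
    email = ws.find_by_source_id(record["id"])
    if email is None:
        email = render_email(record, ws.users)
        ws.users[email] = {"source_id": record["id"], "suspended": False}
    ws.users[email].update(first_name=record["first_name"], last_name=record["last_name"])
    return email


def manage_relationships(ws, record, email):
    """Manage Relationships: membership is made to match the rules, so a user
    whose department changed is removed from the old group, not only added."""
    for condition, group in GROUP_RULES:
        members = ws.groups.setdefault(group, set())
        (members.add if evaluate(condition, record) else members.discard)(email)


def deprovision(ws, email):
    """Deprovision Identity, method Suspend, Remove All Relationships: the
    account and its attributes stay for audit; sign-in and every membership go."""
    ws.users[email]["suspended"] = True
    for members in ws.groups.values():
        members.discard(email)


def run_policy(ws, records):
    """One policy evaluation: inactive records that exist in Workspace are
    offboarded (condition: active eq false); all others are onboarded."""
    for record in records:
        if evaluate("active eq false", record):
            email = ws.find_by_source_id(record["id"])
            if email is not None:
                deprovision(ws, email)
            continue   # never create an account for someone who has already left
        manage_relationships(ws, record, sync_identity(ws, record))
    return ws


def demo():
    """First run onboards everyone; second run shows José as departed."""
    ws = run_policy(FakeWorkspace(), SOURCE_RECORDS)
    departed = [dict(r, active=False) if r["id"] == "1002" else r for r in SOURCE_RECORDS]
    return run_policy(ws, departed)


if __name__ == "__main__":
    ws = demo()
    for email, user in sorted(ws.users.items()):
        print(f"{email:30} suspended={user['suspended']}")
    for group, members in ws.groups.items():
        print(f"{group}: {sorted(members)}")
```

The second run is the check worth keeping: after it, jose.obrien@company.com still exists with its attributes but is suspended and belongs to no group, while both Ada Lovelace accounts keep their Engineering Team membership. The `continue` in `run_policy` matters as much as the suspend call: an offboarding policy must never let Sync Identities create a fresh account for a record that is already inactive.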
