Configuring Google Cloud for Veza Lifecycle Management
The Veza integration for Google Cloud enables automated user provisioning, access management, and de-provisioning capabilities for Google Workspace. This integration allows you to synchronize identity information, manage group memberships, and automate the user lifecycle from onboarding to offboarding.
| Capability | Description | Supported |
|---|---|---|
| SYNC_IDENTITIES | Synchronizes identity attributes between systems, with options to create new identities and update existing ones | ✅ |
| MANAGE_RELATIONSHIPS | Controls entitlements such as group memberships for identities | ✅ |
| DEPROVISION_IDENTITY | Safely removes or suspends access for identities | ✅ |
| SOURCE_OF_IDENTITY | Google Cloud can act as a source system for identity lifecycle policies | ✅ |
This document includes steps to enable the Google Cloud integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
Prerequisites:

- You will need administrative access in Veza to configure the integration and grant API scopes in Google Cloud.
- Ensure you have an existing Google Cloud integration in Veza, or add a new one for use with Lifecycle Management.
- Verify that your Google Cloud integration has completed at least one successful extraction.
- The Google Cloud integration will need the following additional API scopes:
  - https://www.googleapis.com/auth/admin.directory.user: Required for user management operations
  - https://www.googleapis.com/auth/admin.directory.group: Required for group management operations
  - https://www.googleapis.com/auth/admin.directory.domain: Required for domain management capabilities
  - https://www.googleapis.com/auth/admin.directory.rolemanagement: Required for admin role management
  - https://www.googleapis.com/auth/apps.groups.settings: Required for detailed group settings management
  - https://www.googleapis.com/auth/cloud-platform: Required for the Cloud Identity API and broader Google Cloud access
To enable the integration for Lifecycle Management:

1. In Veza, go to the Integrations overview.
2. Search for or create a Google Cloud integration.
3. Check the box to Enable usage for Lifecycle Management.
4. Configure the service account with appropriate permissions:
   - Users > Read/Write
   - Groups > Read/Write
   - Organization Units > Read
   - Roles > Read/Write
To verify the health of the Lifecycle Management data source:

1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page, or the Veza Integrations overview.
2. Search for the integration and click its name to view details.
3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled.
Google Cloud can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Google Cloud with changes propagated to connected systems.
Google Cloud can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.
The integration supports the following Lifecycle Management actions:

Sync Identities (SYNC_IDENTITIES) is the primary action for user management (creating or updating users):

- Entity Types: Google Workspace User
- Create Allowed: Yes (new user identities are created if no matching user is found)

The following attributes can be synchronized:

Manage Relationships (MANAGE_RELATIONSHIPS) controls relationships between users and Google Workspace groups:

- Supported Relationship Types: Google Workspace Groups
- Assignee Types: Google Workspace Users
- Supports Removing Relationships: Yes

Both adding and removing group memberships are supported:

- Add users to specific Google Workspace groups based on department or role
- Remove access when roles change or users leave
- Maintain consistent group membership based on organizational structure

De-provision Identity (DEPROVISION_IDENTITY) removes access without deleting the account:

- Entity Types: Google Workspace User
- De-provisioning Methods: Suspend user (preserves user data while preventing access)

When a user is deprovisioned:

- The user is suspended in Google Workspace
- Access to resources is removed
- Account information is preserved for audit purposes
Google Cloud can serve as a source system for identity lifecycle policies, where changes to Google Workspace users trigger workflows in other systems.
To create a workflow for onboarding new employees:

1. Create a policy with your source of identity (e.g., Workday or CSV upload).
2. Configure a workflow for new employees.
3. Add a Sync Identities action to create Google Workspace users:

   ```yaml
   # Google Workspace User Attributes
   email: {first_name}.{last_name}@company.com
   first_name: {first_name}
   last_name: {last_name}
   ```

4. Add a Manage Relationships action to assign appropriate groups:
   - Condition: department eq "Engineering" → Add to: "Engineering Team" group
   - Condition: department eq "Sales" → Add to: "Sales Team" group

To create a workflow for departing employees:

1. Create a policy with your source of identity.
2. Configure a workflow with condition: active eq false.
3. Add a De-provision Identity action:
   - Entity Type: Google Workspace User
   - Method: Suspend
   - Remove All Relationships: Yes
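The two workflows above, modelled as an added example that is not Veza's code: an in-memory Google Workspace tenant is reconciled against source records using the page's attribute template, the department conditions, and Suspend with Remove All Relationships. The `company.com` domain, the record field names and the group rules are assumptions taken from the examples above.

```python
from dataclasses import dataclass, field

# Constructed example, not Veza's implementation. Maps each
# "department eq X" condition to the group that condition adds.
GROUP_RULES = {"Engineering": "Engineering Team", "Sales": "Sales Team"}
MANAGED_GROUPS = set(GROUP_RULES.values())
DOMAIN = "company.com"  # assumed from the email attribute template


@dataclass
class WorkspaceUser:
    email: str
    first_name: str
    last_name: str
    suspended: bool = False
    groups: set = field(default_factory=set)


def template_email(rec):
    """Render email: {first_name}.{last_name}@company.com from a source record."""
    return f"{rec['first_name']}.{rec['last_name']}@{DOMAIN}".lower()


def sync_identity(tenant, rec):
    """SYNC_IDENTITIES: update the matching user, or create one (Create Allowed: Yes)."""
    email = template_email(rec)
    user = tenant.get(email)
    if user is None:
        user = tenant[email] = WorkspaceUser(email, rec["first_name"], rec["last_name"])
    else:
        user.first_name, user.last_name = rec["first_name"], rec["last_name"]
    return user


def manage_relationships(user, rec):
    """MANAGE_RELATIONSHIPS: grant the department's group and drop managed groups the
    conditions no longer grant; groups outside the rules are left untouched."""
    wanted = {GROUP_RULES[rec["department"]]} if rec["department"] in GROUP_RULES else set()
    user.groups = (user.groups - MANAGED_GROUPS) | wanted
    return user.groups


def deprovision_identity(user):
    """DEPROVISION_IDENTITY, Method: Suspend, Remove All Relationships: Yes.
    The account and its attributes stay in place for audit; only access is removed."""
    user.suspended = True
    user.groups.clear()
    return user


def apply_policy(tenant, records):
    """Onboarding workflow for active records, offboarding where active eq false.
    Offboarding never creates a user that is missing from the tenant."""
    for rec in records:
        if rec["active"]:
            manage_relationships(sync_identity(tenant, rec), rec)
        elif (user := tenant.get(template_email(rec))) is not None:
            deprovision_identity(user)
    return tenant
```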