External System
Grouper uses directory APIs to manage groups: https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups. Group fields and attributes are below.
| Grouper name | Attribute or field | Type | Required? | Description |
|---|---|---|---|---|
| id | field | String | required | UUID read from GCP. Select only. |
| name | field | String | required | Name of the group in GCP. |
| attribute | String | required | Unique email address of the group | |
| description | attribute | String | optional | Description of the group |
| whoCanAdd | attribute | String | optional | Valid values are listed at https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups#resource |
| whoCanJoin | attribute | String | optional | Valid values are listed at https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups#resource |
| whoCanViewMembership | attribute | String | optional | Valid values are listed at https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups#resource |
| whoCanViewGroup | attribute | String | optional | Valid values are listed at https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups#resource |
| whoCanInvite | attribute | String | optional | Valid values are listed at https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups#resource |
| allowExternalMembers | attribute | Boolean | optional | Valid values are listed at https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups#resource |
| whoCanPostMessage | attribute | String | optional | Valid values are listed at https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups#resource |
| allowWebPosting | attribute | Boolean | optional | Valid values are listed at https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups#resource |
Grouper uses directory APIs to manage users: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users. User fields and attributes are below.
| Grouper name | Attribute or field | Type | Required? | Description |
|---|---|---|---|---|
| id | field | String | required | UUID read from GCP. Select only. |
| field | String | required | email address of the user. In GCP, it's called primaryEmail. | |
| familyName | attribute | String | required | Family name (Last name) |
| givenName | attribute | String | required | Given name (First name) |
Configure GCP for development purposes
- Signup for GCP
- Go to IAM & Admin → Groups
- It will say "This feature requires an organization" and at the bottom of the screen, click the button "GO TO THE CHECKLIST"
- Follow the instructions to set up cloud identity, verify your domain.
- In the project allow admin SDK
- Go back to https://console.cloud.google.com/ IAM & Admin.
- Under IAM → Permissions, add a new Principal with role Owner.
- On the left, click on Service Accounts. Create a new service account. Under the newly created service account, create a new key (P12).
- Under the newly created service account, enable Domain-wide Delegation.
- Under the newly created service account, under Permissions, add the Principal you added above.
Scopes should be:
https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member
- The user impersonated as needs to be an admin