The Google Apps Multi-Domain connector is designed to be used in environments where either multiple Google domains exist, or a single domain exists under a single Google tenancy with multiple “ORGs” set up within it.

For example, the Identity functionalities of this connector enable you as an Identity administrator to configure Google Apps as a connected system and then make Identity users part of the Google Apps system. This enables the user or Identity administrator to reset Google Apps account passwords. This also enables you to create, retrieve, update, and delete user accounts, nicknames, and e-mail groups.

The Provisioning functionalities of this connector enable exporting and importing user accounts on a Google Apps system.

 

Fischer's Google Apps Multi-Domain connector integration supports the following functionality:

 

Prerequisites

Ensure that these prerequisites are satisfied:

1. Create the service account.
   
   An account with administrative privileges is required to execute the directory API. (Note: If there is already an admin account available to use, this step can be skipped). Only administrators can create an admin account. The following steps are required to create the service account.
   1. Login to the GoogleApps admin console. https://admin.google.com/AdminHome) using an existing admin account. Click on the Users menu.
      
      
      

   2. Click on the Users menu.
      
      
      

   3. Select Add user button.
      The Create a new user page displays.

      
      

       

   4. Enter the new user details. Click 'ADDITIONAL INFO' to give more information, if needed.

      Select the option Add a user manually option and click continue
      The Create a new user page displays.

      

       

   5. Enter the additional information of the user and click the Create button.

   6. Once the new user is created, select the Admin Roles option from the main menu.

      

   7. Add the service account to the Super Admin role.

   8. Login to admin console with the new user credentials. From the admin console of the new admin account, select the menu Apps. Make sure that in the APPS SETTINGS _ G Suite list has Groups for Business with status 'On for everyone', as in the screen below.
      

    

2. Enable API Access
   Once the service account is activated, it requires access to the administrative APIs. This is also done from the admin console.

   
   

    

   1. Select the security menu and choose the API reference option. 

   2. Check the Enable API access check box.
      

   3. Apply the changes using the Save Changes button.
3. Activate Admin SDK
   

   The service account authentication option of the directory is required for this connector. 

   
   

   1. Create a project in Google APIs console. Use the link https://code.google.com/apis/console to create the project. 

   2. Use the Create project... button to create the new API project. This will display the Google Developers Console. Click Create project.
      

   3. Enter project name and click CREATE.
      
      
      

   4. The Google Developers Console page is shown below. The Google Apps APIs are listed here. Select A

      
      

      
      

   5. Select the enable button to turn on the Admin SDK APIs.
      
      

      
      
      
      
      

   6. The ADMIN SDK’S dashboard will display as shown below. Similarly, the different API’s like Calendar API, Group Settings API, etc., can be enabled 
      
      
      
   7. Select Credentials and enter 'Product name shown to users' in the OAuth consent screen and click Save button.
      
      
      
   8. Select the IAM & Admin page as directed below. "Products & Services" _ IAM & Admin.
      
      
      
      
   9. Select 'Service accounts' in the 'IAM & Admin' page to get service accounts for the project. Click CREATE SERVICE ACCOUNT.
      
      
      
   10. The Create service account screen will be displayed as shown below. Enter Service account name and Select your Role. Check the 'Furnish a new private key' and 'Enable G Suite Domain-wide Delegation' check boxes. Select the Key type 'P12' for the private key. Click CREATE button.
       
       
       
       
       

   11. The service account haws been created and generated a new Public-Private key with default private key password 'notasecret'.

        

       

   12. Select the Save File and click OK button to download in internet browser. Here the private key file gets downloaded.

       
       
       

   13. Store the key file in a location on the Identity/Provisioning Server. This file can be chosen as the 'Service Account Private Key' in the Google Apps Multi domain connected system details page.
       
       
   14. The service accounts page displays as show below. Click the View Client ID to get the client ID.
       
       
       

   15. The Client ID for the service account client displays. Store the 'Client ID' and 'Service account' information for further use.
       
       
       

       The service account details will be populated in the page ’Client ID for the service account'. These details are required while authorizing the service account to execute the API and while connecting to Google apps using the service account.

       In this case, the values are:
       Client ID: 113822069952190990035
       Service Account email address: serviceaccount1@my-project1-149814.iam.gserviceaccount.com

        

4. Authorize Service Account
   In order to use the service account, API client access must be granted. From the Google Admin console perform the following steps. Select Security _ Advanced Settings _ Manage OAuth Client access.
   
   

   1. Select the Security section for the admin console.
      
      
   2. Click Show more to get advanced settings.
      
      
      
   3. Select 'Manage API client access' in 'advanced settings' to authenticate the service account.
      
      
      

   4. The ‘Manage API client access’ displays. Enter ‘Client Name’ and ‘API Scopes’ of service account details and click the Authorize button.
      
      
      

   • Client Name is the Client ID of the service account. In the below example, it is 113822069952190990035. The API Scope is controlled by scope of access. Based on the object the API is accessing/managing, there are separate scopes. Set it based on your API access requirement. For example, use the scope https://www.googleapis.com/auth/admin.directory.user when the service account is required to manage users. Additional scopes for service account can also be entered; if required (comma delimited). See Minimal Scopes Required for Connector Execution. https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.readonly

   • The API scopes added are view and manage users and groups on the domain. The comma separated API Scopes given are: 
     https://www.googleapis.com/auth/admin.directory.user,
     https://www.googleapis.com/auth/admin.directory.user.readonly,
     https://www.googleapis.com/auth/admin.directory.group,
     https://www.googleapis.com/auth/admin.directory.group.readonly

     The Manage API client access page displays which contains this given client as an authorized API clients. 

   
   
   

   Minimal Scopes Required for User/Group in Connector Execution

5. The following are the minimal scopes required for connector execution.
   
   

   Scope Feature https://www.googleapis.com/auth/admin.directory.user 1. Enable User 2. Disable User 3. User Import 4. Group Import https://www.googleapis.com/auth/admin.directory.user.readonly 1. Test Connection 2. Validate User 3. Lookup 4. User Export https://www.googleapis.com/auth/admin.directory.group.readonly 1. Group Export 2. Lookup https://www.googleapis.com/auth/admin.directory.group 1. Group Import 2. User Import https://www.googleapis.com/auth/apps.groups.settings  1.Group Settings Attribute Export 2. Group Settings Attribute Import

   
   
   Scopes required for Export/Import of Calendar

6. The following are the minimal scopes required for Export/Import of Calendar.
   
   
   

   Scope Feature https://www.apps-apis.google.com/a/feeds/calendar/resource/ Calendar Import/Export

   Google Domain Connected System Page

   
   
   1. The connected systems details page is shown below.
   
   
   

7. Enter the desired information:
   
   

   Definition

   Supported Connectors Displays whether the connected system is Identity only, Provisioning only, or both.

   Type Select the connected system type.

   Locale Select the preferred language (default: English). Locale specific information such as Display Name and Description can be added only while modifying the connected system.

   Name The name for this connected system. Note: The name cannot be modified later.

   Display Name The display name of the new connected system.

   Description The description of the connected system.

   Associated With  Select how the connector associated with this system will run: Server (default) - Runs locally on the Provisioning/Identity Server. Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list. See Using the Global Identity Gateway with Connected Systems for additional information.

   Password Reset By  Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users: OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system. Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system. Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.

   Provisioning Option Select the provisioning option: Automated (default) - The connected system functions as a normal connected system; there are no restrictions. Administrative - The connected system cannot be used as an object in a workflow.

   Enable HPAM Support  Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.

   Connection Information

   Admin Email Address The email address of the Google Apps administrative account.

   Service Account Email Address The email address of the service account. Use service accounts to call google api on behalf of the application instead of an end-user.

   Service Account Private Key The path to the private key of the service account (note: once the connected system is added, the location will not be visible from the admin UI)

   Private Key Password Provide the private key password as the value of this parameter. This is used only while parsing the private key and not used in runtime while creating Google apps connection.

   Admin Password Password of the Google Apps administrative account.

   Configiuration Details

   Password Hash Algorithm Specify the password hash algorithm: None, MD5, or SHA-1.

   Password Expiration Support

   Expiration Options For Admin/OBO User Password Reset  Specify the password expiration: None, Immediate, or Immediate with Date. Note: If Immediate with Date is selected, Immediate is also available. The Detect button creates a connection to the connected system using current configuration settings. The connector then attempts to determine correct values for the settings, which are auto-detected, and then these settings are updated with detected values.

   System Owner  Add or Remove users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users. The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process.

   Add/Remove Adds or removes users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users. The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process.

8. Click the Test Connection button to test the Connection Information:

   • If successful, one or both of these messages may display:

   Message: Connection from Provisioning to the connected system was established successfully.
   Message: Connection from Identity to the connected system was established successfully.

   • If unsuccessful, one or both of these messages may display:

   Error: Failed to establish connection from Provisioning to the connected system.
   Error: Failed to establish connection from Identity to the connected system.

   
   Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs.

9. (Optional) To select owners of the system, click the System Owner Add button. The Connected System Owner Search page displays:
   
   
   

   1. Select the owners and then click the Select button. The system owner displays under the System Owner section:

      
      

      Note: More than one user can be assigned as an owner.

   2. To add additional system owners, click the Add button.

10. On the Connected System Details page, click the Add button to save the configured connected system. The Object Category Association page displays a list of categories that are already associated and/or can be selected to add additional associations to this connected system:
    
    
    

    1. Select one or more available object categories or provide search criteria and click the Search button to find specific categories to select. If there are no available categories to select, proceed to Step 8.

    2. Click the Add Association button to associate the selected object categories to the connected system.

11. Click the Back button to return to the Connected System View page. The new connected system displays in the list.

See Copying, Modifying, and Deleting Connected Systems for additional information.

Creating the Connected System in the Studio

1. Log in to the Workflow and Connectivity Studio and click Connectivity ► Add Systems on the menu bar. The Add Connected Systems window displays.
   
   
2. Select the Google Apps  connected system from the Type drop-down list. The default values display.
   
   
   

3. Enter the desired information:
   
   

   Definition

   Type Select the connected system type.

   Name  The name for this connected system. Note: The name cannot be modified later.

   Display Name  The display name of the new connected system.

   Description  The description of the connected system.

   Supported Connectors  Displays whether the connected system is Identity only, Provisioning only, or both. Only connectors that support Provisioning are available here.

   Associated With  Select how the connector associated with this system will run: Server (default) - Runs locally on the Provisioning/Identity Server. Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list. See the Using the Global Identity Gateway with Connected Systems for additional information.

   Password Reset By  Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users: OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system. Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system. Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.

   Provisioning Option  Select the provisioning option: Automated (default) - The connected system functions as a normal connected system; there are no restrictions. Administrative - The connected system cannot be used as an object in a workflow.

   Enable HPAM Support  Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.

   Connection Information

   Admin Email Address The email address of the Google Apps administrative account.

   Service Account Email Address The email address of the service account. Use service accounts to call google api on behalf of the application instead of an end-user.

   Service Account Private Key The path to the private key of the service account (note: once the connected system is added, the location will not be visible from the admin UI)

   Private Key Password Provide the private key password as the value of this parameter. This is used only while parsing the private key and not used in runtime while creating Google apps connection.

   Admin Password Password of the Google Apps administrative account.

   Configuration Details

   Password Hash Algorithm Specify the password hash algorithm: None, MD5, or SHA-1.

   Password Expiration Support

   Expiration Options For Admin/OBO User Password Reset  Specify the password expiration: None, Immediate, or Immediate with Date.

4. Click the Connect button to test the Connection Information:
   • If successful, one or both of these messages may display:

   Connection from Studio to the connected system was established successfully.

   • If unsuccessful, one or both of these messages may display:

   Failed to establish connection from Studio to the connected system.

   Note: If the connection fails, additional messages may display providing more information regarding the failure.

    

5. Click the Apply button to apply changes. The Category Association window displays.

    

   1. Select one or more object categories from the Available Categories list or enter a category name and click the Search button to find a specific category to select. If there are no available categories to select, proceed to Step 6.

   2. Click the Add button to associate the selected object categories to the connected system.

6. Click OK to accept selected categories.

See Copying, Modifying, and Deleting Connected Systems for additional information.

Using the Connected System for Identity

Perform these procedures to configure the connector:

• Connector Details for Identity
• Identity Password Management

 

Note: The user must agree to Google Apps terms and conditions before most Identity Management functions can be performed.

Identity Password Management

See User Management for details on password management.

Using the Connected System for Provisioning

Perform these procedures to configure the connector:

• Configuring for Export
• Configuring for Import
• Connector Details for Provisioning

Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.

Configuring for Export

Perform these procedures to configure the connector for data export:

• "Configuring the Export Connector
• "Configuring the Export Link" 

From the Workflow and Connectivity Studio, select the Google Multi UserExport workflow listed under the projects folder.
If a workflow does not already exist, create an export workflow. See Workflow and Connectivity Studio for details on creating export workflows.

Configuring the Export Connector

1. In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays:
   
   
   
   

2. From the Configure Plug-in tab, set these properties as required:
   
   

   Associated Connected System Select the connected system from the list. The export operation will be done from this connected system.

   Data Formats  Select the type of data format to use: Profiles (default) or ChangeLog.

   DeltaExportMode Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected): OnlyChangedAttributes - Performs a partial export of only the changed attributes from the last time the query was run. ChangedAndMandatoryAttributes (default) - Performs a partial export of both changed and mandatory attributes from the last time the query was run. Mandatory attributes are exported whether they have been changed or not. AllAttributes - Performs a full export of all attributes that contain a value.

   DynamicConnectedSystem Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.

   DynamicConnectedSystemOption  Select how to control Dynamic System Support (DSS): None - There will not be any Dynamic System Support. Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail. GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.

   ExportMode Select the type of data to export: FullExport - Exports all attributes. DeltaExport - Exports changed, mandatory, or all attributes, depending on the DeltaExportMode property setting.

   Filter  Specify search criteria to determine the objects to be exported from the container specified in ExportDN. Use the Set Filter button that becomes active to create a filter. See "Set Filter" on page 34 for additional information.

   FoldSubRecords If set to TRUE, sub records are folded and returned as attributes.

   GetCalendarById Specify the calendar ID to fetch the details of a Calendar. This property is available only for Calendar data format.

   GetCalendarResourceById Specify the resource ID to fetch the details of a Calendar Resource. This property is available only for Calendar Resource data format.

   GetDeviceByID Specify the ID to fetch the details of a chrome device. This property is available only for Chrome Device data format.

   GetDeviceByResourceID Specify the ResourceID to fetch the details of a mobile device. This property is available only for Mobile Device data format.

   GetGroupByEmail Specify the group email ID to fetch the details of a group. This property is available only for Group data format.

   GetUserByEmail Configuration property with the email of the user. If this property is configured, other export related configuration properties (Filter, Maxresults, ResultsPerPage) are ignored.

   MaxResults Select the maximum number of results that can be returned

   ResultsPerPage Configuration to control the items to be fetched per page.

   Note: Hover the pointer over a property to view its description.

   
   
   

3. The calendar export operation works with the value given in plug-in property GetCalendarById 
   
   

   1. If the value is empty, it exports all calendars from the account which is configured in connected system parameter "Admin Email Address".

   2. If the given value is the same "Admin Email Address" configured in connected system page, it exports the primary calendar of the account. 

   3. If we set the value as another user’s email, it impersonates and export primary calendar of the given account.

       

4. (Optional) Select the Attributes tab. Only standard attributes display:

   
   
   Modify schema attributes using these buttons.
   
   

   Description

   Add  Adds additional attributes to the list. The Add New Attribute dialog displays.

   Export  Exports the schema list to an XML file.

   Import Imports the schema list from an XML file.

   Refresh Schema Dynamically discovers the schema from the connected system. It also includes local as well as global attributes added in the Studio.

   Reset Schema  Resets the schema definition to the default schema prepackaged with the IdM Suite, plus any global variable added.

5. Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
   
   

6. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

   Configuring the Export Link

7. In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays:

   

   Description

   Source Attributes  Select the attributes to export.

   Selected Attributes Displays default attributes and those attributes that have been selected from the Source Attributes. Notes: The check boxes are used only for delta export operations. These checked attributes will always be exported whether they were changed or not. Usually, the attributes that are selected as mandatory attributes help in identifying or verifying an entry when completing mapping functions.

   Format  Displays the Format Date window to specify a date/time format to be applied to the selected date type attribute, for example, whenChanged. During export, the attribute’s value is converted to the specified format. See the Format Date steps below for additional information. Notes: The Format button is only enabled for date attributes. The Refresh Schema button on the Configure Data Source window’s Attributes tab must be used to refresh the schema and enable the Format button for date attributes.

   Advanced Settings  Displays the Configure Attributes window for configuring advanced settings for attributes. See the Configure Attributes window on page 39 for additional information.

8. From the Attribute Selection tab, select attributes to export.
   
   
9. (Optional) Click the Format button to specify a date/time format to be applied to the selected date type attribute. The Format Date window displays.
   
   
   1. Select the Include Time check box to add the timestamp with the date.
   2. Select the 24 Hour or 12 Hour option button and then select the required date/time format.
   3. Click OK to save the selected format. The Configure Link window displays.
      
      
10. Click OK to save any changes and return to the Workflow and Connectivity Studio window.
    
    
11. Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.
    
    
12. Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.

 

Configuring for Import

Perform these procedures to configure the connector for data import:

• Configuring the Import Connector
• Configuring the Import Link
  
  

From the Workflow and Connectivity Studio, select the Google Multi UserAdd, UserModify, or UserDelete workflow listed under the projects folder.

If a workflow does not already exist, create an import workflow. See the Workflow and Connectivity Studio documentation for details on creating import workflows.

 

Configuring the Import Connector

1. In the Design pane, double-click the import object (the last workflow object). The Configure Data Source window displays:
   
   
   

2. From the Configure Plug-in tab, set these properties as required:
   
   

   Associated Connected System Select the connected system from the list. The import operation will be done to this connected system.

   Data Formats  Select the type of data format to use: Profiles (default) or ChangeLog.

   DynamicConnectedSystem Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.

   DynamicConnectedSystemOption Select how to control Dynamic System Support (DSS): None - There will not be any Dynamic System Support. Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail. GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem. See the Dynamic System Support appendix in the Workflow and Connectivity Studio document for additional information.

   ExecuteGIGAssociatedTaskAsynchronously Property which controls execution mode for GIG associated tasks. If this property is true and the task connected system has GIG association, task is executed asynchronously. If this property is false, GIG associated tasks will execute asynchronously with a blocking call. This blocking call can result in timeout issues if the task takes more time than the SOAP call timeout. This property is ignored if there is no GIG association or task is executed from Studio.

   Id * Enter the attribute that contains the value used to uniquely identify the user account user ID on the connected system.

   loginId * Enter the attribute that contains the value used to uniquely identify the user account login ID on the connected system.

   Notes: * accountDN, Id, and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details. Hover the pointer over a property to view its description.

   

3. For the Calender Data format, Exception Date can be handled with the plugin property named ExDateProcessOnAddEvent.
   Values for this property are: 

    

   1. MarkDayAsExcluded (default) - This marks the exceptional day events as excluded in google page.

   2. CancellEventOnDay - This cancels the event on the given exceptional day.

      1. During add event on Google Calendar with ExDateProcessOnAddEvent value as MarkDayAsExcluded.
         - The Exceptional date (EXDATE) value in attribute recurrence will show as except on google page.
         Example: 9th May 2016 and 11th may 2016 <recurrence>EXDATE;VALUE=DATE:20160509</recurrence><recurrence>EXDATE;VALUE=DATE:20160511</recurrence>
         - The attribute recurrenceDate is not effective.

      2. During add event on Google Calendar with ExDateProcessOnAddEvent value as CancellEventOnDay
         - The Exceptional date ( EXDATE ) value in attribute recurrence show as excluded in google page.
         - This will cancel (will disappear) all recurrence event instances with the given Exceptional Date ( EXDATE ) in attribute recurrence.
         Example: 9th May 2016 and 11th may 2016 <recurrence>EXDATE;VALUE=DATE:20160509</recurrence><recurrence>EXDATE;VALUE=DATE:20160511</recurrence
         - The attribute recurrenceDate is not effective.

      3. Modify an existing event on Google Calendar.
         - ExDateProcessOnAddEvent is not effective here.
         - The attribute recurrenceDate can use to cancel an instance of a recurring event; if the status is cancelled.
         Example: 25th May 2016<recurrenceDate>2016-05-25</recurrenceDate> <status>cancelled</status>

4. (Optional) Select the Attributes tab. Only standard attributes display:

   
   
   

   Modify schema attributes with the buttons.
   
   

5. (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
   
   

6. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

   Configuring the Import Link

7. In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). The Configure Link window displays:

   

   Source Attributes  Select the attributes to import.

   Check for attribute-level auditing. If auditing is enabled and these attributes below are checked, Provisioning will log all events for auditing purposes.

   Selected Attributes  Displays default attributes and those attributes that have been selected from the Source Attributes. Note: The default attributes are those that are commonly used to create a new user.

   Advanced Settings  Displays the Configure Attributes window for configuring advanced settings for attributes. Under the Encrypted column, check the box of any attribute that needs to be encrypted. Under the Diff With Target column, check the box of any attribute to update using differencing (DiffWithTarget, AddDiffWithTarget, and RemoveDiffWithTarget).

   Audit Key  Select the attribute to associate with the Audit Key.

8. From the Attribute Selection tab, select attributes to import.

9. (Optional) Select the Appearance tab to change how the link displays in the Design pane.

10. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

11. Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio  for details of deployment options.

12. Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.

Connector Details for Provisioning

Configuration import properties accountDN, Id, and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.

Connector Supported Dataformats

This connector supports four different dataformats for import and export. User, Group, Calendar Resource & Calendar.

USER Dataformat

We can use this data format in import mode to manage users. User management include add/modify/delete user, manage user attributes, user aliases and user’s group memberships.  We can use this in export mode to fetch user attributes, user aliases and user’s group memberships.

API Scopes

Since we are using service account to invoke Google API, the service account must be given access to invoke the API. We are expecting only the minimal access corresponding to the action we are doing. Following are the minimal API access scope required for each user data format operation. We need group level scopes since user data format fetch and manage group memberships.

Connector Attributes

The items in the Export, Create, Modify, and Delete columns have these meanings:

• y = Yes (attribute is supported for this operation)
• n = No (attribute is not supported for this operation)
• y* = Required (attribute is mandatory for this operation)
• NA = Not applicable

 

Contact Attributes for User Dataformat

The acting key attributes used for contact comparison are in following order. If any one of the attribute value get matched, then contact operation (add/modify/delete) would perform accordingly.

1. Contact→Id
2. Contact->Email->Address ( primary)
3. Contact->Email->Address (secondary)
4. Contact-> GivenName
5. Contact-> FullName
6. Contact-> AdditionalName

 

2. Group Dataformat

We can use group data format in import mode to manage groups and group members. We can use this data format in export mode to fetch group details and group members.

API Scopes

Since we are using service account to invoke Google API, the service account must be given access to invoke the API. We are expecting only the minimal access corresponding to the action we are doing. Following are the minimal API access scope required for each user data format operation. We need group level scopes since user data format fetch and manage group memberships.

Configuration Parameters

The following configuration parameters are supported for this data format.

 

Connector Attributes for Group Dataformat

 

Attribute for Group Settings in Group Dataformat

 

Calendar Resource Dataformat

This dataformat is used to manage calendar resources used in creating calendar events. Examples of calendar resources are meeting rooms, projectors, company cars or any other resource that people in the organization  might schedule to use. 

 

Calendar Dataformat

 

We can use this data format to import and manage calendar events in google calendar . Exporting the calendar events is also possible using this dataformat.

API Scopes

Since we are using service account to invoke Google Calendar API v3, the service account must be given access to invoke the API. We are expecting only the minimal access corresponding to the action we are doing. Following are the minimal API access scope required for each calendar data format operation. 

Drive Data Format

We can use this data format to manage folders and permissions.
Google Drive is a file storage and synchronization service provided by Google which enables user cloud storage, folder/file sharing and collaborative editing. Google Drive is the home of Google Docs, an office suite of productivity applications that offer collaborative editing on documents, spreadsheets, presentations, and more.

 

API Scopes

Since we are using service account to invoke Google Drive API v2, the service account must be given access to invoke the API. We are expecting only the minimal access corresponding to the action we are doing. Following are the minimal API access scope required for drive data format operation. 

 

Connector Attributes

Y* attributes are mandatory fields. The attributes which contains -> in name are multi-level attributes. All attributes except “permission->value” can be exported.

Chrome Device Dataformat

We can use this data format to retrieve all Chrome devices for an account and also update or take action on a chrome device.

 

API Scopes

Since we are using service account to invoke Google Drive API v2, the service account must be given access to invoke the API. We are expecting only the minimal access corresponding to the action we are doing. Following are the minimal API access scope required for drive data format operation. 

 

 

Connector Attributes for Chrome Device Dataformat 

 

Y* attributes are mandatory fields. The attributes which contains -> in name are multi-level attributes. All attributes except “permission->value” can be exported.

 

 

Mobile Device Dataformat

We can use this data format to retrieve all Mobile devices for an account, take action on a mobile device or delete a mobile device.

API Scopes

Since we are using service account to invoke Google Directory API, the service account must be given access to invoke the API. We are expecting only the minimal access corresponding to the action we are doing. Following are the minimal API access scope required for each chrome device data format operation.

Connector Attributes for Mobile Device Dataformat 

Y* attributes are mandatory fields. The attributes which contains -> in name are multi-level attributes. All attributes except “permission->value” can be exported.

 

 

Entitlement Support

This connector supports static entitlements in the form of Users or Groups. The non-static entitlement discovery support is only for google groups.  Entitlements are configured from the Admin UI ► Server ► Resources. See the Resource Management chapter in the Identity Suite Administration Guide for details on resources.

To configure entitlements

1. Static Entitlement - On the Resource Detail page, under Entitlement Options, click Add Static Entitlement button, enter a Name and Value, and select the Type.
   If selected type is group, the value should be primary email of group. And if the selected type is attribute, the name should be attribute name and value should be attribute value.
   

2. Entitlement discovery for Groups - On the Resource Detail page, under Entitlement Options, click Add button to get the page for Entitlement Search on Google Apps MultiDomain System as shown below. 
   
   
   
3. Search for google group with Name or Email and criteria. Click Search button. The Google groups list will be displayed as shown below. Select and add group(s).
   

Lookup Data

To filter data, use the Data Mapper rule Lookup Data. The following lookup options will be supported.

1. Log in to the Workflow and Connectivity Studio and double-click the Data Mapper object on the Design pane.
   The Configure Data Mapper window displays.
   
   

2. Select the Lookup Data rule under the Mapping Rule column and then click the Source Value.
   The Configure Lookup window displays.
   
   
   

3. Select the GoogleMulti from the Select System drop-down list.

4. In the Enter Lookup Prefix field, enter the prefix to be added to the Lookup fields.

5. Select the Lookup Type (user, group, Calendar Resource, Calendar, Drive, Chrome Device and Mobile Device.) from the drop-down list.

    

   1. Select the lookup method (i.e. User By Email, User By primary Email or User By Filter) for the lookup type user.
      When Lookup Type is group, the lookup methods are "Group By Email", "Group By Domain" and "Group By User Email".

      Type	Name	Argument	Description
      User	User By Email	primaryEmail or alias or userID	Fetch user details by providing user Email or userID. At most one user can be returned.
      	User By Filter	Filter can be on domain name and any one of the attribute email, givenName, and familyName	Fetch users using the filter provided. Can return 0 or more users. This is same as user export by providing filter.
      Group	Group By Email	Group By Email	Fetch group details by providing group Email or GroupID. At most one group can be returned.
      	Groups By Domain	DomainName	Fetch all groups under a domain. If domain name is not provided, groups from all domains are returned.
      	Groups By User Email	primaryEmail	Fetch all groups in which the given user is a member.
      Calendar Resource		Resource Id	Fetch the details of the calendar resource by providing the calendar resource id.
      Calendar		Calendar Id	Fetch the calendar details by providing the calendar id.
      Drive	Drive By ID	Folder Id	Fetch folder details by providing its ID.  At most one file can be returned.
      	Drive By Filter	Filter folders with any one of the attributes:  title, fulltext, labelTrashed, labelStarred and modifiedDate	Fetch folder using the filter provided. Can return 0 or more folders. This is same as folder export by providing filter.
      Chrome Device	Device By ID	Device Id	Fetch chrome device details by providing its Device ID. Atmost one file can be returned.
      	Device By Filter	Filter Chrome device with any one of the attributes: RecentUsders->Email, SerialNumber, Status	Fetch chrome device using the filter provided. Can return 0 or more devices. This is same as chrome device export by providing filter.
      Mobile Device	Device By Resource ID	Resource ID	Fetch mobile device details by providing its Resource ID. Atmost one file can be returned.
      	Device By Filter	Filter Mobile device with any one of the attributes: Email, Name, Status	Fetch mobile device using the filter provided. Can return 0 or more devices. This is same as mobile device export by providing filter.

6. If User by Filter is selected, click the Filter Build button, and then from the Set Filter window, generate the search filter
   
   

   Example:

   
   

   Another Example of  the Set Filter Window for  Drive By Filter:
   

   
   

    

7. Click OK. The updated Configure Lookup window displays.
   

   Example of Lookup screen with Filter:

   

8. Select the Exit as Mapper Task Failed on Lookup Failure check box to exit the task with Failed
   status on lookup failure. It will not process the succeeding entries and will ignore the already processed entries and will not return any data. This is selected by default.

9. Click OK.

Canceling a single instance of a Recurring Event

1. In the import link of google multi domain connector, set the date of the specific recurring instance to be deleted in attribute Event→recurrenceDate.
   
   
2. The sample mapper screen to delete a specific recurrence event in a GoogleMD ► DataMapper ► GoogleMD workflow is shown below assuming a calendar with single recurring event.
   

Canceling multiple instances of a Recurring Event

Some sample import-data for the recurring Event add, modify and cancel.

1. Recurrence Event Add
   
   
   
2. Event Modify
   
   
   
3. Event Modify - Recurrence Event Cancellation through recurrenceDate attribute