Configuring Google Workspace integration

Tidal Control's Google Workspace integration monitors your organisation's users, groups, and admin settings for compliance purposes.

What this integration monitors:

  • Users: Account status, permissions, and security settings
  • Groups: Membership and access controls
  • Admin settings: Security policies and configurations

Requirements:

  • Super User role in Tidal Control
  • Google Workspace super admin rights
  • Access to Google Cloud Console and Google Admin Console (admin.google.com)

Configuration step-by-step plan

What we're going to do: We'll create a Google service account with domain-wide delegation and the necessary permissions to access your Google Workspace admin data through secure APIs. If you also want to set up Google Drive, we'll add the required configuration at each step.

Configuration steps:

  1. Create service account
  2. Generate JSON key
  3. Set up domain-wide delegation
  4. Configure API scopes
  5. Enable APIs
  6. Configure integrations

Step 1: Create service account

  • Go to Google Cloud Console at https://console.cloud.google.com
  • Log in with account that has project access
  • Select your Google Cloud project in project selector
  • Navigate to IAM & Admin → Service Accounts
  • Click "+ CREATE SERVICE ACCOUNT"
  • Fill in service account details:
    • Service account name: Tidal Control Workspace
    • Service account ID: tidal-control-workspace
    • Description: Service account for Tidal Control Google Workspace monitoring

Step 2: Generate JSON key

  • Skip role assignment by clicking "Continue" twice
  • Click "Done" to create service account
  • Select new service account from list
  • Go to "KEYS" tab
  • Click "ADD KEY" → "Create new key"
  • Select JSON format
  • The JSON file downloads automatically to your computer
  • Store file securely - needed for integration setup

Step 3: Set up domain-wide delegation

  • Go back to service account details in Google Cloud Console
  • Click "Advanced settings" section to expand
  • Copy Client ID (save for next step)
  • Go to Google Admin Console at https://admin.google.com
  • Navigate to Security → Access and data control → API controls → Domain-wide delegation
  • Ensure you have super admin rights in Google Workspace

Step 4: Configure API scopes

  • Click "Add new" in the domain-wide delegation screen
  • Paste Client ID of the service account (from step 3)
  • Enter the OAuth Scopes you need (comma separated):

For Google Workspace:

https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

For Google Drive, add this scope:

https://www.googleapis.com/auth/drive.readonly

Tip

Combining scopes: If you are setting up both Workspace and Drive, combine all scopes in a single comma-separated entry.

  • Click "AUTHORISE" to assign permissions

Step 5: Enable APIs

  • Return to Google Cloud Console
  • Navigate to APIs & Services → Library
  • Search and enable the following API:
    • Admin SDK API
  • Click "ENABLE" for the API

For Google Drive, also enable:

  • Google Drive API

Step 6: Configure integrations

  • Go to Settings → Integrations in Tidal Control
  • Click the plus icon next to Google Workspace
  • Fill in configuration:
    • Name: Google Workspace
    • Service Account JSON: Upload or paste contents of JSON file
    • Impersonation user email: Email of a Google Workspace admin user (e.g. admin@company.com)
  • Click "Create" to save integration

Warning

The impersonation user email must be a real Google Workspace admin user (e.g. admin@company.com). This is not the service account email (which ends in @project.iam.gserviceaccount.com). The service account uses this email to impersonate a Workspace admin and access admin APIs.

For Google Drive, add this:

  • Click the plus icon next to Google Drive
  • Fill in configuration:
    • Name: Google Drive
    • Service Account JSON: Upload same JSON file
    • Impersonation user email: Same Workspace admin email (e.g. admin@company.com)
  • Click "Create" to save integration

Tip

One service account, multiple integrations: You can use the same JSON key file for both Google Workspace and Google Drive integrations.

Configuration fields explained

Name:

  • A descriptive name for this integration
  • For example: Google Workspace, Google Drive

Service Account JSON:

  • Contains authentication credentials for your service account
  • Downloaded in step 2 during service account creation
  • Keep this file secure - it provides access to your Google environment

Impersonation user email:

  • Email of a Google Workspace admin user that the service account will impersonate
  • This user must have super admin rights in Google Workspace
  • For example: admin@company.com, it-admin@organisation.org
  • Required for access to Workspace admin APIs and Drive

Info

This is not the service account email. The impersonation user email is a real person's Workspace account with admin rights, not the technical service account address (name@project.iam.gserviceaccount.com).

Verification

Check integration status:

  • Settings → Integrations shows "Connected" status for Google Workspace
  • Google Workspace test available in Tests section
  • Test refresh delivers results without authentication errors

Warning

JSON key security: Store the JSON key file securely - it provides access to your Google environment and cannot be downloaded again.

Frequently asked questions

Can I use the same service account for multiple Tidal Control environments?

Yes, you can reuse the same service account JSON key across different Tidal Control instances.

What happens if I disable domain-wide delegation?

The integration will stop working immediately as Tidal Control won't be able to access Workspace admin APIs.

How often does Tidal Control sync Workspace data?

Data is synchronized according to your configured test schedule, typically every few hours.

Common problems

"Authentication failed" errors

  • Verify the JSON key file is correctly uploaded
  • Check that domain-wide delegation is configured with the correct Client ID
  • Confirm the impersonation user email belongs to a user with super admin rights

"API not enabled" errors

  • Ensure Admin SDK API is enabled in your Google Cloud project
  • Wait a few minutes after enabling APIs before testing the integration

"Permission denied" errors

  • Verify OAuth scopes are correctly configured in domain-wide delegation
  • Check that the impersonation user email is a real Workspace admin user, not the service account email
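
An offline preflight check for the causes listed above, added here as an example and not part of Tidal Control's product or documentation: it checks the inputs from steps 2, 4 and 6 against each other before you upload anything. The `preflight` helper, the sample key and its placeholder Client ID and project name are assumptions made for illustration.

```python
import json

# OAuth scopes listed in Step 4 of this page.
WORKSPACE_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
}
DRIVE_SCOPES = {"https://www.googleapis.com/auth/drive.readonly"}
SA_SUFFIX = ".iam.gserviceaccount.com"

# Constructed sample key with placeholder values (not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "100000000000000000001",
    "client_email": "tidal-control-workspace@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER",
})


def preflight(key_json, delegated_client_id, scope_entry, impersonation_email,
              with_drive=False):
    """Hypothetical helper: return a list of problems (empty list = consistent)."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError:
        return ["service account JSON is not valid JSON"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return ["JSON file is not a service account key"]
    problems = [f"JSON key is missing {f}"
                for f in ("client_id", "client_email", "private_key") if not key.get(f)]
    if key.get("client_id") != delegated_client_id.strip():
        problems.append("delegated Client ID does not match the JSON key")
    email = impersonation_email.strip().lower()
    if email.endswith(SA_SUFFIX) or email == str(key.get("client_email", "")).lower():
        problems.append("impersonation email is a service account address")
    # Compare the comma-separated delegation entry with the scopes this page lists.
    granted = {s.strip() for s in scope_entry.split(",") if s.strip()}
    required = WORKSPACE_SCOPES | (DRIVE_SCOPES if with_drive else set())
    problems += [f"missing scope: {s}" for s in sorted(required - granted)]
    problems += [f"unexpected scope: {s}" for s in sorted(granted - required)]
    return problems


if __name__ == "__main__":
    entry = ",".join(sorted(WORKSPACE_SCOPES))
    print(preflight(SAMPLE_KEY, "100000000000000000001", entry, "admin@company.com"))
```

An "unexpected scope" result means the delegation entry grants more than the read-only scopes this page asks for, which is worth correcting even if the integration connects.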

Still can't figure it out?

Send an email to support@tidalcontrol.com, and we'll get back to you as soon as possible.

Info

Gather support info: Note which browser you're using, exact error messages, and which steps you've already tried. This speeds up the solution considerably.
