Google Workspace
Configuring Google Workspace integration
Tidal Control's Google Workspace integration monitors your organisation's users, groups, and admin settings for compliance purposes.
What this integration monitors:
- Users: Account status, permissions, and security settings
- Groups: Membership and access controls
- Admin settings: Security policies and configurations
Requirements:
- Super User role in Tidal Control
- Google Workspace super admin rights
- Access to Google Cloud Console and Admin Console
Configuration step-by-step plan
What we're going to do: We'll create a Google service account with the necessary permissions to access your Google Workspace admin data through secure APIs. If you also want to set up GCP, we'll add the required GCP configuration at each step.
Configuration steps:
- Create service account
- Generate JSON key and assign role
- Set up domain-wide delegation
- Configure API scopes
- Enable APIs
- Configure integrations
Step 1: Create service account
- Go to Google Cloud Console at https://console.cloud.google.com
- Log in with an account that has project access
- Select your Google Cloud project in the project selector
- Navigate to IAM & Admin → Service Accounts
- Click "+ CREATE SERVICE ACCOUNT"
- Fill in service account details:
  - Service account name: Tidal Control Workspace
  - Service account ID: tidal-control-workspace
  - Description: Service account for Tidal Control Google Workspace monitoring
Step 2: Generate JSON key and assign role
- Skip role assignment by clicking "Continue" twice
- Click "Done" to create the service account
- Select the new service account from the list
- Go to the "KEYS" tab
- Click "ADD KEY" → "Create new key"
- Select JSON format
- The JSON file downloads automatically to your computer
- Store the file securely; it is needed for the integration setup
For GCP, add this:
- Go to IAM & Admin → IAM in Google Cloud Console
- Click "+ GRANT ACCESS"
- Enter your service account email (format: name@project.iam.gserviceaccount.com)
- Select role: Basic → Viewer
- Click "Save"
Step 3: Set up domain-wide delegation
- Go back to the service account details
- Click the "Advanced settings" section to expand it
- Copy the Client ID (save it for the next step)
- Note the service account email (format: name@project.iam.gserviceaccount.com)
- Click "VIEW GOOGLE WORKSPACE ADMIN CONSOLE"
- Navigate to Security → Access and data control → API controls
- Click "MANAGE DOMAIN WIDE DELEGATION"
Step 4: Configure API scopes
- Click "Add new" in domain-wide delegation
- Paste the Client ID (from step 3)
- Enter OAuth Scopes (comma separated):
https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group
- Click "AUTHORISE" to assign permissions
For GCP, add this:
- Update OAuth Scopes to include GCP access:
https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/cloud-platform
Step 5: Enable APIs
- Return to Google Cloud Console
- Navigate to APIs & Services → Library
- Search for and enable the following API:
  - Admin SDK API
- Click "ENABLE" for the API
For GCP, add this:
- Enable additional APIs:
  - Identity and Access Management (IAM) API
  - Cloud Resource Manager API
Step 6: Configure integrations
- Go to Settings → Integrations in Tidal Control
- Click the plus icon next to Google Workspace
- Fill in configuration:
  - Name: Google Workspace
  - Service Account JSON: Upload or paste contents of JSON file
- Click "Create" to save integration
For GCP, add this:
- Click the plus icon next to Google Cloud Platform
- Fill in configuration:
  - Name: GCP Production Account
  - Domain: Your Google Workspace domain (e.g. company.com)
  - Impersonation Subject: Admin email for delegation (e.g. admin@company.com)
  - Service Account JSON: Upload same JSON file
- Click "Create" to save integration
One service account, two integrations: You can use the same JSON key file for both Google Workspace and GCP integrations
Configuration fields explained
Service Account JSON:
- Contains authentication credentials for your service account
- Downloaded in step 2 during service account creation
- Keep this file secure - it provides access to your Google environment
For GCP integration (optional):
Domain:
- Your Google Workspace domain name
- For example: company.com, organisation.org
- Needed for domain-wide delegation to Workspace resources
Impersonation Subject:
- Email of the Google Workspace admin that the service account may impersonate
- Must have super admin rights in Google Workspace
- For example: admin@company.com, it-admin@organisation.org
- Needed for access to Workspace admin APIs
Verification
Check integration status:
- Settings → Integrations shows "Connected" status for Google Workspace
- Google Workspace test available in Tests section
- Test refresh delivers results without authentication errors
JSON key security: Store the JSON key file securely - it provides access to your Google environment and cannot be downloaded again
Frequently asked questions
Can I use the same service account for multiple Tidal Control environments?
Yes, you can reuse the same service account JSON key across different Tidal Control instances.
What happens if I disable domain-wide delegation?
The integration will stop working immediately as Tidal Control won't be able to access Workspace admin APIs.
How often does Tidal Control sync Workspace data?
Data is synchronized according to your configured test schedule, typically every few hours.
Common problems
"Authentication failed" errors
- Verify the JSON key file is correctly uploaded
- Check if domain-wide delegation is configured with the correct Client ID
- Confirm the impersonation subject has super admin rights
"API not enabled" errors
- Ensure Admin SDK API is enabled in your Google Cloud project
- Wait a few minutes after enabling APIs before testing the integration
"Permission denied" errors
- Verify OAuth scopes are correctly configured in domain-wide delegation
- Check that the service account email matches the one in your JSON key
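The Client ID, service account email and scope checks listed above can be run locally against the key file and the values entered in domain-wide delegation. This is an added example, not Tidal Control's or Google's code; the helper name `preflight` and the sample key with its values are constructed for illustration.

```python
import json

# Scopes listed in Step 4 of this page; cloud-platform only applies with GCP.
WORKSPACE_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
}
GCP_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample key (placeholder values, not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "tidal-control-workspace@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
})

def preflight(key_json, delegation_client_id, delegation_scopes, with_gcp=False):
    """Hypothetical helper: return a list of mismatches (empty means consistent)."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"key file is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("key 'type' is not 'service_account'")
    for field in ("client_id", "client_email", "private_key"):
        if not key.get(field):
            problems.append(f"key is missing '{field}'")
    # The Client ID pasted into domain-wide delegation must be the key's client_id.
    if key.get("client_id") and key["client_id"] != delegation_client_id.strip():
        problems.append("delegation Client ID does not match key 'client_id'")
    email = key.get("client_email") or ""
    if email and not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    # Compare the comma-separated scope string against what the page documents.
    granted = {s.strip() for s in delegation_scopes.split(",") if s.strip()}
    expected = WORKSPACE_SCOPES | ({GCP_SCOPE} if with_gcp else set())
    problems += [f"missing scope: {s}" for s in sorted(expected - granted)]
    problems += [f"unexpected scope: {s}" for s in sorted(granted - expected)]
    return problems

if __name__ == "__main__":
    scopes = ",".join(sorted(WORKSPACE_SCOPES))
    for line in preflight(SAMPLE_KEY, "100000000000000000001", scopes) or ["consistent"]:
        print(line)
```

Pass `with_gcp=True` only when the GCP integration is also configured; otherwise a delegated `cloud-platform` scope is reported as unexpected.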
Still can't figure it out?
Send an email to support@tidalcontrol.com, and we'll get back to you as soon as possible.
Gather support info: Note which browser you're using, exact error messages, and which steps you've already tried. This speeds up the solution considerably.