Google Workspace

Configuring Google Workspace integration

Tidal Control's Google Workspace integration monitors your organisation's users, groups, and admin settings for compliance purposes.

What this integration monitors:

  • Users: Account status, permissions, and security settings
  • Groups: Membership and access controls
  • Admin settings: Security policies and configurations

Requirements:

  • Super User role in Tidal Control
  • Google Workspace super admin rights
  • Access to Google Cloud Console and Admin Console

Configuration step-by-step plan

What we're going to do: We'll create a Google service account with the necessary permissions to access your Google Workspace admin data through secure APIs. If you also want to set up GCP, we'll add the required GCP configuration at each step.

Configuration steps:

  1. Create service account
  2. Generate JSON key and assign role
  3. Set up domain-wide delegation
  4. Configure API scopes
  5. Enable APIs
  6. Configure integrations

Step 1: Create service account

  • Go to Google Cloud Console at https://console.cloud.google.com
  • Log in with an account that has project access
  • Select your Google Cloud project in the project selector
  • Navigate to IAM & Admin → Service Accounts
  • Click "+ CREATE SERVICE ACCOUNT"
  • Fill in service account details:
    • Service account name: Tidal Control Workspace
    • Service account ID: tidal-control-workspace
    • Description: Service account for Tidal Control Google Workspace monitoring

Step 2: Generate JSON key and assign role

  • Skip role assignment by clicking "Continue" twice
  • Click "Done" to create service account
  • Select new service account from list
  • Go to "KEYS" tab
  • Click "ADD KEY" → "Create new key"
  • Select JSON format
  • The JSON file downloads automatically to your computer
  • Store file securely - needed for integration setup

For GCP, add this:

  • Go to IAM & Admin → IAM in Google Cloud Console
  • Click "+ GRANT ACCESS"
  • Enter your service account email (format: name@project.iam.gserviceaccount.com)
  • Select role: Basic → Viewer
  • Click "Save"

Step 3: Set up domain-wide delegation

  • Go back to service account details
  • Click "Advanced settings" section to expand
  • Copy Client ID (save for next step)
  • Note service account email (format: name@project.iam.gserviceaccount.com)
  • Click "VIEW GOOGLE WORKSPACE ADMIN CONSOLE"
  • Navigate to Security → Access and data control → API controls
  • Click "MANAGE DOMAIN WIDE DELEGATION"

Step 4: Configure API scopes

  • Click "Add new" in domain-wide delegation
  • Paste Client ID (from step 3)
  • Enter OAuth Scopes (comma separated):
    https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group
    
  • Click "AUTHORISE" to assign permissions

For GCP, add this:

  • Update OAuth Scopes to include GCP access:
    https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/cloud-platform
    

Step 5: Enable APIs

  • Return to Google Cloud Console
  • Navigate to APIs & Services → Library
  • Search for the following API:
    • Admin SDK API
  • Click "ENABLE" for the API

For GCP, add this:

  • Enable additional APIs:
    • Identity and Access Management (IAM) API
    • Cloud Resource Manager API

Step 6: Configure integrations

  • Go to Settings → Integrations in Tidal Control
  • Click the plus icon next to Google Workspace
  • Fill in configuration:
    • Name: Google Workspace
    • Service Account JSON: Upload or paste contents of JSON file
  • Click "Create" to save integration

For GCP, add this:

  • Click the plus icon next to Google Cloud Platform
  • Fill in configuration:
    • Name: GCP Production Account
    • Domain: Your Google Workspace domain (e.g. company.com)
    • Impersonation Subject: Admin email for delegation (e.g. admin@company.com)
    • Service Account JSON: Upload same JSON file
  • Click "Create" to save integration

Tip

One service account, two integrations: You can use the same JSON key file for both the Google Workspace and GCP integrations.

Configuration fields explained

Service Account JSON:

  • Contains authentication credentials for your service account
  • Downloaded in step 2 during service account creation
  • Keep this file secure - it provides access to your Google environment

For GCP integration (optional):

Domain:

  • Your Google Workspace domain name
  • For example: company.com, organisation.org
  • Needed for domain-wide delegation to Workspace resources

Impersonation Subject:

  • Email of Google Workspace admin that service account may impersonate
  • Must have super admin rights in Google Workspace
  • For example: admin@company.com, it-admin@organisation.org
  • Needed for access to Workspace admin APIs

Verification

Check integration status:

  • Settings → Integrations shows "Connected" status for Google Workspace
  • Google Workspace test available in Tests section
  • Test refresh delivers results without authentication errors

Warning

JSON key security: Store the JSON key file securely - it provides access to your Google environment and cannot be downloaded again.

Frequently asked questions

Can I use the same service account for multiple Tidal Control environments?
Yes, you can reuse the same service account JSON key across different Tidal Control instances.

What happens if I disable domain-wide delegation?
The integration will stop working immediately as Tidal Control won't be able to access Workspace admin APIs.

How often does Tidal Control sync Workspace data?
Data is synchronized according to your configured test schedule, typically every few hours.

Common problems

"Authentication failed" errors

  • Verify the JSON key file is correctly uploaded
  • Check if domain-wide delegation is configured with the correct Client ID
  • Confirm the impersonation subject has super admin rights

"API not enabled" errors

  • Ensure Admin SDK API is enabled in your Google Cloud project
  • Wait a few minutes after enabling APIs before testing the integration

"Permission denied" errors

  • Verify OAuth scopes are correctly configured in domain-wide delegation
  • Check that the service account email matches the one in your JSON key
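
The checks listed in this section can be run locally before the key is uploaded. This is an added example, not Tidal Control's or Google's code: the function names are hypothetical, the key in demo() is constructed with placeholder values, and the expected scopes are the ones from step 4.

```python
import json
import os
import stat
import tempfile

# Scopes from step 4 of this page; cloud-platform applies only to the GCP variant.
WORKSPACE_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
}
GCP_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

def check_key_file(path):
    """Return (info, problems); info never contains the private key."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"file mode {mode:o} lets group/others read the key; use 600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        problems.append("'type' is not 'service_account'")
    for field in ("client_id", "client_email", "private_key"):
        if not key.get(field):
            problems.append(f"missing field: {field}")
    return {f: key.get(f) for f in ("client_id", "client_email")}, problems

def check_delegation(info, entered_client_id, entered_scopes, with_gcp=False):
    """Compare the values typed into domain-wide delegation with the key and step 4."""
    problems = []
    if entered_client_id.strip() != info["client_id"]:
        problems.append("Client ID does not match the key's client_id")
    entered = {s.strip() for s in entered_scopes.split(",") if s.strip()}
    expected = WORKSPACE_SCOPES | ({GCP_SCOPE} if with_gcp else set())
    problems += [f"missing scope: {s}" for s in sorted(expected - entered)]
    problems += [f"scope not listed in step 4: {s}" for s in sorted(entered - expected)]
    return problems

def demo():
    # Constructed key with placeholder values, not a real credential.
    key = {"type": "service_account", "client_id": "100000000000000000001",
           "client_email": "name@project.iam.gserviceaccount.com", "private_key": "PLACEHOLDER"}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(key, fh)
    os.chmod(fh.name, 0o644)  # simulate a key file left readable by other users
    info, problems = check_key_file(fh.name)
    problems += check_delegation(info, key["client_id"], ",".join(WORKSPACE_SCOPES))
    os.remove(fh.name)
    return info, problems
```

Pass the Client ID and scope string exactly as they appear in the domain-wide delegation entry; an empty list from check_delegation means they agree with the key file and step 4.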

Still can't figure it out?

Send an email to support@tidalcontrol.com, and we'll get back to you as soon as possible.

Info

Gather support info: Note which browser you're using, exact error messages, and which steps you've already tried. This speeds up the solution considerably.
