# Provisioning With Google Cloud

User provisioning lets you continue to manage your organization's users in one place and have those users populate into StrongDM. Provisioning removes the need to create a duplicate set of users in StrongDM for users that already exist in your identity management service. When provisioning users, the users are set up in the external service and are then synced to StrongDM. Provisioned users cannot be edited individually within StrongDM; changes to provisioned users are made at the source and are synced to StrongDM afterward. These users are given access to resources in the same manner as native users: by assigning them to roles that contain the desired access permissions.

This guide explains how to configure Google Cloud as an identity provider (IdP) for user and group provisioning. Configuration involves creating a Google Cloud service account and setting up the StrongDM Admin UI for provisioning. When done, you can use provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation between Google Cloud and StrongDM.

{% hint style="info" %}
StrongDM does not allow the alteration and/or escalation of [permission levels](/admin/access/permission-level.md) within StrongDM via integrated services. Our intention is to prevent unintended privilege escalation that could have cascading security consequences.
{% endhint %}

### Prerequisites

* You must have a Google super administrator account to complete the service account configuration.
* You must be familiar with [Google group creation](https://support.google.com/a/answer/9400082).

### Create a Service Account

Follow the steps in this section to create a service account. The service account is used to connect to StrongDM. See additional steps in [Google documentation](https://support.google.com/a/answer/7378726).

#### Create a project

In the Google Cloud console, create a new project. After the project is created, make sure to select your project from the **Select from** dropdown list on the Dashboard page.

#### Activate Admin SDK API access

1. In the Google Cloud console, go to **Menu** > **APIs and Services** > **Library**.
2. Search the API library for the **Admin SDK API** and select it.
3. Enable the API for your project.

#### Create a new service account

1. In the Google Cloud console, go to **Menu** > **APIs and Services** > **OAuth consent screen**.
2. Select the **Internal** user type and click **Create**.
3. Configure the remaining OAuth consent screen information, fill out all mandatory fields, and return to the dashboard.
4. From the **APIs and Services** menu, select **Credentials**.
5. Click **Create credentials** and select **Service account**.
6. Fill out the service account details.
7. Select the service account's email address to configure the service account details. The user you are logged in as is the owner of the service account.
8. From the **Keys** tab, add and then create a new JSON key; the key downloads to your computer. You may rename the key for easier identification.
9. From the **Details** tab, copy the **Unique ID**; you use this in the [following step](#enable-domain-delegation).

#### Enable domain delegation

1. Navigate to `admin.google.com`.
2. Go to **Menu** > **Security** > **Access and data control** > **API Controls**.
3. Select **Manage Domain Wide Delegation**.
4. Click **Add new** and paste the **Unique ID** in the **Client ID** field.
5. In the **OAuth Scopes** fields, enter and authorize the following scopes:

   ```plaintext
   https://www.googleapis.com/auth/admin.directory.user.readonly
   https://www.googleapis.com/auth/admin.directory.group.readonly
   https://www.googleapis.com/auth/admin.directory.group.member.readonly
   ```

### Configure Provisioning in the Admin UI

1. Log in to the StrongDM Admin UI.
2. Go to **Settings** > **User Management**.
3. Under **Provisioning**, select **Google** as the provider.
4. Enter the **Designated user email**. This email address must have [appropriate API resource access](https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority).
5. Import or manually enter the **Service account keyfile (JSON)**; this is the service account [JSON file](#create-a-new-service-account) that you downloaded.
6. Click **Activate provisioning**.

   ![](/files/HWyzWU34mz8gCA2ZwgWB)
7. Select groups to import. Information about group creation and management is available in [Google documentation](https://support.google.com/a/answer/9400082).

   ![](/files/SYNl7hFev9W9PX07f8uS)

Provisioning setup is now complete.
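The following example is added here to show what the keyfile from the "Create a new service account" step and the scopes authorized under domain-wide delegation are used for; it is not StrongDM's or Google's code. It checks that the downloaded keyfile has the fields a delegated request needs, refuses any scope outside the three read-only scopes the page authorizes, and builds the JWT claim set that a service account presents to exchange for an access token on behalf of the designated user (`iss` is the service account, `sub` is the designated user, `aud` is the token endpoint). Signing the claim set with the private key is left to a real client library. The keyfile contents, the project name and the designated user address are constructed sample values.

```python
"""Validate a Google service-account keyfile for provisioning and build the
delegated-authority JWT claim set it would present. Added example using only
the standard library. The keyfile below is constructed (no real key material)
and the designated user address is an assumption."""
import json
import time
from typing import Dict, Iterable, List

# The three read-only Admin SDK scopes authorized under domain-wide delegation.
AUTHORIZED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
)

# Fields a delegated token request needs from the downloaded JSON key.
REQUIRED_KEYFILE_FIELDS = ("type", "client_id", "client_email", "private_key", "token_uri")

# Constructed sample keyfile, shaped like the JSON key downloaded from the Keys tab.
# The numeric client_id is the value shown as "Unique ID" on the Details tab and
# pasted into the Client ID field of the domain-wide delegation page.
SAMPLE_KEYFILE = json.dumps({
    "type": "service_account",
    "project_id": "example-provisioning",            # constructed
    "client_id": "123456789012345678901",             # constructed
    "client_email": "sdm-provisioner@example-provisioning.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def validate_keyfile(raw: str) -> Dict[str, str]:
    """Parse the keyfile and confirm it is a service-account key with every required field."""
    data = json.loads(raw)
    missing = [field for field in REQUIRED_KEYFILE_FIELDS if not data.get(field)]
    if missing:
        raise ValueError(f"keyfile is missing required fields: {missing}")
    if data["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got type {data['type']!r}")
    return data


def unauthorized_scopes(requested: Iterable[str],
                        authorized: Iterable[str] = AUTHORIZED_SCOPES) -> List[str]:
    """Return requested scopes that were not delegated. A non-empty result means
    the request either fails at Google or asks for more than read-only access."""
    return sorted(set(requested) - set(authorized))


def build_delegated_claims(keyfile: Dict[str, str], designated_user: str,
                           scopes: Iterable[str], now: int = None) -> Dict[str, object]:
    """Build the JWT claim set for a domain-wide-delegation token request.

    iss: the service account; sub: the designated user being impersonated;
    aud: the token endpoint; exp: at most one hour after iat.
    """
    scopes = list(scopes)
    extra = unauthorized_scopes(scopes)
    if extra:
        raise ValueError(f"scopes not authorized under domain-wide delegation: {extra}")
    now = int(time.time()) if now is None else now
    return {
        "iss": keyfile["client_email"],
        "sub": designated_user,
        "scope": " ".join(scopes),
        "aud": keyfile["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


if __name__ == "__main__":
    key = validate_keyfile(SAMPLE_KEYFILE)
    # "admin@example.com" stands in for the Designated user email (assumption).
    print(json.dumps(build_delegated_claims(key, "admin@example.com", AUTHORIZED_SCOPES), indent=2))
```

The scope check is the part worth keeping in any tooling around this setup: the service account should never be granted, or request, more than the three read-only scopes, since provisioning only reads users, groups and memberships.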

### Provisioning Management in the Admin UI

The Admin UI's **Provisioning** section provides important information about your provisioning configuration.

![](/files/4irPtMvckOa4s0YYQgpq)

After you are done configuring Google Cloud provisioning, you can view and manage your setup using the following buttons.

* **Edit configuration** lets you make changes to your provisioning configuration.
* **Sync now** checks for changes in Google Cloud and synchronizes groups. Organizations configured with Google provisioning automatically sync every 15 minutes. That means that changes in Google group memberships may not be reflected immediately in StrongDM. Please be patient while waiting for the periodic sync to complete.
* **View and manage groups** displays all groups selected for provisioning and allows you to change your group selection.
* **Deactivate provisioning** disables provisioning and converts every Google Cloud-managed user and role into a StrongDM-managed user and role. Deactivation does not delete or suspend users or roles, and it does not change access. Deactivation simply means that Google Cloud can no longer provision accounts and roles in StrongDM.

{% hint style="warning" %}
If you deactivate Google Cloud provisioning and later activate it again, groups must be reselected.
{% endhint %}

#### Provisioning properties

The following table describes the properties shown in the **Provisioning** section. All properties are read-only.

| Property              | Description                                                                |
| --------------------- | -------------------------------------------------------------------------- |
| Designated user email | User's Google email address                                                |
| Established           | When provisioning was activated                                            |
| Group Selection       | Number of groups currently selected and the last time groups were selected |
| Last Activity         | Last time changes were found in Google Cloud and applied in StrongDM       |
| Last Sync             | Last time the sync ran to check for changes in Google Cloud                |
| Provider              | Name of identity provider (in this case, Google)                           |

#### Information about groups, roles, and users

Google groups correspond to StrongDM roles. When a Google group is selected for provisioning, a role with the same name is provisioned in StrongDM, and all members of that group are provisioned as users assigned to that role.

When configuring provisioning in the Admin UI, you must select groups for provisioning in order to get roles provisioned within StrongDM. If you don't select groups, they are not provisioned. The same rule applies when a group has member groups within it—you must select every group and member group in order to get those roles provisioned within StrongDM. Examples 1 and 2 illustrate how selected groups are provisioned as roles and how users are assigned to the roles.

**Example 1 group and role assignment**

In the example shown, the Engineering group is selected for provisioning.

![](/files/SKdldXZKBjctp7K8ZmMg)

This selection causes only the Engineering role to be created. Only the members of Engineering are provisioned as users assigned to the Engineering role. No one from the Marketing group is provisioned.

| Users in    | Have role(s) |
| ----------- | ------------ |
| Back End    | Engineering  |
| Core Team   | Engineering  |
| Data        | Engineering  |
| Engineering | Engineering  |
| Front End   | Engineering  |
| Marketing   | None         |
| QA          | Engineering  |
| UX Team     | Engineering  |

**Example 2 group and role assignment**

In the example shown, the following groups are selected for provisioning:

* Engineering group
* Back End (a member group of Engineering)
* Core Team (a member group of Back End)

![](/files/kxrBxnCsTgTSOVEYU7Oo)

This selection causes three roles to be provisioned in StrongDM with the following users assigned to them:

| Users in    | Have role(s)                     |
| ----------- | -------------------------------- |
| Back End    | Engineering, Back End            |
| Core Team   | Engineering, Back End, Core Team |
| Data        | Engineering                      |
| Engineering | Engineering                      |
| Front End   | Engineering                      |
| Marketing   | None                             |
| QA          | Engineering, Back End            |
| UX Team     | Engineering                      |
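To make the rule behind Examples 1 and 2 concrete, here is an added example (not StrongDM's implementation) that computes which roles each group member receives from a given group selection: a selected group becomes a role, and every transitive member of that group, including members of unselected nested groups, is assigned to it. The group hierarchy and the user names are constructed so that the result reproduces both tables above; the exact nesting shown in the page's screenshots is an assumption inferred from those tables.

```python
"""Compute StrongDM role assignments from a Google group selection.
Added example; not StrongDM's code. The hierarchy below is constructed to be
consistent with the Example 1 and Example 2 tables."""
from typing import Dict, List, Optional, Set

# Constructed hierarchy: group -> direct user members and direct member groups.
# Engineering contains Back End, Data, Front End and UX Team; Back End contains
# Core Team and QA; Marketing stands alone. One sample user per group.
GROUPS: Dict[str, Dict[str, List[str]]] = {
    "Engineering": {"users": ["eng-lead"], "groups": ["Back End", "Data", "Front End", "UX Team"]},
    "Back End":    {"users": ["backend-dev"], "groups": ["Core Team", "QA"]},
    "Core Team":   {"users": ["core-dev"], "groups": []},
    "QA":          {"users": ["qa-eng"], "groups": []},
    "Data":        {"users": ["data-eng"], "groups": []},
    "Front End":   {"users": ["frontend-dev"], "groups": []},
    "UX Team":     {"users": ["ux-designer"], "groups": []},
    "Marketing":   {"users": ["marketer"], "groups": []},
}


def transitive_members(group: str, groups: Dict[str, Dict[str, List[str]]],
                       seen: Optional[Set[str]] = None) -> Set[str]:
    """All users reachable from `group` through nested member groups.
    `seen` guards against cyclic group memberships, which Google permits."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    spec = groups[group]
    users = set(spec["users"])
    for child in spec["groups"]:
        users |= transitive_members(child, groups, seen)
    return users


def provision(selected: List[str],
              groups: Dict[str, Dict[str, List[str]]]) -> Dict[str, Set[str]]:
    """Map each user to the roles they receive. Only selected groups become roles;
    an unselected group creates no role even when it sits between two selected ones."""
    roles: Dict[str, Set[str]] = {}
    for group in selected:
        if group not in groups:
            raise KeyError(f"selected group {group!r} does not exist in the directory")
        for user in transitive_members(group, groups):
            roles.setdefault(user, set()).add(group)
    return roles


def roles_by_group(selected: List[str],
                   groups: Dict[str, Dict[str, List[str]]]) -> Dict[str, Set[str]]:
    """Table form used on the page: for each group, the roles its direct users hold."""
    user_roles = provision(selected, groups)
    table: Dict[str, Set[str]] = {}
    for name, spec in groups.items():
        held: Set[str] = set()
        for user in spec["users"]:
            held |= user_roles.get(user, set())
        table[name] = held
    return table


if __name__ == "__main__":
    for label, selection in (("Example 1", ["Engineering"]),
                             ("Example 2", ["Engineering", "Back End", "Core Team"])):
        print(label)
        for name, held in sorted(roles_by_group(selection, GROUPS).items()):
            print(f"  {name:<12} {', '.join(sorted(held)) or 'None'}")
```

Running the script prints both tables; the one thing the code makes explicit that the tables only imply is that membership flows upward through every nested group whether or not that intermediate group was selected, so selecting a parent group grants its role to users several levels down.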

### Troubleshooting and Tips

This section describes some common sync errors that may occur when **Sync now** is selected. These errors are expected behaviors. Please see our recommended solutions.

#### Error: A user email set up for Google provisioning exists in a separate StrongDM organization

Recommended solution: A user email that exists in one StrongDM organization may not be provisioned into another StrongDM organization. We recommend using different Google workspaces to provision multiple organizations within StrongDM.

#### Error: Google user email is changed to match an existing StrongDM user email

Recommended solution: Keep each user email unique between StrongDM and Google. If you want to provision a new user from Google that already exists in StrongDM, the Google user takes ownership of the existing StrongDM user (that is, manages it and adds additional Google-specific information).

#### Error: Google user group is updated to match an existing role in StrongDM

Recommended solution: Keep each group/role name unique between StrongDM and Google. If you want to provision a new group/role from Google that already exists in StrongDM, the Google group takes ownership of the existing StrongDM role (that is, manages it and adds additional Google-specific information).
