Google Workspace Capabilities
Last updated: October 7, 2024
After this article...
You'll understand the capabilities our Google Workspace integration provides, and how Lumos interacts with the Google Workspace API.
View users
The mapping between Google Workspace user statuses and Lumos user account statuses is below.
Google Workspace User Status | Lumos Account Status | Lumos User Status* |
active | Active | Active |
suspended | Suspended | Suspended |
archived | Archived | Inactive |
deleted (Google Workspace no longer returns a user) | Deprovisioned | Suspended |
* If you're using Google Workspace as your Source of Truth
Google Workspace API endpoint: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users
View a user's entitlements
Lumos can retrieve the following user entitlements from Google Workspace.
Role - Determines whether the user is an Administrator or Delegated Administrator, as determined by the fields isAdmin or isDelegatedAdmin in Google Workspace.
Groups - The Google Workspace Groups to which the employee belongs.
Google Workspace API endpoints:
Role: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users
Groups: https://developers.google.com/admin-sdk/directory/v1/guides/manage-group-members
View a user's OAuth applications
Lumos can retrieve the applications a user has signed into with their Google account via OAuth and surface them as Gsuite oauth applications.
You can filter for these types of applications or accounts using the Source column in any page where it's available.
A few notes about discovered OAuth applications:
The existence of an OAuth-discovered account for an employee does not guarantee they still have an active account in the service. You'll need to validate the employee's account status with the application admins to confirm.
Today, we do not surface the last time the OAuth token was used.
Google Workspace API endpoint: https://developers.google.com/admin-sdk/directory/reference/rest/v1/tokens/list (we use the displayText to get the app name and clientId to uniquely identify the app)
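An added example (not Lumos's own code) that builds the OAuth application inventory this section describes from tokens.list responses, keyed by clientId with displayText as the label, and lets you ask which discovered apps hold a given scope. It assumes google-api-python-client's directory.tokens().list(userKey=...) as the source of each response; the responses here are constructed inline so the block runs offline.

```python
from typing import Any, Dict, List

def build_app_inventory(tokens_by_user: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Group every user's OAuth tokens by clientId.

    Input:  {user_email: tokens.list response}, each response of the form
            {"items": [Token, ...]} or {} when the user has no tokens.
    Output: {clientId: {"name": displayText, "users": [emails], "scopes": set()}}.
    clientId is the key because it is stable; displayText is only a label.
    """
    inventory: Dict[str, Dict[str, Any]] = {}
    for user, response in tokens_by_user.items():
        for token in response.get("items", []):
            client_id = token["clientId"]
            app = inventory.setdefault(
                client_id,
                {"name": token.get("displayText", client_id), "users": [], "scopes": set()},
            )
            if user not in app["users"]:
                app["users"].append(user)
            app["scopes"].update(token.get("scopes", []))
    return inventory

def apps_with_scope(inventory: Dict[str, Dict[str, Any]], fragment: str) -> List[str]:
    """clientIds of apps that hold at least one scope containing `fragment`,
    e.g. "mail.google.com" to find apps granted full Gmail access."""
    return sorted(cid for cid, app in inventory.items()
                  if any(fragment in scope for scope in app["scopes"]))

# Constructed sample responses in the shape of the Token resource (clientId,
# displayText, scopes); real ones come from directory.tokens().list(userKey=email).execute().
SAMPLE_TOKENS = {
    "alice@example.com": {"items": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Acme Notes",
         "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
        {"clientId": "222.apps.googleusercontent.com", "displayText": "MailHelper",
         "scopes": ["https://mail.google.com/"]},
    ]},
    "bob@example.com": {"items": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Acme Notes",
         "scopes": ["https://www.googleapis.com/auth/drive"]},
    ]},
    "carol@example.com": {},  # no tokens: the API response has no "items" key
}

if __name__ == "__main__":
    inv = build_app_inventory(SAMPLE_TOKENS)
    for cid, app in inv.items():
        print(f"{app['name']:<12} {cid}  users={len(app['users'])}  scopes={sorted(app['scopes'])}")
    print("apps with full Gmail access:", apps_with_scope(inv, "mail.google.com"))
```

As the notes above say, a token's presence does not prove the user still has an account in the app, and the Token resource carries no last-used timestamp, so treat this inventory as a starting point for validation with the application admins.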
View a user's last login
In Lumos, the Last Login value represents the last time the user logged into Google Workspace.
Google Workspace API endpoint: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users (we use lastLoginTime)
Archive a user
AppStore | Offboarding | Access Reviews | License Management |
N/A | ✅ | ❌ | ✅ |
In Lumos, archiving a Google Workspace user changes their Account Status to "Suspended" during the next Google Workspace sync (it can instead change to "Archived" if you prefer; see the status mapping above for details).
In Google Workspace, we log the employee out of all active sessions, then we archive their account. This assigns them an Archived User license. More information on the implications of archiving can be found here.
This action reclaims a standard license in Google Workspace and assigns the user an Archived User license (which costs less).
Google Workspace API endpoints:
User Signout: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/signOut
Archive: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update (we set archived to True)
Suspend a user
AppStore | Offboarding | Access Reviews | License Management |
N/A | ✅ | ✅ | ✅ |
In Lumos, suspending a Google Workspace user marks their Account Status as "Suspended".
In Google Workspace, we first sign the user out of all their sessions, then suspend their account. Suspending an account does not delete any of the user's data, but it prevents them from logging in. A suspended account can be restored. More information on what happens when an account is suspended can be found here.
This action does not reclaim a license in Google Workspace.
Google Workspace API endpoints:
User Signout: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/signOut
Suspend: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update (we set suspended to True)
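The sign-out-then-update sequence the Archive and Suspend sections describe, as an added example that is not Lumos's code. It assumes a google-api-python-client Directory service for the directory argument (users().signOut and users().update are that library's methods); ACTIONS, offboard, _Request and FakeDirectory are names of this example, and the fake client records executed calls so the block runs offline and the ordering can be checked.

```python
from typing import Any, Callable, Dict, List, Tuple

# Body sent to users.update for each action: exactly the flags the page names.
ACTIONS: Dict[str, Dict[str, bool]] = {
    "archive": {"archived": True},
    "suspend": {"suspended": True},
}

def offboard(directory: Any, user_key: str, action: str) -> Dict[str, Any]:
    """Sign the user out of all sessions, then set the archived/suspended flag.

    `directory` is a Directory API client (a googleapiclient discovery service,
    or the fake below). The order is the one the page describes: sessions are
    revoked before the account state changes. Returns the updated user resource.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {sorted(ACTIONS)}")
    users = directory.users()
    users.signOut(userKey=user_key).execute()                              # POST .../users/{userKey}/signOut
    return users.update(userKey=user_key, body=ACTIONS[action]).execute()  # PUT  .../users/{userKey}

class _Request:
    """Stand-in for googleapiclient's HttpRequest: nothing happens until execute()."""
    def __init__(self, log: List[Tuple[str, Dict[str, Any]]], name: str,
                 kwargs: Dict[str, Any], run: Callable[[], Dict[str, Any]]):
        self.log, self.name, self.kwargs, self.run = log, name, kwargs, run
    def execute(self) -> Dict[str, Any]:
        self.log.append((self.name, self.kwargs))
        return self.run()

class FakeDirectory:
    """In-memory Directory API supporting users().signOut() and users().update();
    records every executed call in order so the sequence can be verified."""
    def __init__(self, users: Dict[str, Dict[str, Any]]):
        self.state = users
        self.calls: List[Tuple[str, Dict[str, Any]]] = []
    def users(self) -> "FakeDirectory":
        return self
    def signOut(self, userKey: str) -> _Request:
        return _Request(self.calls, "signOut", {"userKey": userKey}, lambda: {})
    def update(self, userKey: str, body: Dict[str, Any]) -> _Request:
        def apply() -> Dict[str, Any]:
            self.state[userKey].update(body)
            return dict(self.state[userKey])
        return _Request(self.calls, "update", {"userKey": userKey, "body": body}, apply)

if __name__ == "__main__":
    fake = FakeDirectory({"alice@example.com": {"primaryEmail": "alice@example.com",
                                                 "suspended": False, "archived": False}})
    print(offboard(fake, "alice@example.com", "suspend"))
    print([name for name, _ in fake.calls])  # ['signOut', 'update']
```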
Deprovision a user
AppStore | Offboarding | Access Reviews | License Management |
N/A | ✅ | ✅ | ✅ |
In Lumos, deprovisioning a Google Workspace user marks their Account Status as "Deprovisioned".
In Google Workspace, this action permanently removes the user and their data. More information on the data and how it's handled can be found here. We recommend that you transfer the user's data before deprovisioning them.
This action reclaims a license in Google Workspace.
Google Workspace API endpoint: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/delete
Manage group memberships
AppStore | Offboarding | Access Reviews | License Management |
✅ | ❌ | ❌ | ✅* |
* Available only in Inactivity Workflows 101
In Lumos, adding a user to or removing a user from a Google Workspace group updates the Groups column for that account on the next Google Workspace sync (it does not update in real time).
In Google Workspace, this action adds the user's account to or removes it from the relevant group.
Google Workspace API endpoints:
Add to Group: https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/insert
Remove from Group: https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/delete
Change organizational unit
AppStore | Offboarding | Access Reviews | License Management |
N/A | ✅ | ❌ | ✅* |
* Available only in Inactivity Workflows 101
In Lumos, changing a Google Workspace user's organizational unit has no impact on account data.
In Google Workspace, this action changes the user's organizational unit (OU).
Google Workspace API endpoint: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update (we change the orgUnitPath)
Transfer data
AppStore | Offboarding | Access Reviews | License Management |
N/A | ✅ | ❌ | ✅* |
* Available only in Inactivity Workflows 101
In Lumos, transferring a Google Workspace user's data to another user has no impact on data in Lumos. This can only be executed during Offboarding and Inactivity Workflows.
In Google Workspace, this action transfers the following resources from one user to another.
Google Group ownership - We add the target user to the new group as an OWNER if they aren't already.
Google Calendar ownership - The target user gets a calendar called "Transferred from <from_user_email>".
Google Drive file + folder ownership (public + private content) - The target user gets ownership of private files, but ownership of shared files is not transferred.
Google Workspace API endpoints:
Group Ownership: https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/insert
Transfer Data: https://developers.google.com/admin-sdk/data-transfer/v1/transfer-data
We specify Calendar and Drive and Docs as the applications to transfer. For Calendar, we release resources from the old calendar.
Reroute email
AppStore | Offboarding | Access Reviews | License Management |
✅ | ✅ | N/A | ✅* |
* Available only in Inactivity Workflows 101
In Lumos, transferring data has no impact on the user's account data.
In Google Workspace, this action does the following:
Sets POP and IMAP settings as invalid
Reroutes incoming email to the new user - We re-alias the email of the current user as <email>_invalid_by_lumos@yourcompany.com, create a Google Group with the email of the current user, then add the newly-created "invalid_by_lumos" email and the target user's email to the new group.
Google Workspace API endpoints:
POP Settings: https://googleapis.github.io/google-api-python-client/docs/dyn/gmail_v1.users.settings.html#updatePop (the access_window is set to disabled)
IMAP Settings: https://googleapis.github.io/google-api-python-client/docs/dyn/gmail_v1.users.settings.html#updateImap (enabled is set to false)
Create Group: https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups
Add Users To Group: https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/insert