Managing organizational units

If you have purchased the organizational units add-on, you can manage organizational units with this connector. Google Workspace uses organizational units to apply different sets of policies to different users. You can assign users to org units without the add-on by using the orgUnitPath string attribute; however, these org units must already exist in the Google Workspace environment. The add-on allows you to dynamically create, update, and delete organizational units, and introduces a new reference attribute on the user object called orgUnit. This ensures users don't get dropped from org units upon renames, and ensures referential integrity when provisioning new objects.

Object class

Once the add-on has been activated, a new object class called orgUnit will appear in the Management Agent object type selection screen. Org units can then be added, modified, and deleted using the management agent.


Attribute name
Data type
Set a value that indicates if the org unit should have its inheritance blocked
The description of the org unit
The display name of the org unit. This value is read only. To rename the org unit, perform a DN rename operation.
The unique ID of the org unit as assigned by Google. This value is read only.
The unique ID of the parent of this org unit as assigned by Google. This value is read only.
The path of the parent org unit. This value is read only. To move an org unit or change its parent, perform a DN rename operation.

DN format and rename operations

The DN of the org unit object matches the representation of the full path of the org unit. All org unit object DNs must start with a forward slash (/).
A top-level org unit called "Lithnet" would have a DN of /Lithnet. A child of the Lithnet org unit would be /Lithnet/Users.
Note that you must create all org units in the structure (or import them from Google Workspace). For example, if you want to create an org unit called /Lithnet/Users, you must also provision an org unit called /Lithnet. If you do not, Google will return a 'parent not found' exception.
To rename an org unit, simply perform a DN rename operation.
To move an org unit from one parent to another, perform a DN rename operation. Again, all parent org units must exist for a rename operation to be successful.
The management agent will do its best to ensure the hierarchy is created in the correct order, but because MIM controls the order of object export, a child may occasionally be provisioned before its parent. These cases should correct themselves automatically on the next export run.
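
The parent-before-child rule above can be checked before an export run. The following is an added example, not part of the management agent: the function names and the /Lithnet/Users/Contractors path are constructed for illustration, and it assumes DNs are compared as exact strings.

```python
# Added example: pre-export check for org unit DNs (not the management agent's code).

def parent_dn(dn):
    """Return the parent path of an org unit DN, or None for a top-level org unit."""
    head = dn.rsplit("/", 1)[0]
    return head or None


def validate_dn(dn):
    """Apply the DN format rule: a full path that starts with a forward slash."""
    if not dn.startswith("/"):
        raise ValueError(f"DN must start with '/': {dn!r}")
    # Assumption: empty path segments (trailing or doubled slashes) are mistakes.
    if dn == "/" or dn.endswith("/") or "//" in dn:
        raise ValueError(f"DN has an empty path segment: {dn!r}")


def plan_export(pending, existing=()):
    """Return (ordered, missing): the pending DNs sorted parent-first, and the
    ancestor DNs that are neither pending nor already present in the directory."""
    pending = set(pending)
    for dn in pending:
        validate_dn(dn)
    known = pending | set(existing)
    missing = set()
    for dn in pending:
        ancestor = parent_dn(dn)
        while ancestor is not None:
            if ancestor not in known:
                missing.add(ancestor)  # would trigger 'parent not found'
            ancestor = parent_dn(ancestor)
    # Fewer path segments first, so every parent precedes its children.
    ordered = sorted(pending, key=lambda d: (d.count("/"), d))
    return ordered, sorted(missing)


if __name__ == "__main__":
    # Constructed sample: /Lithnet itself has not been provisioned or imported.
    ordered, missing = plan_export(["/Lithnet/Users/Contractors", "/Lithnet/Users"])
    print("export order:", ordered)
    print("missing parents:", missing)
```
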

User orgUnit attributes

Without the org unit add-on, assigning users to org units is performed by simply providing a string value to the orgUnitPath property on the user object.
When the org unit add-on is enabled, a new attribute called orgUnit becomes available for selection on the user object. This is a reference attribute, and allows you to reference an org unit object. Using a reference attribute ensures that MIM understands the relationship between the user and the org unit, and can gracefully handle renames and relocations of users within org units.
To assign a user to the top-level organizational unit (/), just leave the orgUnit null, or delete the existing value.

Purchasing the organizational units add-on

We are more than happy to provide 30-day trial licenses on request. Please contact the team at [email protected] for all trial and purchasing enquiries.