Installing the Management Agent
After [[creating and authorizing a Google Workspace service account]], you can install the management agent. Download the latest version from the releases and run the installer on the server that has the FIM synchronization service installed.
Once the management agent has been installed, you may need to restart the FIM Synchronization Service Client application if you do not see the Google Apps (Lithnet) management agent type listed.
Customer ID
If you want to manage a specific customer ID, you can provide that here; otherwise use my_customer, which defaults to the customer ID of the provided service account
Primary domain
Enter the primary domain name for the Google Workspace instance
Service account email address
The service account address obtained during the [[creating and authorizing a Google Workspace service account]] process
User email address
The actual email address of the user account in the domain with administrative rights
Key file
The P12 file obtained during the [[creating and authorizing a Google Workspace service account]] process
Key file password
The password to the P12 file
Log file path
A path where the management agent operation and password change logs will be written
The Google Workspace API data structures present some challenges when it comes to integrating with FIM. Certain data types form complex arrays that are difficult to present in a flat directory structure. The management agent handles this by requiring you to declare up front which types of those complex fields you want to manage.
For example, Google Workspace allows you to have multiple 'organizations' per user. Each organization has a set of values that you can set (see the API documentation for full details).
The management agent allows you to specify the 'type' of organizations you want to expose. For example, if you provide the type 'work', the management agent will make the following attributes available
You can add as many other types to the list as you like. One limitation of the MA is that you can only have one of each type. For example, you cannot have more than one 'work' type of organization.
If you declare phone numbers with a 'work', 'home' and 'mobile' type, the following attributes would be available in the MA
If no types are specified for a field, then no attributes will be available in the MA for that type. For example, in the image below, there are no types set for 'IM Address', therefore, no IM Address attributes will be present in the MA.
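The following sketch shows the idea of projecting typed arrays onto flat attributes. It is an added example, not the management agent's own code: the `<field>_<type>_<property>` attribute names, the keep-the-first handling of duplicate types, and the sample user are assumptions made for illustration.

```python
# Constructed sample of a Directory API user resource (only the fields used here).
USER = {
    "primaryEmail": "alice@example.com",
    "organizations": [
        {"type": "work", "name": "Example Corp", "title": "Engineer"},
        {"type": "school", "name": "Example University", "title": "Student"},
    ],
    "phones": [
        {"type": "work", "value": "+1 555 0100"},
        {"type": "mobile", "value": "+1 555 0101"},
        {"type": "work", "value": "+1 555 0102"},
    ],
}

# Types declared up front for each complex field, as on the configuration page.
DECLARED = {"organizations": ["work"], "phones": ["work", "home", "mobile"]}


def flatten(user, declared):
    """Project typed arrays onto flat attributes; return (attributes, warnings)."""
    attrs, warnings = {}, []
    for field, types in declared.items():
        seen = set()
        for entry in user.get(field, []):
            etype = entry.get("type")
            if etype not in types:
                # Undeclared types get no attributes at all.
                warnings.append(f"{field}: type '{etype}' not declared, not exposed")
                continue
            if etype in seen:
                # Only one entry of each type fits a flat schema (assumed: first wins).
                warnings.append(f"{field}: second '{etype}' entry cannot be represented")
                continue
            seen.add(etype)
            for key, value in entry.items():
                if key != "type":
                    # Hypothetical naming scheme: <field>_<type>_<property>
                    attrs[f"{field}_{etype}_{key}"] = value
    return attrs, warnings


if __name__ == "__main__":
    attributes, notes = flatten(USER, DECLARED)
    for name in sorted(attributes):
        print(name, "=", attributes[name])
    for note in notes:
        print("warning:", note)
```

Running a check like this over an export of existing users before choosing types shows which entries would fall outside the declared set or collide on a type.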
You can choose to have the MA render certain attributes as either reference attributes, or string values. You should normally use reference attributes to enforce strong referential integrity between objects, but in certain cases, you may prefer to deal with these attributes as strings. If you choose to render these attributes as strings, FIM can no longer maintain referential integrity and you will have to deal with this manually.
The MA supports creating custom classes of user objects. These are presented to FIM as discrete object types, while in the Google directory they are all standard user objects. To take advantage of custom classes, you must deploy a new custom schema in Google called LithnetGoogleAppsMA, and it must have a single-valued STRING attribute named objectType. Once this has been created, a text box will appear on this screen giving you the option to list the object types you want to manage.
Enabling advanced user attributes enables managing delegate and send-as settings. However, this can significantly slow down full imports, because a separate API call must be made for every user during the import process for each of these selected attributes.
Make new SendAs addresses default - Check this option to set the Default flag for newly created send-as addresses. It will not affect already added send-as addresses.
The MA allows you to define regular expression filters that apply to email addresses of groups, users, and contacts being imported. Only objects with addresses that match the filter will be imported.
To include all objects, leave these fields blank.
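Because the filter decides which objects the MA brings under management, it is worth testing a pattern against known addresses before saving it. The script below is an added example, not part of the MA: it assumes the filter is applied as an unanchored, case-insensitive search, and the addresses and domains are constructed placeholders.

```python
import re

# Constructed sample addresses; all domains are placeholders.
SAMPLE_ADDRESSES = [
    "alice@example.com",
    "bob@staff.example.com",
    "carol@example.com.other.test",
    "dave@notexample.com",
    "eve@exampleXcom",
]


def imported(pattern, addresses):
    """Return the addresses a filter would let through.

    Assumption: the filter is an unanchored search, so a pattern matches
    if it occurs anywhere in the address.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [a for a in addresses if rx.search(a)]


def lint(pattern):
    """Heuristic check for common scoping mistakes in an address filter."""
    findings = []
    if not pattern.endswith("$"):
        findings.append("no trailing $: text after the domain is accepted")
    if re.search(r"(?<!\\)\.(?![*+?{])", pattern):
        findings.append("unescaped '.': matches any character, not a literal dot")
    if "@" not in pattern:
        findings.append("no '@': domain can match inside a longer domain name")
    return findings


LOOSE = r"example.com"
STRICT = r"^[^@]+@example\.com$"
WITH_SUBDOMAINS = r"^[^@]+@([a-z0-9-]+\.)*example\.com$"

if __name__ == "__main__":
    for pattern in (LOOSE, STRICT, WITH_SUBDOMAINS):
        print(pattern, "->", imported(pattern, SAMPLE_ADDRESSES), lint(pattern))
```

The loose pattern lets all five sample addresses through, including the lookalike domains, while the anchored patterns admit only the intended ones.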
Optionally you can choose to exclude groups that are user-created from being seen by the MA.
You can specify a filter to restrict your user search to certain OUs within Google Workspace. Refer to Google's API documentation for more information.
Google Groups allows different levels of membership: MEMBER, MANAGER, or OWNER. When this setting is disabled, a user will appear in only one of the member, manager, or owner attributes. When enabled, users with the MANAGER role will appear in both the member and manager attribute lists, and users with the OWNER role will appear in the member, manager, and owner lists.
If you enable this setting, users will receive an email notification from Google when they are added to a calendar. If it is not selected, users are granted access to calendar resources without notification from Google.
Contact objects require a prefix on their email address to ensure that they don't conflict with a real user or group in the directory. You can customize this prefix, but in most cases, it's OK to leave it as the default of custom.
Skipping import of students and teachers on ARCHIVED Courses can speed up import if you have many Archived course objects.