Installing the Management Agent
After creating and authorizing a Google Workspace service account, you can install the management agent. Download the latest version from the releases and run the installer on the server that has the FIM synchronization service installed.
Create Management Agent
Once the management agent has been installed, you may need to restart the FIM Synchronization Service Client application if you do not see the Google Apps (Lithnet) management agent type listed.
Connectivity
Schema
Fixed data types
The Google Workspace API data structures present some challenges when it comes to integrating with FIM. Certain data types form complex arrays that are difficult to present in a flat directory structure. The management agent handles this by requiring you to declare up front which types of those complex fields you want to manage.
For example, Google Workspace allows you to have multiple 'organizations' per user. Each organization has a set of values that you can set (see the API documentation for full details).
The management agent allows you to specify the 'type' of organizations you want to expose. For example, if you provide the type 'work', the management agent will make the following attributes available
You can add as many other types to the list as you like. One limitation of the MA is that you can only have one of each type. For example, you cannot have more than one 'work' type of organization.
If you declare phone numbers with a 'work', 'home' and 'mobile' type, the following attributes would be available in the MA
If no types are specified for a field, then no attributes will be available in the MA for that type. For example, in the image below, there are no types set for 'IM Address', therefore, no IM Address attributes will be present in the MA.
Reference attribute types
You can choose to have the MA render certain attributes as either reference attributes, or string values. You should normally use reference attributes to enforce strong referential integrity between objects, but in certain cases, you may prefer to deal with these attributes as strings. If you choose to render these attributes as strings, FIM can no longer maintain referential integrity and you will have to deal with this manually.
Custom schema
The MA supports creating custom classes of user objects. These are presented to FIM as discrete object types, while in the Google directory, they are all standard user objects. In order to take advantage of custom classes, you must deploy a new custom schema in Google called LithnetGoogleAppsMA, and it must have a single-valued STRING attribute named objectType. Once this has been created, a text box will appear on this screen giving you the option to list the object types you want to manage.
Advanced user attributes
Enabling advanced user attributes enables managing delegate and send-as settings; however, this can significantly slow down full imports. A separate API call must be made for every user during the import process for each of these selected attributes.
Make new SendAs addresses default - Check this option to set the Default flag for newly created send-as addresses. It will not affect already added send-as addresses.
Global Parameters
Object filters
The MA allows you to define regular expression filters that apply to email addresses of groups, users, and contacts being imported. Only objects with addresses that match the filter will be imported.
To include all objects, leave these fields blank.
Optionally you can choose to exclude groups that are user-created from being seen by the MA.
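A way to dry-run a candidate object filter against known addresses before saving it in the MA. This is an added example, not part of the MA or its documentation; the function name Test-ImportFilter and the sample addresses are made up for illustration, and it assumes the MA evaluates filters with .NET Regex.IsMatch semantics (a match anywhere in the address counts), which this page does not state.

```powershell
# Added example: dry-run candidate object filters before saving them in the MA.
# Assumption: filters behave like .NET Regex.IsMatch (unanchored patterns
# match anywhere in the address). Test-ImportFilter is a hypothetical helper.

function Test-ImportFilter {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Pattern,
        [Parameter(Mandatory)] [string[]] $Address
    )
    # A blank filter means "include all objects", as described above.
    if ([string]::IsNullOrEmpty($Pattern)) {
        return $Address | ForEach-Object {
            [pscustomobject]@{ Address = $_; Imported = $true }
        }
    }
    $options = [System.Text.RegularExpressions.RegexOptions]::None
    # The timeout guards against catastrophic backtracking in a bad pattern.
    $regex = [regex]::new($Pattern, $options, [timespan]::FromSeconds(1))
    foreach ($a in $Address) {
        [pscustomobject]@{ Address = $a; Imported = $regex.IsMatch($a) }
    }
}

# Constructed sample addresses (not real accounts).
$sample = @(
    'alice@example.com',
    'bob@staff.example.com',
    'carol@example.com.partner.test',
    'dave@exampleXcom',
    'erin@other.test'
)

# Loose filter: unescaped dot and no anchors.
$loose = 'example.com'
# Strict filter: anchored, dot escaped, primary domain only.
$strict = '^[^@\s]+@example\.com$'

foreach ($p in $loose, $strict) {
    "Filter: $p"
    Test-ImportFilter -Pattern $p -Address $sample | Format-Table -AutoSize
}
```

With this sample, the loose pattern also admits the subdomain, suffixed and look-alike addresses, while the anchored pattern admits only alice@example.com.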
User filtering
You can specify a filter to restrict your user search to certain OUs within Google Workspace. Refer to Google's API documentation for more information.
Inherit group roles
Google Groups allows different levels of membership: MEMBER, MANAGER, or OWNER. When this setting is disabled, a user will appear in only one of the member, manager, or owner attributes. When enabled, users with the MANAGER role will appear in both the member and manager attribute lists, and users with the OWNER role will appear in the member, manager, and owner lists.
Calendar permission change notifications
If you enable this setting, users will receive an email notification from Google when they are added to a calendar. If it is not selected, users are granted access to calendar resources without notification from Google.
Contact DN prefix
Contact objects require a prefix on their email address to ensure that they don't conflict with a real user or group in the directory. You can customize this prefix, but in most cases, it's OK to leave it as the default of custom.
Skip Member import on ARCHIVED Courses
Skipping import of students and teachers on ARCHIVED Courses can speed up import if you have many Archived course objects.