Overview
Google Workspace is one of Spendflo's foundational integrations and provides a wide range of capabilities. This integration is read-only and does not have permission to affect your organization.
Integrating Google Workspace provides many forms of visibility into your organization:
- Visibility of the people in your organization
- Visibility into the apps authenticated with Google Workspace
Pre-requisites
To begin the installation, you must be a Google Workspace Domain Administrator (User Admin). If someone in your organization can create Google Workspace Accounts, they are likely an administrator.
Any user must have the below permissions to integrate with Google Workspace successfully:
Category | Allows Spendflo | Scope & Permission |
Admin - Directory User Security | Uncover OAuth logins & relationships to apps, including which fine-grained Google Workspace permissions they were granted. | https://www.googleapis.com/auth/admin.directory.user.security View and manage data access permissions for users on your domain. We only read the user email, name, and app name. But unfortunately, Google provides the same permissions bucket for read and write. |
Admin - Directory User | Allows Spendflo to enumerate all Google Workspace accounts and add them to our System of Record. | https://www.googleapis.com/auth/admin.directory.user.readonly View access to user profile info on the domain, such as names, emails, addresses, phone numbers, and metadata, including the user's role, manager info, and last login time. |
Admin - Reports | Allows Spendflo to fetch the Authorised date for all the applications/user and add them to our system records | https://www.googleapis.com/auth/admin.reports.audit.readonly |
Create a dedicated Spendflo-Google Workspace Integration email account
When you connect Spendflo to your Google Workspace, the account to establish the connection needs certain user role privileges. While logging in with an existing administrator account is convenient, we recommend creating dedicated account for Spendflo to connect.
You may want to consider a standard account name/email to use for all dedicated Spendflo connections, e.g., spendflo.serviceaccount@yourorg.com
Create a new User Role
When you create a dedicated email id like spendflo.serviceaccount@yourorg.com, you need to give the email account the necessary privileges for it to work properly; follow the steps below to assign role permissions:
- Go to your Google Admin Dashboard and create a new user role
- Create the Role name and description, for example Spendflo Integration
- Search for "Organizational Units" and check the "Read" block
- Search for "Users" and check the "Read" block
- Search for "Groups" and check the "User Security Management" block
- Review the permissions and create the Role
Now that the Role is created assign it to the user that you'll use for Spendflo Integration
Benefits of a dedicated Spendflo integration account on Google Workspace
- Clarity in audit logs: Let's say you want to connect to Quickbooks. If you use your personal administrator account to connect, any actions performed by Spendflo will probably be recorded in the Quickbooks audit log as coming from your user account. Additionally, you may be using this account to integrate with other systems, too, so those actions will get assigned to your user as well. This will make proper audits difficult. You won't necessarily know which system did what or whether it was you performing the actions. From an audit perspective, it is preferable for each connecting system to have its own user account so that audit log entries can be clearly differentiated.
- Future-proof: People change roles and sometimes leave organizations. Suppose your integrations are connecting using a specific individual's account. If they move roles, they may lose their administrative rights, or the account may be terminated completely if they leave your organization. At this point, a new person will need to reconnect the integration. Having a dedicated Spendflo account for an API connection avoids these concerns.
Installation Steps
Go to Spendflo Integrations Page
Head to the Spendflo Integrations page from Settings>Management Hub>Integrations>Available Apps and click on the Admin Install button under Google Workspace.
If the Spendflo user who is setting up Google Workspace is not the GSuite administrator, then the user can share the app URL with the admin. The admin can then do the admin install. Spendflo detects it automatically if it is installed when they reach this page.
Click Admin Install
After clicking the Admin Install button, the user will be redirected to Google's Marketplace page. A pop-up will appear, and you should click on "Continue" to proceed.
Accept App Permissions
To proceed, the user needs to accept Spendflo's Marketplace App permissions. They have the option to grant permission to either everyone in the organization or select specific groups.
If you select a specific group please note that the group should contain at least one email ID that has the administrator rights
Configure on Spendflo
- Return to Spendflo's Integrations page and click Configure on Google Workspace in the connected apps section.
- A pop-up will appear where you can enter the email ID of the Google account you created during the initial steps with custom role permissions.
- Click Save. You will see a confirmation message at the bottom of the screen saying, “Integration Updated Successfully.”
- You have now successfully set up the Google Workspace in Spendflo. You should be able to see the app usage and spend details under the Insights Page
Changes with Existing Integration Users
We have introduced a feature that allows us to extract the last authorized date from your GSuite Workspace account. To enable this functionality, an additional permission is required. No further steps are necessary for new integrations as this permission will be included during the initial setup. However, for existing integrations, you must grant permission for the newly added scope.
Follow these steps to update the permissions:
- Login to https://admin.google.com
- In the left side panel click on Apps -> Google Workspace Marketplace Apps -> Apps list
- Click on the Spendflo app from the list.
- In the OAuth Scopes section, we see the newly added scope should be granted access
- Click on the Grant access button. Only when the permission is granted, we start scrubbing the Authorised date.
Post Integration Steps
- Click Configure button and enter the email address
Uninstalling Google Workspace
If you wish to uninstall the Google Workspace integration with Spendflo, please follow the steps.
- Go to your Google Workspace admin>marketplace https://admin.google.com/ac/apps/gmail/marketplace/apps
- Click on the app “Spendflo” in the table Google Workspace Marketplace apps.
- Click on Uninstall app and then click again on Uninstall in the pop-up.
- The app will be uninstalled
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article