Google Workspace Usage Integration



Overview


Google Workspace is one of Spendflo's foundational integrations and provides a wide range of capabilities. This integration is read-only and does not have permission to affect your organization. 


Integrating Google Workspace provides many forms of visibility into your organization:

  • Visibility of the people in your organization
  • Visibility into the apps authenticated with Google Workspace


Pre-requisites


To begin the installation, you must be a Google Workspace Domain Administrator (User Admin). If someone in your organization can create Google Workspace Accounts, they are likely an administrator.


Any user must have the below permissions to integrate with Google Workspace successfully:


Category

Allows Spendflo

Scope & Permission

Admin - Directory User Security

Uncover OAuth logins & relationships to apps, including which fine-grained Google Workspace permissions they were granted.

https://www.googleapis.com/auth/admin.directory.user.security 


View and manage data access permissions for users on your domain.


We only read the user email, name, and app name. But unfortunately, Google provides the same permissions bucket for read and write.


Admin - Directory User

Allows Spendflo to enumerate all Google Workspace accounts and add them to our System of Record.

https://www.googleapis.com/auth/admin.directory.user.readonly


View access to user profile info on the domain, such as names, emails, addresses, phone numbers, and metadata, including the user's role, manager info, and last login time.


Admin - Reports



Allows Spendflo to fetch the Authorised date for all the applications/user and add them to our system records


https://www.googleapis.com/auth/admin.reports.audit.readonly

View audit reports for your G Suite domain (Only read the authorization date)



Create a dedicated Spendflo-Google Workspace Integration email account


When you connect Spendflo to your Google Workspace, the account to establish the connection needs certain user role privileges. While logging in with an existing administrator account is convenient, we recommend creating dedicated account for Spendflo to connect. 


You may want to consider a standard account name/email to use for all dedicated Spendflo connections, e.g., spendflo.serviceaccount@yourorg.com


Create a new User Role


When you create a dedicated email id like spendflo.serviceaccount@yourorg.com, you need to give the email account the necessary privileges for it to work properly; follow the steps below to assign role permissions:

  • Go to your Google Admin Dashboard and create a new user role



  • Create the Role name and description, for example Spendflo Integration



  • Search for "Organizational Units" and check the "Read" block



  • Search for "Users" and check the "Read" block



  • Search for "Groups" and check the "User Security Management" block



  • Review the permissions and create the Role




Now that the Role is created assign it to the user that you'll use for Spendflo Integration


Benefits of a dedicated Spendflo integration account on Google Workspace

  • Clarity in audit logs: Let's say you want to connect to Quickbooks. If you use your personal administrator account to connect, any actions performed by Spendflo will probably be recorded in the Quickbooks audit log as coming from your user account. Additionally, you may be using this account to integrate with other systems, too, so those actions will get assigned to your user as well. This will make proper audits difficult. You won't necessarily know which system did what or whether it was you performing the actions. From an audit perspective, it is preferable for each connecting system to have its own user account so that audit log entries can be clearly differentiated.


  • Future-proof: People change roles and sometimes leave organizations. Suppose your integrations are connecting using a specific individual's account. If they move roles, they may lose their administrative rights, or the account may be terminated completely if they leave your organization. At this point, a new person will need to reconnect the integration. Having a dedicated Spendflo account for an API connection avoids these concerns.

Installation Steps

Go to Spendflo Integrations Page


Head to the Spendflo Integrations page from Settings>Management Hub>Integrations>Available Apps and click on the Admin Install button under Google Workspace.


If the Spendflo user who is setting up Google Workspace is not the GSuite administrator, then the user can share the app URL with the admin. The admin can then do the admin install. Spendflo detects it automatically if it is installed when they reach this page.



Click Admin Install


After clicking the Admin Install button, the user will be redirected to Google's Marketplace page. A pop-up will appear, and you should click on "Continue" to proceed.




Accept App Permissions


To proceed, the user needs to accept Spendflo's Marketplace App permissions. They have the option to grant permission to either everyone in the organization or select specific groups.



If you select a specific group please note that the group should contain at least one email ID that has the administrator rights



Configure on Spendflo

  • Return to Spendflo's Integrations page and click Configure on Google Workspace in the connected apps section.
  • A pop-up will appear where you can enter the email ID of the Google account you created during the initial steps with custom role permissions.
  • Click Save. You will see a confirmation message at the bottom of the screen saying, “Integration Updated Successfully.”
  • You have now successfully set up the Google Workspace in Spendflo. You should be able to see the app usage and spend details under the Insights Page




Changes with Existing Integration Users


We have introduced a feature that allows us to extract the last authorized date from your GSuite Workspace account. To enable this functionality, an additional permission is required. No further steps are necessary for new integrations as this permission will be included during the initial setup. However, for existing integrations, you must grant permission for the newly added scope. 


Follow these steps to update the permissions:

  • Login to https://admin.google.com
  • In the left side panel click on Apps -> Google Workspace Marketplace Apps -> Apps list



  • Click on the Spendflo app from the list.
  • In the OAuth Scopes section, we see the newly added scope should be granted access




  • Click on the Grant access button. Only when the permission is granted, we start scrubbing the Authorised date.


Post Integration Steps




  • Click Configure button and enter the email address




Uninstalling Google Workspace


If you wish to uninstall the Google Workspace integration with Spendflo, please follow the steps.

  • Go to your Google Workspace admin>marketplace https://admin.google.com/ac/apps/gmail/marketplace/apps
  • Click on the app “Spendflo” in the table Google Workspace Marketplace apps.
  • Click on Uninstall app and then click again on Uninstall in the pop-up.
  • The app will be uninstalled


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article