# Google Workspace

<figure><img src="/files/sV6wFeTXh6I5but4jSV1" alt=""><figcaption></figcaption></figure>

Connect Google Workspace to manage groups directly from any request. Add or remove users from Google Groups in the side panel, in workflows, or via IT Agent, and feed Day-1 onboarding flows from your HRIS-driven org structure.

### What you get

* **Live directory** — Google Workspace users sync into Siit with email, name, org unit, and group memberships.
* **Group management actions** — add or remove users from Google Groups directly from request side panels, workflows, and IT Agent playbooks.
* **Audit trail** — every group change triggered from Siit is logged on the request timeline.
* **Source for onboarding and access requests** — pair Google with an HRIS to run Day-1 flows that place new hires into the right distribution lists and access groups automatically.

> **Scope note** — Siit's Google Workspace integration focuses on **directory sync and group management**. User lifecycle actions (create, suspend, delete) are not currently exposed as native Siit actions for Google Workspace — if you need those, pair Google Workspace with Okta, Entra ID, or JumpCloud, or use the IT Agent with custom webhooks.

### What syncs from Google Workspace

| Category    | Fields                                               |
| ----------- | ---------------------------------------------------- |
| Identity    | Full name, primary email, aliases, Google user ID    |
| Org context | Organizational unit, job title (if set in Directory) |
| Groups      | Group memberships, group ownership                   |

Work email (the primary Google email) is the canonical identifier.

### Actions available

* **Google → Add user to group** — add a user to a Google Group. Available in side panel, workflows, and IT Agent.
* **Google → Remove user from group** — remove a user from a Google Group. Available in side panel, workflows, and IT Agent.

Both actions can be gated behind approvals when used in workflows or IT Agent playbooks.

### Before you connect

* You'll need a **Google Workspace Super Admin** account to grant the initial OAuth consent. Consent is granted once at the workspace level.
* Decide which admin account will own the connection. The integration continues to work after individual admins change, but re-authorization requires a Super Admin.
* Choose whether Siit should have **read-only directory access**, or also **group management** scope. Without the group management scope, add/remove actions won't be available.

### Connect Google Workspace

1. In Siit, go to **Settings → Integrations**.
2. Find **Google Workspace** in the IAM section and click **Connect**.
3. You'll be redirected to Google to sign in. Sign in with a Super Admin account.
4. Review the requested OAuth scopes:
   * Read directory (users, org units, groups and memberships)
   * Optional: manage group memberships — required for add / remove actions
5. Accept the consent and you'll be redirected back to Siit.
6. Siit runs an initial import of users and groups (can take a few minutes for large workspaces).
7. Review the imported data and click **Finish setup**.

> **Tip** — If your Google Workspace has **app access control** restrictions, a Super Admin may need to explicitly allow Siit in Security → API controls → App access control → Manage third-party app access. Otherwise the OAuth flow will fail silently or with a "restricted" message.

### After the connection

* **Check your People list** — confirm users imported correctly. The count should match Directory users (excluding suspended, unless you opted to include them).
* **Scope the groups** — by default all groups are synced. In **Settings → Integrations → Google Workspace**, you can scope to specific groups or org units if you don't want the entire directory tree.
* **Try an action from a request** — open any request, and use the side panel Apps section to add/remove the requester from a Google Group.
* **Build a workflow** — a good first workflow: an access request that adds the requester to a group after manager approval.

### Sync frequency

Google Workspace data refreshes automatically every few hours. Trigger an immediate refresh from **Settings → Integrations → Google Workspace → Sync now**. Actions run on demand, immediately, when triggered from Siit.

### Common workflows

**Access request.** *Trigger: Request submitted (service = "Request group access"). Actions: manager approval → Google add to group → DM requester.*

**Day-1 onboarding (with HRIS).** *Trigger: Start date. Actions: Google add to onboarding@ group and dept-specific groups → notify manager.*

**Offboarding on end date.** *Trigger: End date. Actions: Google remove from all groups → create equipment pickup request → DM manager.*

**Project access provisioning.** *Trigger: Request submitted with form value Project = "Phoenix". Action: Google add to phoenix-team@ group.*

### Troubleshooting

**Connection fails with "app not authorized".** Super Admin hasn't allowed Siit in Google's third-party app access control. Ask a Super Admin to approve Siit in Security → API controls → App access control.

**Users missing from Siit.** Check whether suspended users are excluded — by default they are. Adjust the filter in **Settings → Integrations → Google Workspace**.

**Add to group action fails.** The OAuth scope for group management wasn't granted at install time. Re-authorize the connection and accept the group management scope.

**Group isn't visible as an option.** The group may be scoped out. Check the group scope setting in **Settings → Integrations → Google Workspace**, or ensure it's a Google Group (not a shared label or team drive).

**A user isn't in the group after the action ran.** Check the request timeline — if the action succeeded, Google may be propagating the change (some distribution groups take a minute). If it failed, the error is shown inline.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.siit.io/integrations/iam/google-workspace.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.