# Google Workspace Integration Setup

### Getting Started <a href="#h_01hph1be9gcjdw79rjgrnk195b" id="h_01hph1be9gcjdw79rjgrnk195b"></a>

Two kinds of information can be pulled from Google Workspace into BalkanID: HRIS data (using Google as an HRIS source of truth) and entitlement data (who has access to what). The following setup applies to both.

By default, the Google Workspace integration is typically set up in your tenant so that it pulls in only entitlement data. To start using Google as an HRIS source of truth, please contact <support@balkan.id> and we will enable that.

BalkanID recommends creating a separate service account for this integration instead of using personal or employee-named accounts.

#### Requirements: <a href="#h_01hq2v36xb7w3h9rc5pct64m8b" id="h_01hq2v36xb7w3h9rc5pct64m8b"></a>

* ***Domain***
* ***Super-Admin Email***
* ***Service Account***

#### Getting the configuration <a href="#h_01hph1bnscfzbep6xjrax7nvrs" id="h_01hph1bnscfzbep6xjrax7nvrs"></a>

**Granting Access to BalkanID**

1. This step is only needed if you would like to create a new project instead of using an existing project for the integration.
   1. Create a project (<https://console.cloud.google.com/cloud-resource-manager>).
   2. You should be able to walk through the wizard after clicking **Create Project** from the [*Manage Resources*](https://console.cloud.google.com/cloud-resource-manager) section of the console. You will specify a *project name* and select an *organization*.
2. Enable the required APIs for the project that you will be using
   1. Go to *Google Cloud* → *APIs and services* → *Enabled APIs and services*, then search for the required APIs and enable them.

      <figure><img src="/files/xUQaKFl8AYdkAorafDJw" alt=""><figcaption></figcaption></figure>
   2. Search and enable the following APIs

      ```
      Cloud Identity API
      ```
3. Create a service account in the project created in the previous step (<https://console.cloud.google.com/iam-admin/serviceaccounts>)
   * You should be able to walk through the wizard after clicking “[*Create Service Account*](https://console.cloud.google.com/iam-admin/serviceaccounts)” from the ‘*Service Accounts*’ section of the console. You will specify a service account name, and the rest of the fields will auto-fill based on that. You can just hit **Create and Continue**. You will not need to specify any of the optional steps listed on the wizard. This step is only needed if you would like to create a new service account instead of using an existing service account for the integration.
   * Copy and save the *OAuth 2 Client ID* as well as the *service account email address* from the main service accounts listing page (the items under the columns underlined in red below).

     <figure><img src="/files/zUg2ALJ5E7zrsf6BFFCv" alt=""><figcaption></figcaption></figure>
4. Upload existing key to the service account
   * Click *Add New* > *Upload Existing Key.*
   * Use the certificate received from BalkanID.
   * Remember to save the email address of the service account to enter into the configuration for BalkanID from the service account listing page as stated in the previous section.
5. Enable Admin SDK API (<https://console.cloud.google.com/apis/library/admin.googleapis.com>)
   * Click **Enable.**
6. Delegate domain access (<https://admin.google.com/ac/owl/domainwidedelegation>)

   * Click **Add New.**
   * Enter the *OAuth 2 Client ID* created in the previous step.

   <figure><img src="/files/hBL91iaq7xkeB1LztcRY" alt=""><figcaption></figcaption></figure>

   * Add the following OAuth Scopes:

```
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
```

* For additional details, refer to:
  * <https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account>
  * <https://support.google.com/a/answer/162106>

### Configuring Google Workspace in your BalkanID tenant <a href="#h_01hph1cpr3kjwv5bm4dv063qkc" id="h_01hph1cpr3kjwv5bm4dv063qkc"></a>

1. Log in to the BalkanID application and switch to the tenant you would like to add your integration to.
2. Head to *Integrations* > **Add Integration** and select **Google Workspace**.

   <figure><img src="/files/tSJKn0wSqnZvOa19Muye" alt=""><figcaption></figcaption></figure>

   <figure><img src="/files/HZOihWGQH1QxS7lbIyAb" alt=""><figcaption></figcaption></figure>
3. Set up the *Primary Application owner (mandatory)* and the *Description*, if any. Set up Secondary Application Owner(s), if any.

   Select the Extraction Type. From here, you can configure your application using one of the following methods:

   1. **Direct integration** - Provide your Google Domain, Super-Admin Email and Service Account Email obtained above to set up a direct connection with BalkanID.
   2. **SCIM integration** - Provide SCIM server credentials to set up a SCIM connection with BalkanID.
   3. **Manual file upload** - Upload Entity and Entity Relations through a .CSV file upload. Contact the team for assistance with this.
   4. **Automated upload using API** - You can upload data using our [Bulk APIs](https://developer.balkan.id/) with the help of an API key which will be provided to you. Please refer to the [entity](https://developer.balkan.id/bulk-entities-upload-api-early-access-12828095e0) and [entity relation](https://developer.balkan.id/bulk-entity-relations-upload-api-early-access-12828102e0) upload docs for specific instructions on uploading your data through the API.

   <figure><img src="/files/AGlA9Fw1cxn1d6b0o0l2" alt="" width="563"><figcaption></figcaption></figure>
4. Click **Next** to move on to *Optional Configuration*.
5. Fill in the **Optional configuration**, if required.

   <figure><img src="/files/hjdMKaJOU4UMajyVuRcz" alt="" width="563"><figcaption></figcaption></figure>
6. Once you have filled in the information, click **Save**. Your integration is now configured and you will see the status of the integration displayed alongside other integrations on the *Integrations* page. When data is available, the integration Status will read **Connected** and the integration Message will read **Data available**.

### Integration Scopes <a href="#h_01j0xzbfdvk4nq17g7phcq8x7q" id="h_01j0xzbfdvk4nq17g7phcq8x7q"></a>

| **Read Only (Access Review) Scopes** | **Lifecycle Management Scopes** |
| --- | --- |
| `https://www.googleapis.com/auth/admin.directory.user.readonly`<br>`https://www.googleapis.com/auth/admin.directory.user.security`<br>`https://www.googleapis.com/auth/admin.reports.audit.readonly` | `https://www.googleapis.com/auth/admin.directory.user`<br>`https://www.googleapis.com/auth/admin.directory.user.security`<br>`https://www.googleapis.com/auth/admin.datatransfer`<br>`https://www.googleapis.com/auth/admin.reports.audit.readonly` |
| `https://www.googleapis.com/auth/admin.directory.orgunit.readonly` | `https://www.googleapis.com/auth/admin.directory.orgunit` |
| `https://www.googleapis.com/auth/admin.directory.group.readonly`<br>`https://www.googleapis.com/auth/admin.directory.customer.readonly`<br>`https://www.googleapis.com/auth/cloud-identity.groups.readonly` | `https://www.googleapis.com/auth/admin.directory.group`<br>`https://www.googleapis.com/auth/admin.directory.customer.readonly`<br>`https://www.googleapis.com/auth/cloud-identity.groups` |
| `https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly` | `https://www.googleapis.com/auth/admin.directory.rolemanagement` |
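
When only access reviews are in use, the scopes delegated to the service account's client ID can be checked against the table above. The following is an added example, not BalkanID code: `audit_delegation` and the sample scope string are hypothetical, and the classification simply follows the table's two columns.

```python
PREFIX = "https://www.googleapis.com/auth/"

# Scope names copied from the two columns of the Integration Scopes table.
READ_ONLY = set("""
    admin.directory.user.readonly admin.directory.user.security
    admin.reports.audit.readonly admin.directory.orgunit.readonly
    admin.directory.group.readonly admin.directory.customer.readonly
    cloud-identity.groups.readonly admin.directory.rolemanagement.readonly
""".split())
LIFECYCLE = set("""
    admin.directory.user admin.directory.user.security admin.datatransfer
    admin.reports.audit.readonly admin.directory.orgunit admin.directory.group
    admin.directory.customer.readonly cloud-identity.groups
    admin.directory.rolemanagement
""".split())


def audit_delegation(raw):
    """Classify the scope string entered for a delegated client ID."""
    report = {"read_only": [], "lifecycle_only": [], "unexpected": []}
    # The Admin console field is comma separated; tolerate newlines and spaces.
    for scope in sorted(set(raw.replace(",", " ").split())):
        name = scope[len(PREFIX):] if scope.startswith(PREFIX) else None
        if name in READ_ONLY:
            report["read_only"].append(scope)
        elif name in LIFECYCLE:
            report["lifecycle_only"].append(scope)   # grants write access
        else:
            report["unexpected"].append(scope)       # not in the table at all
    granted = {s[len(PREFIX):] for s in report["read_only"]}
    report["table_read_only_not_granted"] = sorted(READ_ONLY - granted)
    return report


# Constructed sample: the five scopes from step 6, plus one write scope and one
# unrelated scope, as they might appear after someone edits the delegation.
SAMPLE = """
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/drive
"""

if __name__ == "__main__":
    for bucket, scopes in audit_delegation(SAMPLE).items():
        print(bucket, scopes)
```

Anything reported under `lifecycle_only` or `unexpected` on a review-only integration is a delegation that exceeds what the table's read-only column lists.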

#### Google Certificate

{% file src="/files/fK81mqxb3mSDSs6A7I1H" %}


