This integration allows you to manage user memberships with Google Groups. You can setup access management through Opal to Google Groups in minutes.
Create a Google Groups connection
To get started, head to the Connections page and click on the Google Groups tile.
Click on the Google Groups tile to get started.
Opal requires multiple credentials in order to manage your Google groups.
Step 1 - Configure a service account for Opal
In order for Opal to manage your Google groups on your behalf, we'll need you to create a service account with proper permission scopes.
Open the Service accounts page. If prompted, select a project.
Click + Create Service Account. Enter a name and description for the service account. When done click Create.
The Service account permissions section that follows is not required. Click Continue.
On the Grant users access to this service account screen, click Done.
Select the new service account.
Click the Keys tab.
Click the Add key drop-down menu, then select Create new key.
Select JSON as the Key type and click Create.
Your new public/private key pair is generated and downloaded to your machine.
Click Close on the Private key saved to your computer dialog, then return to the table of your service accounts.
We then need to enable G Suite domain-wide delegation with the following steps:
Locate the newly-created service account in the table. Under Actions, click Manage details.
In the service account details, click Show domain-wide delegation, then ensure the Enable G Suite Domain-wide Delegation checkbox is checked.
If you haven't yet configured your app's OAuth consent, you must do so before you can enable domain-wide delegation. Follow the on-screen instructions to configure the OAuth consent screen, then repeat the above steps and re-check the checkbox.
Click Save to update the service account, and return to the table of service accounts. A new column, Domain-wide delegation, can be seen. Click View Client ID to obtain and make a note of the client ID.
Delegate domain-wide authority to your service account:
To access user data on a Google Workspace domain, the service account that you created needs to be granted access by a super administrator for the domain. To delegate domain-wide authority to a service account, follow those steps:
From your Google Workspace domain's Admin console, go to Main menu > Security > API controls.
In the Domain wide delegation pane, select Manage Domain Wide Delegation.
Click Add new.
In the Client ID field, enter the client ID obtained from the service account creation steps above.
In the OAuth Scopes field, enter the following scope:
Your service account now has domain-wide access to the Google Admin Directory API for all the users of your domain with admin access.
Step 2 - Turn on the Google Admin API
Go to the Google Admin API overview in Google Cloud.
Click Enable API.
Step 3 - Create Opal group
Create a Google group called Opal. This group can be used later to automatically import groups into Opal by adding them as members of this group.
Step 4 - Fill out Opal Connections form
Back in the Connections form, fill in details about your Google Groups service account:
For Opal group email, you should enter the email of the Google group created above.
For Google Workspace admin email, you should enter the email of someone in your organization with admin privileges.
Then click to upload the downloaded JSON file for the created service account.
If this step is successful, you have completed setting up the Google Groups server connection.
Step 5 - Manually import Google groups
Click on Groups in the left sidebar.
In the top right, click on the + (Plus) button, then Import groups.
Select your Google Groups connection
Then select which groups you'd like to import
As mentioned above, if you'd like to automatically import groups into Opal, you can simply create them as members of the Opal group you created above.
❗️Enable Opal for access management
If you want to use Opal to manage access to Google groups, you will need to enable the Manage resources and groups from Opal in the Admin page. You can read more about how to do that here.