This article explains how to set up a limited sync.
Note: To create a limited sync setup, you must be a Google Admin or have permission to modify user access and permissions.
Introduction
To create a limited sync setup, you must already have a Happeo account or trial account. If you have not signed up for your own Happeo account, please go to app.happeo.com/signup to create your Happeo account.
Note: Only one account can be integrated with a single Google Workspace and therefore you will need to double-check that another member of your organization has not already created a Happeo account.
Users placed at the Organizational Unit (OU) root level cannot be synced to Happeo if a limited sync is created and therefore we don’t recommend placing users at the root level.
If users at the root level cannot be moved to a nested OU, then we recommend setting up a full sync.
Create a dedicated Sync Account user
Prior to setting up the Google Workspace Integration with a limited sync, we recommend creating a new dedicated Google user for the purpose of syncing your Google Workspace users and groups with Happeo.
If a dedicated Google user cannot be created for the purpose of your Happeo sync account, an existing user can be assigned as the sync account user. However, it’s recommended that the user be a Super Admin in Google for Happeo to see all OUs and Groups.
Note: This would not be considered a limited sync and therefore all OUs will be visible in Happeo.
Keep in mind, if for some reason the assigned sync account user is suspended or deleted, the sync between your Google Workspace and Happeo will be broken.
For this reason, we recommend creating a dedicated user for your sync account, which will reduce the chance of the sync account user being suspended or deleted due to termination or a change in employment.
To create a new user in your organization, you can:
- Go to the Google Workspace Admin Panel (admin.google.com)
- Click Directory
- Click Users
Then, you can:
- Click Add new user in the top-center panel above your list of users
- Add a unique user’s First and Last name. For example:
- First Name – Happeo
- Last Name – Sync
- Add a primary email address that also complies with your internal system account email standards. For example
- Add the sync account user to an OU that will be later set to sync to Happeo
Note: Save the newly created sync account user's Gmail password. This is because you will need to log into Gmail as this user to accept an invite email that will be sent later in the setup process.
Change the sync account’s Organizational Unit
If you wish to change the OU you set the sync account to, you can:
- Search for the sync account in the search bar
- Scroll down the left-hand profile panel
- Click Change OU
- Make the necessary changes
- Click Continue
- Click Change
Note: This change may take up to 24 hours to take effect.
Create and assign admin roles
You will need to create two custom admin roles for the sync account in your Google Workspace. Then, the roles will be assigned to your newly created system account user.
- The first custom admin role is responsible for synchronizing users with Happeo
- The second custom admin role will be responsible for synchronizing groups with Happeo
Create the user sync admin role
First, you will need to create the user sync admin role. To do so, you can:
- Navigate to Account from the left-hand panel
- Select Admin roles
Then, you can:
- Click Create new role
- Name the role. For example:
- Happeo limited user sync
- (Optional) Add a description
- Click Continue
Then, you will need to:
- Add a check to the following Admin Console privileges:
- Organizational Units – Read
- Users – Read
- Click Continue once you’re done.
- Review the Admin privileges and click Create role
Note: When you specify Admin privileges in the Admin console, you also grant the corresponding Admin API resource privileges. Click here to learn more.
When you’re viewing the new role you created after clicking Create role, you can:
- Click Assign users from the right-hand panel at the top
- Search for the newly created sync account user
- Select the appropriate OU listed in the “Organizational Unit” column to which the sync account has been assigned and click Done
- In the example below, the sync account user has been added to the sub-OU of Service Accounts
Once you’re done, you can click Assign role.
The sync account user access is now limited to only sync users within the one OU that has been granted in this newly created role.
Repeat this admin assignment for each OU that was not part of the previous one.
Note: If access is granted at the root level, the sync is no longer a limited sync, and therefore a full sync is established. Synchronization, however, can be limited via the Happeo Admin Settings > User Management > Google Workspace tab.
For more information, please refer to this article.
Note: For the initial install of the Happeo Marketplace app and the initial sync setup in Happeo, the OU that the sync account user is in must be within the scope of the sync. However, after that, the OU that the sync account user is in does not need to be within scope. To prevent the disruption of the sync between Happeo and your Google Workspace, the OU that the sync account user is in must still have the Google Marketplace Happeo app enabled.
Create the group sync admin role
The second role you will create is responsible for the synchronization of your groups with Happeo. Creating a group sync admin role is fairly similar to creating a user sync admin role. To get started, you can:
- Navigate to Account from the left-hand panel
- Select Admin roles
- Click Create new role
- Name the role. For example:
- Happeo Group Sync
- (Optional) Add a description
- Click Continue
- Add a check to the following Admin Console privileges:
- Groups – Read
- Schema Management – Read
- Click Continue once you’re done
- Review the Admin privileges and click Create role
- Click Continue
Note: When you specify Admin privileges in the Admin console, you also grant the corresponding Admin API resource privileges. Click here to learn more.
When you’re viewing the new role you created after clicking Create role, you can:
- Click Assign users from the right-hand panel at the top
- Search for the newly created sync account user
Note: The group sync role will sync all groups. Notice when creating this role that you cannot change the default OU and this is because groups are not assigned to an OU and the Happeo Group sync cannot be limited like the user sync.
You have now created a sync account user with limited access to only a sub-select of your OUs. This newly created user can now be used for data synchronization from your Google Workspace to Happeo.
The next step of the setup process is to install the Google Integration in your Happeo account and set up the Google synchronization and assign this limited sync user as the sync account in Happeo. Please refer to the following article to complete this next step of the setup process.
Troubleshooting
Error when creating a new user role
To solve this issue, please confirm that the naming is unique and no other role exists with the same name.
Comments
0 comments
Please sign in to leave a comment.