Table of contents

This article explains how to set up a limited sync.

Note: To create a limited sync setup, you must be a Google Admin or have permission to modify user access and permissions.

Introduction

To create a limited sync setup, you must already have a Happeo account or trial account. If you have not signed up for your own Happeo account, please go to app.happeo.com/signup to create your Happeo account.

Note: Only one account can be integrated with a single Google Workspace and therefore you will need to double-check that another member of your organization has not already created a Happeo account.

Users placed at the Organizational Unit (OU) root level cannot be synced to Happeo if a limited sync is created and therefore we don’t recommend placing users at the root level

If users at the root level cannot be moved to a nested OU, then we recommend setting up a full sync

 

Create a dedicated Sync Account user

Prior to setting up the Google Workspace Integration with a limited sync, we recommend creating a new dedicated Google user for the purpose of syncing your Google Workspace users and groups with Happeo

If a dedicated Google user cannot be created for the purpose of your Happeo sync account, an existing user can be assigned as the sync account user. However, it’s recommended that the user be a Super Admin in Google for Happeo to see all OUs and Groups. 

Note: This would not be considered a limited sync and therefore all OUs will be visible in Happeo.

Keep in mind, if for some reason the assigned sync account user is suspended or deleted, the sync between your Google Workspace and Happeo will be broken

For this reason, we recommend creating a dedicated user for your sync account, which will reduce the chance of the sync account user being suspended or deleted due to termination or a change in employment.

To create a new user in your organization, you can:

  1. Go to the Google Workspace Admin Panel (admin.google.com)
  2. Click Directory
  3. Click Users

Modify_Google_Workspace_Integration_Sync_Scope_1.png

Then, you can:

  1. Click Add new user in the top-center panel above your list of users
  2. Add a unique user’s First and Last name. For example:
    1. First Name – Happeo
    2. Last Name – Sync
  3. Add a primary email address that also complies with your internal system account email standards. For example
    1. happeo.sync@yourdomain.com
    2. happeosync@yourdomain.com
  4. Add the sync account user to an OU that will be later set to sync to Happeo

Happeo_Google_Workspace_Installation___Limited_Sync_Setup_1.png

Note: Save the newly created sync account user's Gmail password. This is because you will need to log into Gmail as this user to accept an invite email that will be sent later in the setup process. 

Change the sync account’s Organizational Unit

If you wish to change the OU you set the sync account to, you can:

  1. Search for the sync account in the search bar
  2. Scroll down the left-hand profile panel
  3. Click Change OU
  4. Make the necessary changes
  5. Click Continue
  6. Click Change

Note: This change may take up to 24 hours to take effect.

Create and assign admin roles

You will need to create two custom admin roles for the sync account in your Google Workspace. Then, the roles will be assigned to your newly created system account user. 

  • The first custom admin role is responsible for synchronizing users with Happeo
  • The second custom admin role will be responsible for synchronizing groups with Happeo

Create the user sync admin role

First, you will need to create the user sync admin role. To do so, you can:

  1. Navigate to Account from the left-hand panel
  2. Select Admin roles

Happeo_Google_Workspace_Installation___Limited_Sync_Setup_2.png

Then, you can:

  1. Click Create new role
  2. Name the role. For example:
    1. Happeo limited user sync
  3. (Optional) Add a description
  4. Click Continue

Happeo_Google_Workspace_Installation___Limited_Sync_Setup_3.png

Then, you will need to:

  1. Add a check to the following Admin Console privileges
    1. Organizational Units – Read
    2. Users – Read
  2. Click Continue once you’re done.
  3. Review the Admin privileges and click Create role

Note: When you specify Admin privileges in the Admin console, you also grant the corresponding Admin API resource privileges. Click here to learn more.

Happeo_Google_Workspace_Installation___Limited_Sync_Setup_4.png

When you’re viewing the new role you created after clicking Create role, you can:

  1. Click Assign users from the right-hand panel at the top
  2. Search for the newly created sync account user
  3. Select the appropriate OU listed in the “Organizational Unit” column to which the sync account has been assigned and click Done
    1. In the example below, the sync account user has been added to the sub-OU of Service Accounts

Happeo_Google_Workspace_Installation___Limited_Sync_Setup_5.png

Once you’re done, you can click Assign role.

The sync account user access is now limited to only sync users within the one OU that has been granted in this newly created role. 

Repeat this admin assignment for each OU that was not part of the previous one.

Note: If access is granted at the root level, the sync is no longer a limited sync, and therefore a full sync is established. Synchronization, however, can be limited via the Happeo Admin Settings > User Management > Google Workspace tab. 

For more information, please refer to this article.

Note: For the initial install of the Happeo Marketplace app and the initial sync setup in Happeo, the OU that the sync account user is in must be within the scope of the sync. However, after that, the OU that the sync account user is in does not need to be within scope. To prevent the disruption of the sync between Happeo and your Google Workspace, the OU that the sync account user is in must still have the Google Marketplace Happeo app enabled.

Create the group sync admin role

The second role you will create is responsible for the synchronization of your groups with Happeo. Creating a group sync admin role is fairly similar to creating a user sync admin role. To get started, you can:

  1. Navigate to Account from the left-hand panel
  2. Select Admin roles
  3. Click Create new role
  4. Name the role. For example:
    1. Happeo Group Sync
  5. (Optional) Add a description
  6. Click Continue
  7. Add a check to the following Admin Console privileges
    1. Groups – Read
    2. Schema Management Read
  8. Click Continue once you’re done
  9. Review the Admin privileges and click Create role
  10. Click Continue

Note: When you specify Admin privileges in the Admin console, you also grant the corresponding Admin API resource privileges. Click here to learn more.

Happeo_Google_Workspace_Installation___Limited_Sync_Setup_6.png

When you’re viewing the new role you created after clicking Create role, you can:

  1. Click Assign users from the right-hand panel at the top
  2. Search for the newly created sync account user

Note: The group sync role will sync all groups. Notice when creating this role that you cannot change the default OU and this is because groups are not assigned to an OU and the Happeo Group sync cannot be limited like the user sync.

You have now created a sync account user with limited access to only a sub-select of your OUs. This newly created user can now be used for data synchronization from your Google Workspace to Happeo. 

The next step of the setup process is to install the Google Integration in your Happeo account and set up the Google synchronization and assign this limited sync user as the sync account in Happeo. Please refer to the following article to complete this next step of the setup process.

Troubleshooting

Error when creating a new user role

To solve this issue, please confirm that the naming is unique and no other role exists with the same name.

Previous
Next
12578600981265
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.