Enterprise Connect - Restricting access to Google Service Accounts

How to configure Google Service accounts with restricted user access

Google’s marketplace applications can be configured to restrict access to a subset of users and resources. This restriction is configured using Organizational Units.

For more information see Google's configuration documentation at https://support.google.com/a/answer/172931, and https://support.google.com/a/answer/4352075 for an overview of organizational structures within G Suite.

In this example we create an Organizational Unit named “Resource” as a child of our root domain:

https://support.google.com/a/answer/182537

[Screenshot: EC_Google_Account_1]

To authorize the application to use the Organizational Unit, a user must be created within that Organizational Unit.

[Screenshot: EC_Google_Account_2]

This user must be granted access to the Admin SDK (specifically read access to Organizational Units and Users); this access can again be restricted to just the Organizational Unit we created.

[Screenshot: EC_Google_Account_3]

At this stage the Cronofy application should be installed for the domain.

https://chrome.google.com/webstore/detail/cronofy/addpjfjiamildabdcppfadfmiloppkhl

After installing the Cronofy application at the root domain level we can restrict access, blocking all users outside of the Organizational Unit:

https://admin.google.com/ac/settings/serviceonoff?aid=902414518019

[Screenshot: EC_Google_Account_4]

Then configure an override for our Organizational Unit to allow access to the application:

[Screenshot: EC_Google_Account_5]

Cronofy will still make use of Domain-wide Delegation but will be sandboxed within the Organizational Unit. When authorizing the Google Service Account with Cronofy, the newly created user must be used when linking.

Once this has been completed, any user accounts that should be accessible must be placed within the Organizational Unit. By default, all resources remain accessible and so can be linked.
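As an added verification step (example code, not Cronofy's or Google's), the script below impersonates the delegated user created in the Organizational Unit via domain-wide delegation and checks that every user the Admin SDK Directory API returns sits under the “Resource” Organizational Unit. The key file path `service-account-key.json` and the delegated address `ec-service@example.com` are placeholders for your own values; the OU path `/Resource` is the one created in the steps above. A user listed outside the OU means the Admin SDK role was not scoped to the Organizational Unit. It needs `google-api-python-client` and `google-auth` installed.

```python
"""Verify that a delegated Google Workspace user can only read users in one OU.

Added example, not Cronofy's code. Assumptions: a service-account JSON key with
domain-wide delegation enabled at KEY_FILE, and DELEGATED_USER is the user
created inside the "Resource" Organizational Unit.
Requires: pip install google-api-python-client google-auth
"""

KEY_FILE = "service-account-key.json"       # placeholder: your service-account key
DELEGATED_USER = "ec-service@example.com"   # placeholder: the user created in the OU
OU_PATH = "/Resource"                        # the Organizational Unit from the guide

# Read-only Admin SDK scopes matching the access granted to the delegated user.
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
]


def is_under_ou(org_unit_path: str, ou_path: str) -> bool:
    """True if org_unit_path is ou_path itself or a descendant of it."""
    ou = ou_path.rstrip("/")
    path = org_unit_path.rstrip("/")
    return path == ou or path.startswith(ou + "/")


def users_outside_ou(users: list, ou_path: str) -> list:
    """Return the primary emails of users whose orgUnitPath is not inside ou_path.

    `users` is a list of Directory API user resources (dicts carrying
    "primaryEmail" and "orgUnitPath"), as returned by users().list().
    """
    return [
        u.get("primaryEmail", "<unknown>")
        for u in users
        if not is_under_ou(u.get("orgUnitPath", "/"), ou_path)
    ]


def fetch_all_users(key_file: str, delegated_user: str) -> list:
    """List every user the delegated admin can read, following pagination.

    The Google client imports are local so the pure checks above can run
    without the client libraries installed.
    """
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=SCOPES
    ).with_subject(delegated_user)  # domain-wide delegation: act as the OU user
    directory = build("admin", "directory_v1", credentials=creds)

    users, page_token = [], None
    while True:
        resp = directory.users().list(
            customer="my_customer", maxResults=500, pageToken=page_token
        ).execute()
        users.extend(resp.get("users", []))
        page_token = resp.get("nextPageToken")
        if not page_token:
            return users


# Constructed sample data shaped like Directory API user resources, so the
# check can be exercised offline without credentials.
SAMPLE_USERS = [
    {"primaryEmail": "room-a@example.com", "orgUnitPath": "/Resource"},
    {"primaryEmail": "room-b@example.com", "orgUnitPath": "/Resource/Floor2"},
    {"primaryEmail": "ceo@example.com", "orgUnitPath": "/"},
]


def main() -> int:
    users = fetch_all_users(KEY_FILE, DELEGATED_USER)
    leaked = users_outside_ou(users, OU_PATH)
    if leaked:
        print(f"Delegated user can read {len(leaked)} user(s) outside {OU_PATH}:")
        for email in leaked:
            print("  ", email)
        return 1
    print(f"OK: all {len(users)} visible users are inside {OU_PATH}")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it after completing the steps above and again whenever the Organizational Unit or the delegated user's admin role changes; a non-zero exit code lists the accounts that Cronofy's delegated user could read but should not. If the scoped role refuses the customer-wide listing altogether, the client raises an `HttpError`, which is worth surfacing rather than swallowing so that a misconfigured key is noticed.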