Enterprise Connect - Restricting access to Google Service Accounts

How to configure Google Service accounts with restricted user access

Google’s marketplace applications can be configured to restrict access to a subset of users and resources. This is configured using Organizational Units.

For more information, see Google's documentation on configuration at https://support.google.com/a/answer/172931, and https://support.google.com/a/answer/4352075 for an overview of organization structures within G-Suite.

In this example we can create an Organizational Unit named “Resource” as a child resource of our root domain:



In order to authorize the application to use the Organizational Unit a user must be created within this Organizational Unit.


This user must be configured to allow access to the Admin SDK (specifically read access to Organizational Units and Users) – this again can be restricted to just allowing access to the Organizational Unit we created.


At this stage the Cronofy application should be installed for the domain.


After installing the Cronofy Application at the root domain level we can restrict access - blocking access to all users outside of the Organizational Unit:



And configure overridden access to our Organizational Unit to allow access to the application:


Cronofy will still make use of domain-wide delegation but will be sandboxed within the Organizational Unit. When authorizing the Google Service Account with Cronofy, the newly created user must be used when linking.

After this has been completed, any user accounts which should be accessed should be placed within the Organizational Unit in order to allow access. By default, all resources will be accessible and so can be linked.
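One way to check the result before linking, as an added example that is not Cronofy's or Google's code: it takes user records carrying the Admin SDK Directory API fields `primaryEmail` and `orgUnitPath` and reports which accounts sit inside the "Resource" Organizational Unit from this walkthrough. The sample accounts are constructed, and treating child Organizational Units as in scope is an assumption (settings are inherited unless overridden).

```python
# Added example: audit which accounts fall inside the restricted OU.
# Field names follow the Admin SDK Directory API user resource
# (primaryEmail, orgUnitPath); the records below are constructed.

def in_org_unit(org_unit_path, target="/Resource", include_children=True):
    """True if org_unit_path is the target OU or (optionally) nested under it."""
    path = org_unit_path.rstrip("/") or "/"
    target = target.rstrip("/") or "/"
    if path == target:
        return True
    if not include_children:  # assumption: children inherit the OU's setting
        return False
    # Compare on a path boundary so "/Resources" does not match "/Resource".
    prefix = "/" if target == "/" else target + "/"
    return path.startswith(prefix)


def audit(users, linking_user, target="/Resource"):
    """Split users into reachable/unreachable and check the linking user."""
    reachable, unreachable = [], []
    for u in users:
        bucket = reachable if in_org_unit(u["orgUnitPath"], target) else unreachable
        bucket.append(u["primaryEmail"])
    return {
        "reachable": sorted(reachable),
        "unreachable": sorted(unreachable),
        # The user used when linking must itself live inside the OU.
        "linking_user_ok": linking_user in reachable,
    }


# Constructed sample data (example.com accounts are placeholders).
SAMPLE_USERS = [
    {"primaryEmail": "cronofy-link@example.com", "orgUnitPath": "/Resource"},
    {"primaryEmail": "room-a@example.com", "orgUnitPath": "/Resource/Rooms"},
    {"primaryEmail": "alice@example.com", "orgUnitPath": "/Sales"},
    {"primaryEmail": "bob@example.com", "orgUnitPath": "/Resources"},
]

if __name__ == "__main__":
    report = audit(SAMPLE_USERS, "cronofy-link@example.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Accounts listed as unreachable need moving into the Organizational Unit before they can be accessed.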