G Suite User Account Provisioning
G Suite user account provisioning is the process of creating and maintaining user objects and user attributes within the G Suite user directory. For an organization, a user object typically represents an employee or other third-party (such as a contractor, vendor, or partner) who is given a set of credentials providing authorized access to the organization’s G Suite resources. These user profiles are stored in the G Suite directory, which is administered through the G Suite Admin console.
Assigning attributes to a user’s account allows various identifying information to be attached to the user, such as contact information that can be published in a searchable directory, and also allows control over that user’s access to the various components of G Suite and to the organization’s G Suite data and content, based on the needs of the user. For example, users can be assigned to a particular group, known as organizational units within the G Suite directory. Further, users can be assigned a particular role within a group, such as owner, manager, or member — each with varying degrees of control. A group can share a set of access levels and permissions to help simplify user management.
Part of the challenge for companies using cloud solutions such as G Suite is achieving a satisfactory level of customization and control over G Suite user accounts without overcomplicating overall identity and access management (IAM) procedures. Account provisioning and maintenance of user access profiles are key components of a company’s IT security practice, necessary for securing data, limiting vulnerabilities, and preventing unauthorized access and data breaches.
Depending on the size of the organization and the complexity of the business, user provisioning could be a relatively simple, or highly complex, process. Summarized below are some of the various ways to provision G Suite user accounts:
Provisioning through Google Admin Console
According to Google, the easiest way to provision user accounts in G Suite is to manually create a new user in the Admin console. Alternatively, users can be invited by email to set up their own accounts. Either approach may work for the most basic setups or the one-off occasion, but neither scales for larger organizations.
For bulk adds, the Admin console allows multiple users to be uploaded from a CSV file. Google provides a template worksheet where you can add user details and follow instructions to import the list into your existing directory. This, however, is still largely a manual process and has many caveats, including forced overrides of any existing account information, limited control over password management, and no ability to assign users to organizational units, which must be done manually after the upload.
Provisioning through APIs
Organizations looking to streamline G Suite provisioning can also write custom scripts against Google’s Admin SDK (software development kit) Directory API. Custom API scripts allow significant control over the G Suite directory, including creating and managing user profiles with customized fields, assigning permission levels and ownership roles, group and organizational unit management, and Chrome and mobile device management, among other capabilities. The Directory API also allows organizations to connect the G Suite directory with other LDAP directories, such as Microsoft Active Directory, and to authenticate a user’s Google account against other applications and resources.
While this option greatly extends the ability to streamline G Suite user account provisioning, it requires a significant amount of development and management, and usually connects with some type of existing, on-premises IAM infrastructure already in place.
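As an added illustration of the API route (example code written for this page, not Google's or JumpCloud's), the script below turns a CSV roster into Directory API `users.insert` request bodies, doing the two things the Admin console CSV upload cannot: assigning each user to an organizational unit and controlling the initial password. It assumes the Directory API user fields `primaryEmail`, `name.givenName`, `name.familyName`, `password`, `changePasswordAtNextLogin` and `orgUnitPath`, and a `service` object built with `google-api-python-client` (not created here, so the build step runs offline). The domain `example.com` and the roster rows are constructed sample data.

```python
"""Build Directory API users.insert payloads from a CSV roster (added example)."""
import csv
import io
import re
import secrets

ORG_DOMAIN = "example.com"  # assumption: the organization's primary G Suite domain

# Constructed sample roster. One row uses a relative OU path and one uses a
# foreign domain, so both the normalization and the rejection path are exercised.
SAMPLE_ROSTER = """\
primaryEmail,givenName,familyName,orgUnitPath
alice@example.com,Alice,Ng,/Engineering
bob@example.com,Bob,Rivera,Sales
mallory@evil.example,Mallory,Smith,/Engineering
"""

EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9.-]+)$", re.IGNORECASE)


def normalize_ou(path: str) -> str:
    """Directory API org unit paths are absolute: turn 'Sales' into '/Sales'."""
    path = path.strip()
    if not path:
        return "/"
    return path if path.startswith("/") else "/" + path


def build_user_payload(row: dict, org_domain: str = ORG_DOMAIN) -> dict:
    """Turn one roster row into a users.insert body.

    Security choices: refuse addresses outside the org domain (a script running
    with domain-wide admin rights must not be steered into creating accounts
    elsewhere), generate a random initial password instead of accepting one from
    the CSV, and force a password change at first login.
    """
    email = row["primaryEmail"].strip().lower()
    match = EMAIL_RE.match(email)
    if not match or match.group(1) != org_domain:
        raise ValueError(f"refusing to provision {email!r}: not in {org_domain}")
    return {
        "primaryEmail": email,
        "name": {"givenName": row["givenName"].strip(),
                 "familyName": row["familyName"].strip()},
        "password": secrets.token_urlsafe(18),  # never logged; delivered out of band
        "changePasswordAtNextLogin": True,
        "orgUnitPath": normalize_ou(row.get("orgUnitPath", "")),
    }


def payloads_from_csv(text: str, org_domain: str = ORG_DOMAIN):
    """Return (accepted payloads, rejected (email, reason) pairs)."""
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            accepted.append(build_user_payload(row, org_domain))
        except (ValueError, KeyError) as exc:
            rejected.append((row.get("primaryEmail"), str(exc)))
    return accepted, rejected


def submit(service, payloads):
    """Create each user through the Directory API; `service` is an authorized
    google-api-python-client Directory service (assumption, built elsewhere)."""
    for body in payloads:
        service.users().insert(body=body).execute()


if __name__ == "__main__":
    ok, bad = payloads_from_csv(SAMPLE_ROSTER)
    for p in ok:
        print(p["primaryEmail"], "->", p["orgUnitPath"])  # password deliberately not printed
    for email, reason in bad:
        print("rejected", email, reason)
```

Rejected rows are reported rather than silently skipped so the run leaves an audit trail of what was not provisioned; the same pattern extends to group membership or suspension updates, which use other Directory API resources not shown here.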
Provisioning through Third-party Software
Google offers a self-hosted and managed ‘middleware’ application called G Suite Directory Sync (GADS). This software is installed on a Windows or Linux server and integrates with Active Directory so that user profiles can be pushed from AD to G Suite and subsequently kept up to date.
GADS is a true production server. That means the organization must administer and manage all uptime and availability chores, ensure a stable and reliable connection between G Suite and Active Directory, and secure the system. It’s worth noting that GADS has a relatively weak password syncing capability. Only passwords stored as SHA-1 or MD5 hashes are readable – and SHA-1 was reported cracked in 2007. GADS doesn’t allow for passwords with salted hashes.
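To make the salted-hash point concrete, the following added example (standard-library Python, not GADS code) contrasts an unsalted SHA-1 password hash, the kind of value a sync tool limited to SHA-1/MD5 would read, with a per-user salted PBKDF2 hash. Two users with the same password and the sample salts are constructed data.

```python
"""Unsalted SHA-1 versus salted PBKDF2 password storage (added example)."""
import hashlib
import hmac


def unsalted_sha1(password: str) -> str:
    """Hash exactly as a directory storing plain SHA-1 would: no salt, one round."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Per-user salt plus many iterations: the hash depends on (salt, password),
    so a table precomputed for one user (or one organization) is useless for another."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    _, iterations, salt_hex, _ = stored.split("$")
    candidate = salted_pbkdf2(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def unsalted_collide(pw_a: str, pw_b: str) -> bool:
    """True when two accounts would sync identical unsalted hashes, which is
    what lets one cracked hash (or one precomputed table) expose every account
    sharing that password."""
    return unsalted_sha1(pw_a) == unsalted_sha1(pw_b)


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    shared = "Winter2019!"
    print("unsalted hashes identical:", unsalted_collide(shared, shared))
    h1 = salted_pbkdf2(shared, bytes.fromhex("00" * 16))
    h2 = salted_pbkdf2(shared, bytes.fromhex("ff" * 16))
    print("salted hashes identical:", h1 == h2)
    print("salted verify works:", verify_salted(shared, h1))
```

The practical consequence for a sync design is that a directory which must hand out raw SHA-1 or MD5 hashes to a downstream system is exporting values that are cheap to reverse offline, whereas a salted, iterated format can be verified by the receiving side without ever being reduced to a lookup-table key.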
There are a number of other third-party solutions that leverage Google’s Directory API to provide user provisioning capabilities, such as single sign-on (SSO) solutions and other business intelligence and SaaS tools. They allow organizations to avoid much of the development and programming work otherwise needed to customize provisioning of G Suite user accounts. These tools leverage Google’s open APIs to present all of the G Suite directory capabilities in a more scalable and user-friendly format, but they similarly have limitations when plugging into a larger IAM solution, as they depend on existing IAM infrastructure much like GADS does. Also of note, user provisioning with these services is usually one-way only, meaning profiles can be pushed into the G Suite directory, but not vice versa.
Provisioning through a Directory-as-a-Service®
A new approach to G Suite user account provisioning can be accomplished through a Directory-as-a-Service (DaaS) solution, such as JumpCloud. JumpCloud similarly leverages open APIs to provision user accounts, but it can also provide a scalable way to streamline identity and access management, unifying user account provisioning for G Suite with provisioning of accounts for other IT resources such as Mac, Windows, and Linux machines, other applications, RADIUS networks, and other parts of a corporate network, without the need for additional middleware applications or on-premises solutions. JumpCloud in particular allows for multi-directional provisioning, so users who already exist in G Suite can be provisioned via JumpCloud to other IT resources as well.
The true advantage of a DaaS solution such as JumpCloud is that it provides a significant amount of control and customization over the G Suite provisioning process through a platform that sits at the core of an overall identity and access management system, hosted securely in the cloud.