GCP Connector Features

The GCP Connector by EmpowerID enables seamless synchronization of identity data between EmpowerID and Google Cloud Platform (GCP). It provides extensive inventory, provisioning, and synchronization capabilities to ensure efficient identity and access management.

Key Features

• Full and Incremental Inventory Support for:
  • User Accounts, Service Accounts, and Guest Accounts
  • Groups
  • Group memberships for all account types
  • Group-to-Group memberships
• User and Group Management
  • Create, update, disable, and delete user accounts
  • Enable, disable, and delete service accounts
  • Create, update, and delete groups
• Access and Membership Management
  • Provisioning accounts through EmpowerID Resource Entitlements
  • Resetting passwords for user accounts
  • Handling group membership additions and removals
  • Assigning group memberships to accounts via management role (RBAC) assignments

Supported Operations by GCP Microservice

The SCIM microservice for GCP exposes several endpoints designed for identity management and synchronization between GCP and the connector.

Query Operations

Name	Method	URL	Description
Query Projects	GET	/QueryProjects	Queries projects
Query Users	GET	/QueryUsers	Queries users
Query Predefined IAM Roles	GET	/QueryPredefinedIamRoles?count=100&skipToken={{skiptoken}}	Queries predefined IAM roles
Query Project Custom IAM Roles	GET	/QueryProjectCustomIamRoles/{{projectId}}	Queries custom IAM roles for a specific project
Query Organization Custom IAM Roles	GET	/QueryOrganizationCustomIamRoles	Queries custom IAM roles for an organization
Query Resources	GET	/QueryOrganizationResources	Queries resources associated with an organization
Query IAM Policies	GET	/QueryIAMPolicies	Queries IAM policies
Query Organizations	GET	/QueryOrganizations	Queries all organizations
Query Directory Roles	GET	/QueryRoles	Queries directory roles
Query Privileges	GET	/QueryPrivileges	Queries privileges
Query Organizational Units	GET	/v1/OrganizationalUnits	Queries organizational units
Query Role Assignments	GET	/QueryRoleAssignments	Queries role assignments
Query Role Assignments Delta	GET	/EIDExtension/ChangedRoleAssignmentsQuery	Queries role assignments that have changed since the specified start time
Query Service Accounts	GET	/QueryOrganizationResources/{{organizationId}}	Retrieves service accounts associated with an organization

Service Account Operations

Name	Method	URL	Description
Get Service Account by ID	GET	/QueryOrganizationResources/{{organizationId}}?filter=iam.googleapis.com/ServiceAccount&query={serviceaccountid}	Retrieves a specific service account by ID
Create Service Account	POST	/v1/serviceaccounts/eidextension?accountId={{accountId}}	Creates a new service account
Update Service Account	PATCH	/v1/serviceaccounts/eidextension/{{accountId}}	Updates an existing service account
Delete Service Account	DELETE	/v1/serviceaccounts/eidextension/{{accountId}}	Deletes a service account
Disable Service Account	GET	/v1/serviceaccounts/eidextension/disable/{{accountId}}	Disables a service account
Enable Service Account	GET	/v1/serviceaccounts/eidextension/enable/{{accountId}}	Enables a service account

Group Operations

Name	Method	URL	Description
Query Groups	GET	/v1/groups	Queries all groups
Create Group	POST	/v1/groups	Creates a new group
Get Group by ID	GET	/v1/groups/{{groupId}}	Retrieves a specific group by ID
Update Group	POST	/v1/groups/{{groupId}}	Updates an existing group
Delete Group	DELETE	/v1/groups/{{groupId}}	Deletes a group
Query Groups Delta	GET	/v1/groups/EIDExtension/NewOrUpdated?startTime={{timestamp}}	Queries groups created or updated since the specified start time
Query Group Members	GET	/EIDExtension/MemberQuery/{{groupId}}	Queries members of a specific group
Delete Group Member	DELETE	/EIDExtension/MemberQuery/{{groupId}}/{{memberId}}	Deletes a specific member from a group
Create Group Member	POST	/EIDExtension/MemberQuery	Creates a new member in a group
Update Group Member	POST	/EIDExtension/MemberQuery/{{groupId}}/{{memberId}}	Updates a specific member's details in a group
Query Group Members Delta	GET	/EIDExtension/ChangedMemberQuery	Queries members of a group that have been created or updated since the specified start time

Inventory Management

The GCP Connector provides two standard inventory processes:

• Incremental Inventory: Monitors the LastTimeStamp of the previous inventory run and imports only user and group identity data changes since then.
• Full Inventory: Conducts a complete inventory of all GCP users and groups each time the inventory job runs.

Attribute Mappings

The GCP Connector synchronizes GCP and EmpowerID by mapping relevant attributes. Below are the detailed mappings:

User Attributes

SCIM Attribute	EmpowerID Attribute	Description
name['givenName']	FirstName	Maps to the user's first name
name['familyName']	LastName	Maps to the user's last name
displayName	DisplayName	Full name of the user
active	Active	Indicates if the account is active
country	Country	Maps to the user's country
preferredLanguage	PreferredLanguage	User's preferred language
primaryEmail	eMail	User's primary email address
recoveryPhone	PhoneNumber	User's recovery phone number
lastLoginTime	LastLogin	Timestamp of last login
orgUnitPath	OrgUnit	User's organizational unit

Group Attributes

GCP Attribute	EmpowerID Group Attribute	Description
['description']	Description	Extended group description
['adminCreated']	CustomAttribute16	Indicates if the group was admin-created
['email']	CustomAttribute15	Group email address
['displayName']	Display Name	Group display name

Service Account Attributes

GCP Attribute	EmpowerID Attribute	Description
displayName	DisplayName	Name of the service account
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:Resource']['versionedResources'/][?(@.version=='v1')].resource.email	CustomAttribute18	Service account email
description	Description	Service account description