---
title: Google Group (GSuite) Access Requirements
excerpt: ''
deprecated: false
hidden: false
metadata:
  title: ''
  description: ''
  robots: index
next:
  description: ''
---
# General Setup

You will need to provide the following to Moveworks.

* A Service Account JSON file associated with a Google Cloud Platform Project that has been assigned the group admin role and has access to your tenant
* Customer ID from your Google Admin Console

Please provide the Service Account JSON file to your Moveworks Customer Success team via encrypted email.

# Create GCP Project & Assign APIs

Before you begin the configuration, please ensure you have the administrative privileges for the Google Cloud Platform in your organization.

1. Create a GCP Project
   1. Start by navigating to [https://console.developers.google.com/apis/dashboard](https://console.developers.google.com/apis/dashboard) in your browser.  
      ![](https://files.readme.io/29f1311-small-Untitled_-_2023-05-12T133359.834.png)  
      ![](https://files.readme.io/4c2ba2a-small-Screen_Shot_2022-02-09_at_2.12.46_AM.png)
   2. Under your organization space, create a new project and name it “Moveworks”.  
      ![](https://files.readme.io/786030d-small-Screen_Shot_2022-02-09_at_2.11.12_AM_1.png)
2. Identify the APIs you need to enable
   * **Admin SDK API**
   * **Groups Settings API**
   * **Admin SDK Reports API**
3. Enable APIS for your GCP Project
   1. Navigate to the API Library & Enter the name of the APIs you want to activate  
      ![](https://files.readme.io/73fdcd4-small-Screen_Shot_2022-02-09_at_2.27.54_AM.png)
   2. Click **Enable**  
      ![](https://files.readme.io/e23f1a3-small-Screen_Shot_2022-02-09_at_2.29.27_AM.png)
4. Create a Service Account
   1. Navigate to APIs & Services > Credentials  
      ![](https://files.readme.io/5f81723-small-Untitled_-_2023-05-12T133816.477.png)
   2. Select **Create Credentials > Service Account**  
      ![](https://files.readme.io/b17f712-small-Untitled_-_2023-05-12T133833.866.png)
   3. Create the Service account by adding the name, ID and description and select **Create and Continue** - _Note_: Granting access to a project or Granting users access to this service account is optional  
      ![](https://files.readme.io/1c495a3-small-Untitled_-_2023-05-12T133855.269.png)
   4. Click on **Actions > Manage keys**  
      ![](https://files.readme.io/dbf2552-small-Untitled_-_2023-05-12T133937.656.png)
   5. Select **Add Key > Create new key**  
      ![](https://files.readme.io/014f492-small-Untitled_-_2023-05-12T133955.730.png)
   6. Select **JSON** as the **Key type** and click **Create**. You should see a notification that the service account JSON file has been downloaded and saved to your computer.  
      ![](https://files.readme.io/e20c5de-small-Untitled_-_2023-05-12T134024.151.png)  
      ![](https://files.readme.io/f95b310-small-Untitled_-_2023-05-12T134029.186.png)
   7. Share this JSON file via secure encrypted email with your Customer Success Team

## Fetching Customer ID:

1. Sign into your Google Admin console
2. In your admin console, go to [**Menu > Account** > **Account Settings** > **Profile**](https://admin.google.com/ac/accountsettings/profile)
3. Share the Customer ID with your Customer Success Team

## Grant OAuth Scopes

This step grants the Service Account explicit permission (OAuth Scopes) to access and manage data across your domain using the enabled APIs.

Get Client ID:

1. Navigate back to the Service Account details in the GCP Console (APIs & Services > Credentials).
2. Find and copy the Unique ID of the Service Account (often labeled as "Client ID" in DWD steps).
3. Navigate to DWD Settings:
4. Sign into your Google Admin console using a Super Admin account.
5. Go to Menu > Security > Access and data control > API controls.
6. Under the Domain-wide Delegation pane, click Manage Domain Wide Delegation.
7. Add/Edit Client Access:
8. Click Add new.
9. In the Client ID field, paste the Unique ID you copied from the Service Account.
10. In the OAuth scopes (comma-delimited) field, enter the full, comma-separated list of required scopes enumerated in detail below.

### Required Google Workspace API Scopes for Group and User Management

The following OAuth 2.0 scopes must be authorized via **Domain-Wide Delegation (DWD)** to ensure your Service Account can perform group creation, modification, membership changes, and read necessary directory and audit data. These scopes are mandatory for administrative actions.

([https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/apps.groups.settings,https://www.googleapis.com/auth/admin.reports.audit.readonly](https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/apps.groups.settings,https://www.googleapis.com/auth/admin.reports.audit.readonly))

### Scope List Summary (Reference)

| Scope                           | Purpose                                                                                                                     |
| :------------------------------ | :-------------------------------------------------------------------------------------------------------------------------- |
| `admin.directory.group`         | Create, update, and delete Google Groups (Group metadata).                                                                  |
| `admin.directory.group.member`  | Add, remove, and update user membership in Groups.                                                                          |
| `apps.groups.settings`          | Update group configurations (e.g., who can post, moderation settings) to avoid the `ACCESS_TOKEN_SCOPE_INSUFFICIENT` error. |
| `admin.directory.user.readonly` | Read user details for identity lookups.                                                                                     |
| `admin.reports.audit.readonly`  | Read audit logs and activity reports for compliance and troubleshooting.                                                    |

11. Click Authorize.

## Assigning Google Admin role to the service account:

1. Sign into your Google Admin console
2. In your admin console, go to [**Menu** > **Account** > **Admin roles**](https://admin.google.com/ac/accountsettings/profile)
3. Find the **Group Admin** role, select the role and click **Assign admin**
4. Select **Assign service accounts**
5. Enter the email address of the service account
6. Click **Add** > **Assign role**
7. Once complete, app should be visible in app list
   <Callout intent="info">
     You will see the Group admin role applied to the service account in your Admin audit log. Additionally, all actions taken by the Service Account will be shown in your Admin audit log.
   </Callout>