
How to automate: Be lazy and automatically manage Google Workspace users 1 time per month.

Hugo David

In today’s How to Automate, we will learn how you can quickly and almost automatically manage Google Workspace users from Slack monthly, thanks to Mindflow. No need to hop on Google Admin!

Employees come and go. Groups are created for specific purposes, sometimes temporary purposes. Users can be wrongly suspended. Suspended Users may have to be deleted at some point. Admins need to be reviewed regularly on top of having notifications set up for new admins. Besides being compliant with security frameworks, periodically checking the users on the tools you use is part of mandatory sanity measures for an organization. It helps track what is happening and ensures no obvious and dangerous loopholes are in your directory.

However, as the tools multiply, you must perform this review on most, if not all, of them, depending on your risk strategy. In that case, you would review critical tools first, before the ones considered less critical. If you use Google Workspace, it would be at the top of the list, since you most likely use Google as your identity provider.

In the following Flows, we will learn how IT folks can manage Google Workspace users with only a few Slack commands. To do so, we will only orchestrate Google Workspace through Google Admin Directory SDK API and Slack. Most of the work will be done using Mindflow’s core functionalities.


Before we dive in, have a quick look at the main Flow.


First Flow: Manage Google Workspace users with scheduled reports

Let’s get started! Create your Flow on Mindflow and name it as you want. We will call it “Google Workspace Groups/last login/Admins/Suspended users monthly scheduled review”. Add an emoji of your taste as well! I chose an otter.

Prerequisites: Slack credentials. OAuth 2 authentication set up in Mindflow’s Vault with the following scope for Google Admin Directory SDK API:

In the coming weeks, I will do a tutorial to walk you through the mess of setting up Google’s APIs and scopes! Pinky swear!

The following tutorial will be divided into 7 sections, each covering a milestone, so get ready.

Set up the schedule to generate reports to manage Google Workspace users.

We want to trigger this Flow every month on the 28th automatically. To do so, click the little calendar icon next to the Flow’s title. Select “At regular interval” under the first field in the pop-over. Then select “Monthly”. Finally, pick the number 28 and then fill in the hours and minutes.

Your schedule is ready.


Get all Groups from Google Workspace

Create one Transform Data as your first step and name it Setting variable message_1. Click on the little gear icon at the bottom left of the step. In the pop-over window, click on “Add an item”. Name this item message_1. Leave it empty. We will use it later in the Flow.


Following message_1, click the little square icon next to the settings to create a new step. In the pop-over, search for Google directory.groups.list and choose the “Retrieves all groups of a domain or of…” API action listed under Google Admin Directory SDK API. Select the credential in the Settings panel.

In the input panel, fill the “Domain” field with the domain whose groups you want to scan. This can be hard-typed (as in the example) or dynamic, set up at each execution through a Bot command. You can create a Slackbot command /groupscan “your_domain” on Slack and have Mindflow update the “Domain” field at each execution.

Once configured, run the call once. When it has run, you will see the answer from Google, which contains all the groups’ information in a table named “groups”:

Retrieving information for each group

After your Google API call, create a For-each loop and name it For each Group. When created, click on the gear icon.

In the settings panel, in “Source”, type “/” and, in Steps, select the Google Admin API call you ran. Select the execution log and then Pick the “groups” table.


Inside the loop, create a Transform Data. Name it message_1 output. Click on the gear icon and then “Add an item”. Name this item message_1, like the first variable you created at the beginning of the Flow. Once the item is created, type “/” and invoke the variable message_1. Press Enter and type a few “–” to format the message. Now, type the following text:

To populate each field, simply type “/”, click on For each under FLOW, and Pick the desired field. Setting this variable will enable Mindflow to update the output at each iteration.

Your For each Group is set!

Now, create a step and select the chat.postMessage Slack API call. Configure the credentials. In the input tab, under “Channel”, fill in the ID of the channel you want to send the report to. Under “Text”, type:

“Here is your Google Workspace active Group(s) report. If you wish to take action on a specific Group, please type /deletegroup “Group’s name”.” We will talk more about these commands later on.

Then type “/” and invoke your variable message_1.


Get all Users

We want to retrieve all users under the domain you wish the report to be created on. To do so, create a new step under the last step. In the pop-over, type “directory.users.list” and select the action from the Google Admin Directory SDK API.


Once created, configure again the domain you want to retrieve users from.

Retrieving Users that have not logged in in the past 7 days

After the newly created Google call, create a For-each loop and name it For each User. In Source, type “/” then select the “Retrieves a paginated list…” step, then Pick the User table.

Inside the For-each, create a condition named Extracting active users. Add a Transform Data to create a branch in the condition. Click on Settings under this condition and on the arrow to configure it. To populate the input field, type “/” to Pick “suspended”, then select “Is false”. This will extract only the list of active users.

In the Transform Data step you just created, we will emulate the last login date to compare it to the current date. To do so, first, rename it Substract last_login and current_day and, inside, create 3 items named as such:

Apply the following functions:

  1. last_login: type “/” and select lastlogintime. Apply a Slice function: start 8, end 10.
  2. current_day: type “/”, go to “Retrieves a paginated…” and select Date in the Header of the API call answer. Apply a Slice: start 5, end 7.
  3. subtract: get current_day “SPACE” last_login. Apply a Subtract with the delimiter “space”.

Your Transform Data should look like this. We are transforming two different dates to be able to compare them and determine the number of days since the user’s last login.


After this Transform Data, create a condition and a Transform Data following it. Name the condition Last login > 7 days? and go into the condition’s settings to create a Compare. In the input field call subtract, then select “is greater than”, then type 7.

Rename the Transform Data message_2 output. Create an item called message_2. Inside, invoke message_2.


Start a new line, type “–”, then:

In front of each, type “/” and pick the corresponding data. It will look like the image below.


Outside For each User, create a Slack chat.postMessage API call. Select your channel. In the Text field, type:

“Here is the list of users that have not logged in in the last 7 days. If you wish to suspend one of the reported Users, please type /Suspend “User email address”.” Then call message_2.
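Subtracting the two day-of-month slices only measures inactivity when both dates fall in the same month, so on a run on the 28th an account last used on the 30th of the previous month yields -2 and is never reported. The sketch below is an added example, not part of the original Flow or of Mindflow: it runs the Flow's comparison and a full-timestamp comparison over a constructed users list and shows which inactive accounts the slice method misses (the sample users, the Date header value and the function names are assumptions).

```python
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample shaped like a directory.users.list response (not real data).
# Assumption: an account that never signed in reports the 1970 epoch.
USERS = [
    {"primaryEmail": "ana@example.com", "suspended": False, "lastLoginTime": "2023-05-27T08:12:00.000Z"},
    {"primaryEmail": "bob@example.com", "suspended": False, "lastLoginTime": "2023-04-30T17:40:00.000Z"},
    {"primaryEmail": "cy@example.com", "suspended": False, "lastLoginTime": "2023-02-25T09:00:00.000Z"},
    {"primaryEmail": "dee@example.com", "suspended": False, "lastLoginTime": "1970-01-01T00:00:00.000Z"},
    {"primaryEmail": "eve@example.com", "suspended": True, "lastLoginTime": "2023-01-02T09:00:00.000Z"},
    {"primaryEmail": "fay@example.com", "suspended": False, "lastLoginTime": "2023-05-15T09:00:00.000Z"},
]
DATE_HEADER = "Sun, 28 May 2023 09:00:00 GMT"  # constructed HTTP Date header


def inactive_by_day_slice(users, date_header, days=7):
    """The Flow's comparison: slice(5, 7) of the header minus slice(8, 10) of lastLoginTime."""
    today = int(date_header[5:7])
    return [u["primaryEmail"] for u in users
            if not u["suspended"] and today - int(u["lastLoginTime"][8:10]) > days]


def inactive_by_timestamp(users, date_header, days=7):
    """Compare full timestamps, so month and year boundaries are handled."""
    cutoff = parsedate_to_datetime(date_header) - timedelta(days=days)
    flagged = []
    for u in users:
        if u["suspended"]:
            continue
        last_login = datetime.fromisoformat(u["lastLoginTime"].replace("Z", "+00:00"))
        if last_login < cutoff:
            flagged.append(u["primaryEmail"])
    return flagged


def missed_by_day_slice(users, date_header, days=7):
    """Inactive accounts the day-of-month subtraction fails to report."""
    sliced = set(inactive_by_day_slice(users, date_header, days))
    return [e for e in inactive_by_timestamp(users, date_header, days) if e not in sliced]


if __name__ == "__main__":
    print("day slice :", inactive_by_day_slice(USERS, DATE_HEADER))
    print("timestamp :", inactive_by_timestamp(USERS, DATE_HEADER))
    print("missed    :", missed_by_day_slice(USERS, DATE_HEADER))
```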

Retrieve current Admins

After the last step, create a Transform Data, and rename it Setting variable message_3. Add an item, name it message_3. Create a For-each loop, name it For each Admin. In Source, select “Retrieves a paginated list…” and the table users.

Create a condition named Checking for current Admins followed by a Transform Data. Configure the condition’s branch as such: create a compare function, type “/” to Pick “isAdmin”, and select “Is true”. Rename the Transform Data message_3 output. Create an item named message_3. Inside, get message_3, separate with “–”, then type:

Then “/” and select the corresponding field inside the For each Admin under FLOW.

Outside the For each Admin, create a chat.postMessage Slack API call. Select your channel. In Text, type: “Here is your current Admins report:” and call message_3.

Retrieve suspended Users

After the last Slack call, create a Transform Data named Setting variable message_4. Inside, add an item and name it message_4. Create a For-each named For each suspended User. In Source, call “Retrieves a paginated list…” and the table users. Inside the loop, create a condition named Checking for suspended users followed by a Transform Data.

In the condition’s branch, create a compare function. Input “/” Pick “suspended” and set it to “Is true”. Rename the Transform Data message_4 output. Add an item and name it message_4. Inside, call message_4, separate with “—” and type:

Type “/” and Pick the corresponding fields. Outside the For each suspended User, create a chat.postMessage. Select your channel. Under “Text” type:

“Here is your currently suspended Users report. If you wish to unsuspend a suspended User, please type /Unsuspend “User email address”. If you wish to definitely delete a suspended User, type /DeleteUser “User’s email address”.” Then call message_4.

The first Flow is done. Run it once to see all the green pills pop!


Second Flow: Manage Google Workspace users with Slackbot commands

To act on all the reports Mindflow has generated, we are going to create 4 commands to set up a Slackbot that will help us query Google Admin Directory SDK API endpoints.

First, a quick look at the final Flow.


To create this, start by creating a new Flow, this time called “Slackbot: Actions to manage Google Workspace users.” Again, choose your emoji! This time, I chose the sloth. Once created, click on it to open it and then click on the gear icon right next to the Flow’s title. Once opened, you will be able to see all the different Hooks with which you can trigger this Flow. Copy the first HTTP webhook URL.

Once done, go to https://api.slack.com/apps/“YOURWORKSPACEID”/slash-commands? and create a new command. Let’s say we create the /suspend command. Fill in as described in the image below.


Repeat the same process for the 3 other commands: /unsuspend, /deleteuser, and /deletegroup. Make sure not to use capital letters, because Slack returns lowercase only. Also, always paste the same HTTP webhook URL.

On to the Flow. First, create a condition. Then, create 2 steps calling the directory.users.update API call from Google Admin Directory SDK API, 1 step calling the directory.users.delete, and 1 step calling the directory.groups.delete action from Google Admin Directory SDK API.

Go into the condition’s settings and name the branches as follows:

  1. Unsuspend that leads to Updates a user
  2. Suspend that leads to Updates a user
  3. Delete User that leads to Deletes a user
  4. Delete Group that leads to Deletes a group

To configure the triaging, you are going to create a compare function for each branch by clicking on the arrow on the right, as shown below. Once the compare function is created, type “/” as input, select “Slackbot 1.0” inside TRIGGERS and then command. Now, select “Is equal to” and then type the Slack command corresponding to the branch you are in.

There is not much left to configure in the following steps. Make sure you turn the boolean “Suspended” on for the step to which the branch Suspend is leading. Do the opposite for the Unsuspend branch.
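The triage above, written out as an added example that is not Mindflow's or the author's code: it maps a Slack slash-command payload to the Directory API request each branch issues, and adds two checks the Flow does not describe, a caller allow-list and a managed-domain check on the target. The Slack user ID, the domain and the function names are hypothetical, and /deletegroup is assumed to receive the group's email address as its key.

```python
import re
from urllib.parse import quote

API = "https://admin.googleapis.com/admin/directory/v1"
ALLOWED_SLACK_USERS = {"U0ADMIN01"}  # hypothetical allow-list of Slack user IDs
MANAGED_DOMAIN = "example.com"       # constructed; the domain the Flow manages
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)")

# Slash command -> (HTTP method, Directory API resource, JSON body)
ROUTES = {
    "/suspend": ("PUT", "users", {"suspended": True}),
    "/unsuspend": ("PUT", "users", {"suspended": False}),
    "/deleteuser": ("DELETE", "users", None),
    "/deletegroup": ("DELETE", "groups", None),
}


def plan_request(payload):
    """Map a Slack slash-command payload to (method, url, body); raise ValueError otherwise."""
    if payload.get("user_id") not in ALLOWED_SLACK_USERS:
        raise ValueError("caller is not allowed to run directory commands")
    route = ROUTES.get(payload.get("command", ""))
    if route is None:
        raise ValueError("unknown command")
    # Strip the quotes the report messages show around the argument.
    target = payload.get("text", "").strip().strip('"“”')
    match = EMAIL_RE.fullmatch(target)
    if match is None or match.group(1).lower() != MANAGED_DOMAIN:
        raise ValueError("target must be an address in the managed domain")
    method, resource, body = route
    return method, f"{API}/{resource}/{quote(target, safe='@')}", body


def try_plan(payload):
    """Return the planned request, or the rejection reason as a string."""
    try:
        return plan_request(payload)
    except ValueError as err:
        return f"rejected: {err}"
```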


Finally, create a Slack step following each Google step to send a notification to the desired channel stating that you have correctly performed the desired action.

Of course, if you want traceability for all of this, you can add Jira to the overall Flow. You will have to query the /issue action to create an issue and, if you need to update the issue, query the issue/{issueIdOrKey} action and configure it by typing “/” to open the first Jira API call’s answer and Pick the Issue ID.

Et voilà! A whole automated Flow to manage Google Workspace users from Mindflow!