Through the Vanta and Google Workspace integration, you can create a connection to import your employees seamlessly into Vanta using the SCIM protocol.
This integration requires a user with the Google Workspace Super Administrator permission in order to configure it.
Before you begin you must identify if you are going to be using only Vanta's default roles or if you will be using custom roles. This is important because Vanta’s default roles can be assigned to entire groups during the integration setup, as long as users are already organized into groups that match their Vanta roles (for example, Admins in an Admin group, Editors in an Editor group, and so on).If this matches your setup and you are only using default roles, you can skip ahead to Step 3 to begin the connection process.
This group-based method does not support custom roles. If you use any custom roles, you’ll need to start at Step 1 below to create a custom attribute in Google so those roles can be assigned to individual users.
If your environment includes a mix of users with default roles and custom roles, we recommend placing users with default roles into role-based groups. This will make role assignment simpler and easier to manage later on and for your groups based on the default roles, you can specify which role a particular group is assigned during the setup process.
If you prefer to manage all role assignments directly in Google Workspace—even when using Vanta's default roles—you can also begin from Step 1 below.
Step 1: Create Custom Attribute
Using a Super Admin account, log into your company's Google Workspace Admin Console
From the left-hand navigation panel, select Directory then Users:
Select More Options and choose Manage custom attributes:
We will be creating a custom attribute in order to allow the User Roles to sync from Google Workspace to Vanta. See this Google Support article for more detail.
Click Add Custom Attribute and tittle the attribute with a descriptive name
We recommend using a name that signifies its relation to assigning roles in Vanta:
Ensure the info type is 'Text', and the visibility is set to Organization, and the Number of Values is set to 'Single':
Select ADD:
Step 2: Assign Role to Users
Google Workspace does not allow custom attribute values to be assigned through groups, so roles must be set per user, either directly in the Google Workspace Admin Console or by using a CSV file for bulk updates.
By default, all users are assigned the Employee (unprivileged) role unless a more privileged role is specified via group membership during setup or a custom attribute. This means you only need to assign roles to users who require more privileged access, such as Collaborator, Editor, Administrator, or a custom role.
Again, all of your users who use a Vanta Default role should be in groups based on their role, so you can assign the role directly to the group during the setup process. Your users with custom roles should also be in their own group with the added step of having to set the custom attribute for them so Vanta can grant them the appropriate role.
For this step you need to identify these users who will have a custom role assigned, move them to a group based on said role, and update their custom attributes to reflect that role.
Like mentioned before setting this attribute is only necessary for users with custom roles. However, if you prefer to manage all role assignments through Google Workspace, then every user with a privileged role needs to have their custom attribute set.
When specifying group names or assigning roles, refer to the roles already set up in Vanta. You can find them by clicking the gear icon in the top-right corner, selecting Login & Security, and then opening the Roles tab under User Provisioning.
To assign a role via a custom attribute, you will need to use the role’s Role ID (shown in the second column) as the attribute value. Each user should have the Role ID of the role they need.
For example if we want to assign the user "Admin Admin" the administrator role via the custom attribute:
You would need to select them from the directory, and click user details once their profile page loads:
From there scroll down to the custom attribute you created and add the Admin role ID value from Vanta to their custom attribute and click save
Another option is to export a CSV from Google, populate the role values for the desired users, and then re-upload the file to perform a bulk update.
Google provides documentation on this process with additional details.
If you encounter any issues while using this method, you may need to manually assign the role IDs as a workaround, or reach out to Google Support for assistance, as this functionality is managed by Google.
Step 3: Configuring SCIM
This step assumes that your users have been organized into role-based groups and if you are using custom roles, the users with said roles have been assigned their roles via the custom attributes configured in Step 1.
Head to Vanta and head to the settings page by clicking the gear icon on the top right, selecting Login & Security from the second left hand menu and going to the User provisioning table to turn on SCIM
Select Google Workspace
Enter your domain name and click Allow Access or choose the second option if you want to choose from all Google Workspace accounts:
Grant Access to your Workspace
If you setup a custom attribute, you will then need to search for it under customSchemas and select it in order to let Vanta know what attribute to check to determine a user's role. Once selected chose save custom attribute.
If you did not setup a custom attribute, leave it blank and click save custom attribute.
Next select the groups you want to sync from google workspace, you can select individual groups or an option to sync all groups:
If you did not configure a custom attribute you will need to specify which role to assign to each of your selected groups. This is why it is important to have predefined groups for your desired roles. For example in the screenshot below the Vanta Employees (SCIM) group has every user who should be assigned the employee role, and we will assign that role to said group:
If some users will get default Vanta roles while others are assigned custom roles, and you haven’t set the default roles through attributes, you can assign the default roles at this step. Keep in mind that custom roles won’t appear in the dropdown menu—this is why you set up a custom attribute. For groups containing users with a custom role, you can leave the role option set to “Not Assigned.”
Once complete, click continue
Click next and select Start sync:
Once complete you can click view directory to see the user count and group count:
If your administrators do NOT have access to Vanta it is likely due to the fact they are in a group that does not have the Administrator role assigned to it, or their custom attribute does not have that value set.