Articles in this section

See more

Sapling - G Suite Integration Guide

Avatar
Alice McAnaw
  • Updated
Follow

Introduction

The Kallidus Sapling platform helps HR and People Operations teams automate and streamline administrative tasks so they can focus on employee experience,  retention, and creating an amazing culture for the most successful teams.

G Suite is a suite of intelligent apps, including Gmail, Docs, Drive, and Calendar, designed to help your team communicate, store information, and create.

With our G Suite integration, you can:

  • Assign a company email address to a new hire when onboarding

  • Automatically set up an employee's G Suite account with the information from the new hire’s employee record 

  • Assign an employee's G-Suite Organizational Unit (OU) and Group

  • Suspend an employee's G Suite account during the termination process

  • Accounts can be reactivated by IT admins, however, the email cannot be accessed whilst suspended

All of the activities taken by Kallidus Sapling are tracked and recorded in the Admin console audit log.

Important to note: Currently we do not support data sync for existing employee attributes. We can only sync data for new employees who have been onboarded via Kallidus Sapling.

To work around this:

  • Setup a custom report on field changes that you care about being updated in G Suite, and have IT check in on that report to confirm changes in Kallidus Sapling took effect in G Suite

This article covers the following topics:

Before integrating with G Suite, make sure you have:

  • Admin or Account Owner permission status in Sapling 

  • Obtained administrator access on your G Suite domain to set up the integration. 

  • If your administrator access is revoked in the future, your integration will stop functioning.

This Integration Guide is split into two sections:

Part A: The User Experience

  1. How does Sapling set up the account during Onboarding?

  2. How does Sapling suspend the account during Offboarding?

Part B: Setting up the G Suite integration

    1. Ensure API Access is enabled in your Google Admin

    2. Enable the G-Suite integration in Sapling

Part A: The User Experience

1. How does Sapling set up the account during Onboarding?

When onboarding an employee in KallidusSapling, confirm the company email address - this will be based on the G-Suite account you have integrated and will become a required field.

When entering the new hire’s company email in step 1 of the onboarding flow “Create Profile”, Sapling will verify that the email address is available for use.

Leaving the company email blank means Kallidus Sapling does not set up the company email or G-suite account.

mceclip0.png

*Note: If email provisioning is enabled, it will default to be enabled and for credentials to be sent on the start date. This can be updated during the first step of the onboarding flow.
However, it can't be updated after the onboarding of a team member has been initiated. 

Additionally, Sapling allows users to create G-Suite Organizational Units (OUs) and Groups to control what services and features are available to whom in the company (e.g. one OU might have access to YouTube while another does not).

To select the new hire's OUs and Group, scroll down to Google Organizational Unit and Groups and make a selection from the drop-down list.

*Note: If your Google Admin makes updates to your internal OUs/Groups, Sapling will refresh what options are displayed during onboarding every 24 hours.

Information sent from Sapling to G-Suite

At the end of the new hire onboarding flow (step #5 - “Send Invite”), Sapling will provision the G-Suite Account when the New Hire onboarding event is confirmed.

Sapling sends the following information to the G-Suite profile:

  1. First Name
  2. Last Name
  3. Company Email (primary email)
  4. Personal Email (secondary email)
  5. Department
  6. Location
  7. Manager

Email notification to new hire

The New Hire will then receive a notification to their secondary email (personal email) at the time specified by the Onboarding Admin informing them of access to their G-Suite account (this is based on the time setting in your Company’s General Settings).

Three important things to note:

  • If this time has already passed (i.e. they started today), this email will be sent immediately.
  • You can send the 'Getting started instructions' ahead of time, which can be collected from the G-Suite account once provisioned
  • Once the G-Suite account has been scheduled after completing onboarding, admins will not be able to edit the time specified nor can they delete the G-Suite account before it’s provisioned by Sapling

The person who Onboarded the new hire (typically the Program Lead) will be Bcc’d on this email to ensure visibility on the workflow.

When the new hire logs into their Company G-Suite Account, they will be prompted to create a new password. 

The new hire will then have access to their company email inbox.

How to set password requirements?

  1. In your Google Admin console (at admin.google.com)...
  2. Go to Security > Password management.
  3. On the left, select the organizational unit where you want to set the password policies. For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization. 
  4. In the Strength section, check the Enforce strong password box. Strong passwords use a mix of letters, numbers, and symbols, and should not be common or previously used. 
  5. In the Length section, enter a minimum and maximum length for your users' passwords. It can be between 8 and 100 characters.
  6. (Optional) To force users to change their password, check the Enforce password policy at the next sign-in box.If you don’t check this option, users with weak passwords can access your organization’s Google services until they decide to change their password.
  7. (Optional) To allow users to reuse an old password, check the Allow password reuse box. You cannot set the password history that Google reviews to prevent reuse.
  8. In the Expiration section, select the period of time after which passwords expire.
  9. Click Override to keep the setting the same, even if the parent setting changes.
  10. If the organizational unit's status is already Overridden, choose an option:
  • Inherit—Reverts to the same setting as its parent.
  • Save—Saves your new setting (even if the parent setting changes).

Make sure to also give your users tips for creating a strong password.

2: How does Sapling suspend the account during Offboarding?

Sapling suspends a user's G Suite account based on the Access Cutoff specified during the offboarding workflow. 

**Note: As long as you have deprovisioning rules set up in G-Suite to take effect to de-provision access based on the offboarding request, it can de-provision/suspend access to all software that's been provisioned via the G-Suite account. 

 

Part B: Setting up the G Suite integration

There are two steps in the set-up process and takes approximately 5 minutes:

1: Ensure API Access is enabled in your Google Admin

The first step is to ensure that API access is enabled within G Suite directly.

You will need to have administrator permissions on the Google Account you want to link in order to set up the integration. Additionally, you will need to ensure you have enough Google licenses, otherwise, user creation will fail.

Step #1:

As a Google Administrator, log in to Google’s Admin console (https://admin.google.com) and ensure API access is enabled in your G-Suite Account.

Step #2:

To verify that it is enabled, log in to your admin account and select Security> App access control > Manage third-party app access.

If Security is not listed, select More controls > Security from the options shown in the gray box. 

Step #3:

On the security page, select API Controls or App Access Control, and then select the checkbox to Manage third-party app access

Step #4:

Then select Configure New App> Oauth App Name or Client Id

Step #5:

Then search Sapling HR and select Sapling HR, which has a client ID

Step #6:

Then select Trusted. Can access all Google Services >Configure

 

2: Enable the G-Suite integration in Sapling

When logged in as a Sapling Account Owner, navigate to Admin > Integrations and you’ll see the integration widget.

Click Add and you will be presented with a pop-up requiring the Organization URL of your company’s G-Suite domain (without the www.). By clicking Save, you’ll then be prompted to authorize your account.

Click Authorize. Google will then ask you to confirm that Sapling can provision and delete users on your domain.

Once G Suite and Sapling are synced, the G Suite app will be shown as Authorized in your account.

You can disable the G Suite <> Sapling sync at any time by clicking it and selecting “Unauthorize”.

Enforcing Multi-Factor Authentication

2-Step Verification adds an extra layer of security to your users' G Suite accounts by requiring them to enter a verification code in addition to their username and password when signing in to their account.

It can be enabled for your domain in your Security Settings.

To ensure 2FA on new accounts generated by Sapling, you’ll need to ensure 2FA is turned on in your advanced security settings.

 

Managing Licences

If you need more licenses for a Google service, how you add them depends on how you signed up for your service and your plan type (G Suite only).

This article contains information on how to get more licenses.

Security & Auditing

All of the activities taken by Sapling are tracked and recorded in the Admin console audit log.

To view a log of events in your Google Admin Account, navigate to reports.

Here you can select ‘Admin’ to see a list of activities occurring in your company’s Google Admin account, as well as the associated user and IP Address.

 

Frequently Asked Questions

Start Date Changes

  • What happens if the new hires' start date changes?
    As Sapling provisions the account and schedules the email notification at the time of onboarding, any subsequent changes are not updated between Sapling and G-Suite - hence changes in start dates must be managed manually in G-Suite.

    If the new start date is sooner than the previous start date, G-suite Admin would need to manually reset the password for the new hire and share it with them. The new hire can then ignore the automated password email notification being sent by Sapling based on the schedule selected originally during the onboarding process. 

    If the new start date is later than the previous start date, to delay new hires' access to the G-suite account, you can consider temporarily disabling/suspending the account and restoring it when the new hire starts working with you. 

Access levels

  • Our Gmail accounts are provisioned with different access levels. Once they are created, can the accounts be updated like they would if we provisioned them on our own?
    This is typically managed by the IT Admins directly in G-Suite. We only send location, department, manager, etc.

Terminations

  • When terminating an employee, if we wanted account access to be shut off at different times, is that possible? I.e. sometimes 5 pm on the day of termination is too late or too early.
    Yes, it is possible to suspend a G Suite account at a time more convenient to you. To do so, simply specify the desired Access Cutoff time during the offboarding workflow.

Personal and Company Emails

  • Sapling can send both the personal and company email to our Google Admin Account which then appears in the Global Address book. How to disable sending personal email?

  • Can we send it, but hide the personal email from being viewed?
    Yes - please see the 'Turn on the Directory and set sharing options' in this link
    https://support.google.com/a/answer/60218#enable

    There are a few options to manage this, but we believe the best is: 'Only show email addresses on the user's primary domain'  

Related articles

Comments

0 comments

Please sign in to leave a comment.