Cleary uses a google service account which delegates domain-wide authority to
- Access your company calendar
- Access your users to keep all the emails in sync
- Access your Google Drive to allow searching over your files within the Cleary platform
- Access and manage your Google Group memberships
With Google-Drive integration, you get to see the same results you would see when you’re searching in drive directly. Any file that the logged in user has access to will show up as a search result. This mirrors the privacy settings for the file in GDrive. Cleary does not access files directly, only file metadata for display purposes.
Prerequisites
- You’ll need administrator access to the Google Cloud Platform account in order to complete these instructions.
To create a service account
Step 1: Create a new google apis project
Step 2: Create a service account json file
Step 3: Enable API Scopes from G Suite Admin Console
Step 4: Send the service account json file to Cleary
Step 5: Verify it was correctly done
Debugging the integration? Skip to the end.
Step 1: Create a new google apis project
- Log in to the google apis dashboard: https://console.developers.google.com/apis/dashboard
- Create a new project for your domain. You’ll need the resourcemanager.projects.create permission.
- Name your project accordingly, we suggest ‘Cleary Integrations’
- Switch into the newly created ‘Cleary Production’ Project
- Go to the API Library and enable the following APIs:
- Admin SDK
- Google Calendar API
- Google Drive API
- Search the library for the apis and enable them:
Step 2: Create a service account json file
You can follow the instructions from google here to create a service account:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount
- Open the Service Accounts Page and select the ‘Cleary Integrations’ Project that was created earlier
- Click Create Service Account
- Fill in the name, account id, description, and click create:
- Next, Skip adding any roles, you don't need them. Click continue
- On the last step, create a new api key:
- Select json type:
This will download a json file to your computer named something like cleary-integrations-52cc83d220f5.json that should look something like this:
{
"type": "service_account",
"project_id": "cleary-integrations",
"private_key_id": "52cc83d220f5e54f15c3abd1c2f5a71fd8730c32",
"private_key": "***FILTERED***",
"client_email": "cleary-integrations@cleary-integrations.iam.gserviceaccount.com",
"client_id": "115230689846459433895",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cleary-integrations%40cleary-integrations.iam.gserviceaccount.com"
}
Also note the email of the owner: - Click done, and click back into the newly created service account page:
- Click Edit, show domain-wide delegation:
- Check the box to Enable G Suite Domain-wide Delegation. In the “Product Name for the consent screen” field, type “Cleary”:
- Back on the service account details page, note the Unique ID:
Step 3: Enable API Scopes from G Suite Admin Console
Follow the steps here: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
- Open up the G Suite Admin Console.
- Open up API controls > Domain-wide Delegation
- Next to “API clients,” click “Add new.”
Client ID:
The Unique ID for the cleary-integrations service account (in our example it was: 115230689846459433895)
These API Scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/drive.metadata.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member
NOTE:
If you don’t want to enable google drive search, the https://www.googleapis.com/auth/drive.metadata.readonly scope can be omitted
If you don’t want to enable google groups management these scopes can be omitted: https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.group.readonly - Click Authorize
Step 4: Send the service account json file to Cleary
- Open the Cleary App
- Navigate to the Admin > App Integrations page
- Expand the Calendars section
- Fill in the information requested
- Press Install
Step 5: Verify it was correctly done
- First, refresh the page to make sure the app reloads with the new configuration (F5)
- Open your user profile and check for the “Schedule” widget, which should show your calendar, with at least “busy” times.
Additional Google features
For additional Google features such as Google Drive search and/or Google Groups management, ask for Cleary Support to enable it for you.
Debugging
- Check that Admin SDK and Google Calendar API are enabled in the API Library
- Check if GSuite domain-wide delegation is on.
- Check if the API scopes for admin.users.directory.readonly and calendar are enabled here.
- Did you create a new user to own the service account? Verify the user is a Super Admin.
- If the above looks correct, delete the scope and re-add it.
- Get a calendar ID from any of your company’s calendars. Try this API by passing in the Calendar ID. Oauth with the user who owns the Service Account. You should see a green 200.