The steps below ensure that Tricent has the required APIs and permissions enabled to work correctly on your Google Workspace domains.
You will need to complete the following seven steps:
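- Create a new Google Cloud Platform project for Tricent
- Enable Google Drive and Admin SDK APIs in the new project
- Add the Tricent application to your Google Workspace domain
- Create admin role for Directory lookups and Shared Drives inventory and cleanup
- Create a user, add the newly created admin role, and log into the account
- Add app.tricent.com to allowlisted domains
- Send us your technical details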
We know it looks like a bit of a mouthful, but most steps are pretty simple, and all of it is detailed step-by-step in the sections below.
1. Create a new Google Cloud Platform project for Tricent
1.1 While logged on as a Google Workspace Admin open the Google Cloud Platform console at
1.2 In the top menu, click the dropdown Select a project.
1.3 Click New Project.
1.4 Give your project a name that makes sense to you in Project name. For instance, "Tricent for Google."
1.5 If you don’t have a Billing account, go ahead and create one. You will not be charged for any resources the Tricent application uses on your Google Workspace domain. This is simply a formal requirement from Google.
1.6 Click CREATE to finish setting up the new project.
2. Enable Google Drive and Admin SDK APIs in the new project
2.1 Whilst logged on as a Google Workspace Admin in Google Cloud Platform, open
2.2 Click the blue ENABLE button - while ensuring that you are in the newly created project.
2.3 Whilst logged on as a Google Workspace Admin open console.cloud.google.com/apis/library/admin.googleapis.com
2.4 Click the blue ENABLE button - while ensuring that you are in the newly created project.
3. Add the Tricent application to your Google Workspace domain
3.1 Log into admin.google.com with a super admin account.
3.2 Expand the Security section, then Access and data control, and click API controls.
3.3 Click the Manage Third-party app access section on the right-hand side of the menu content.
3.4 Under Configured apps, click the Add app dropdown and select the OAuth App Name Or Client ID option.
3.5 In the search field, enter Tricent and click SEARCH.
3.6 Click Select in the Tricent Compliance Tools entry.
3.7 In Client ID, select the two client IDs:
and click the Select button.
3.8 Now tick Trusted: Can access all Google services and click Configure.
3.9 Back in the Configured apps list, you should now see two client IDs as Trusted, if you search for Tricent in the filter menu.
3.10 Go to the main App Access Control section again at admin.google.com/ac/owl
3.11 Click the Manage Domain Wide Delegation link in the bottom panel.
3.12 In the top menu, click Add new.
3.13 In the Add a new client ID popup menu, enter the following values.
On the Client ID line
On the OAuth scopes line (including commas)
https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.metadata.readonly, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile
3.14 Then click the Authorize button.
3.15 Back at the API clients menu, click Add new once more and add the following values
On the Client ID line
On the OAuth scopes line (including commas)
3.16 Click the Authorize button.
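The scope line in step 3.13 is easy to mistype, and a domain-wide delegation grant should contain exactly the scopes requested and nothing broader. The Python check below is an added example, not part of Tricent's documentation or tooling; the function names are hypothetical and the sample input is constructed.

```python
# Added example (not Tricent code): audit a pasted domain-wide delegation
# scope line against the four scopes listed in step 3.13.
PREFIX = "https://www.googleapis.com/auth/"

EXPECTED_SCOPES = frozenset({
    PREFIX + "drive",
    PREFIX + "drive.metadata.readonly",
    PREFIX + "userinfo.email",
    PREFIX + "userinfo.profile",
})


def parse_scope_line(line):
    """Split a comma-separated scope line into (scopes, malformed entries)."""
    scopes, malformed = set(), []
    for raw in line.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing or doubled comma
        if any(ch.isspace() for ch in entry):
            # A forgotten comma leaves two scopes fused into one entry.
            malformed.append(entry)
        else:
            scopes.add(entry)
    return scopes, malformed


def audit_scope_line(line, expected=EXPECTED_SCOPES):
    """Report how a granted scope line differs from the expected set."""
    scopes, malformed = parse_scope_line(line)
    return {
        "missing": sorted(expected - scopes),
        "unexpected": sorted(scopes - expected),  # broader than requested
        "malformed": malformed,
        "ok": scopes == expected and not malformed,
    }


if __name__ == "__main__":
    # Constructed sample: one comma forgotten, one extra scope granted.
    sample = (PREFIX + "drive, " + PREFIX + "drive.metadata.readonly "
              + PREFIX + "userinfo.email, " + PREFIX + "userinfo.profile, "
              + PREFIX + "admin.directory.user")
    for key, value in audit_scope_line(sample).items():
        print(f"{key}: {value}")
```

Paste the scope line as it appears in the Domain Wide Delegation list for the client; any entry under "unexpected" is access beyond what step 3.13 asks for.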
4. Create admin role for Directory lookups and Shared Drives inventory and cleanup
Note that the account assigned to this role needs to be fully licensed in order to perform all the required actions. By default, an account with the Super Admin role cannot be used for this purpose, as it does not have the necessary API permissions.
Please follow the steps below to create a custom admin role with the exact permissions required and assign a standard user account to the custom admin role.
This account will also, by default, be used for the inventorying and cleanup automation on Google Shared Drives. The Google Drive API requires that the account is a member of the Shared Drives to accomplish this. Hence, it is a good idea to give it a descriptive name, so you are never in doubt about what the account is used for.
REMEMBER: The Tricent lookup account for Directory lookups and Shared Drives adds itself as a manager member to each Shared Drive in your Google Workspace domain.
4.1 Whilst logged on as a Google Workspace Super Admin, go to admin.google.com/ac/roles.
4.2 Click the Create new role button.
4.3 Enter a name (we suggest Tricent Technical Account) for the Tricent directory lookup account role and a description.
4.4 Click Continue.
4.5 In the Admin API privileges section, expand the Organization Units, Users, and Groups drop-downs and select the Read checkbox.
4.6 Scroll to the bottom and check the Domain Management (this also automatically checks Domain Settings) and Domain Allowlist Read boxes.
4.7 In the Admin Console Privileges section, expand the Services section, scroll to the Drives and Docs sub-section, and tick Settings.
4.8 Click Continue.
4.9 Verify your selections are correct - as shown below - and click Create role.
5. Create a user, add the newly created admin role, and log into the account
5.1 Go to Directory and then Users.
5.2 Click Add new user.
5.3 Fill out the user creation form. Below is an example, but you can name the account to your liking.
5.4 Click Add new user once you are happy with the form. Please remember that this account needs a paid license - at minimum, Business Standard.
5.5 Find the newly created Tricent user in your Google Workspace Directory and click the account link.
5.6 Click the Admin roles and privileges section.
5.7 Find the custom admin role you created earlier and assign it to the user.
Please note! Even though the account is only used for API directory lookups and Shared Drive scanning, we highly recommend that you protect it with 2-step verification using the Google Authenticator app or, preferably, a hardware Security Key.
5.8 Click Save.
5.9 Finally, please log in with the account to activate it.
6. Add app.tricent.com to allowlisted domains
6.1 Go to admin.google.com/ac/domains/allowlisted and click Add domain.
6.2 Enter “app.tricent.com” in the Add domains input form and click Add and then Save.
6.3 Validate that the Allowlisted domain is added.
7. Send us your technical details
7.1 The final step is to reply to the welcome email we sent you with the following five pieces of information:
- Your 9-digit Google Workspace ID. You find it at admin.google.com/ac/security/ssocert. It is the value shown after ?idpid= under SSO URL. The ID is case-sensitive.
- The Tricent directory lookup account that you created in section 5 - the format is user@domain
- Your main Google Workspace DNS Domain. You find it at admin.google.com/ac/domains/manage. We are looking for your Primary domain.
- The Super Admin accounts you want to be added to the Tricent tool when we onboard you. The format is user@domain
- Your organization name. Your choice on this one. The organization name you give us here will appear in the sender name of the notification emails that Tricent sends to your users, just before "Drive Compliance Tool".
All data sent to us is handled in accordance with our DPA, which is available at tricent.com.
Thanks. You've done your part for now.
We'll start setting up our end of the connection and will contact you once everything is ready.