Configure Netskope user provisioning

 

You can set up automated user provisioning (autoprovisioning) so that any changes you make to user accounts in Google Workspace are automatically synced with this third-party app.

Automated user provisioning operates only on active, suspended, or deleted users. It doesn't include archived users.

Before you begin

Before you can set up automated user provisioning, you need to set up SSO for Netskope. For the steps, go to Netskope cloud app.

Set up automated user provisioning

Expand section  |  Collapse all

Get API access token & add endpoint URL for Netskope
  1. Go to your Netskope sign-in page and sign in with your Netskope administrator account.
  2. On the side, click Settings.
  3. On the side, click Toolsand thenREST API v2.
  4. Click New Token
  5. For Token name, enter a token name.
  6. Click Add Endpoint, search for SCIM, and select api/v2/scim/Users.
  7. For Privilege, select Read + Write.
  8. Click Save.
  9. Click Copy Token and save the access token.
    You need it to complete the setup in the Google Admin console.
  10. Click OK.
Set up autoprovisioning for app

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.
  3. Click Netskope.
  4. For Autoprovisioning, click Configure autoprovisioning.
  5. For Access token, paste the access token that you copied from Netskope.
  6. Click Continue.
  7. For Endpoint URL, replace {tenant-name} with the tenant name that you set up when you signed up for your Netskope account.
  8. Click Continue.
  9. For App attributes, verify that all mandatory attributes—those marked with an asterisk (*)—are mapped to Google directory attributes. If not, click the Down arrow  and map them to the appropriate attribute.

  10. Click Continue.
  11. (Optional) To limit autoprovisioning to specific groups of users:
    1. For Search groups, enter one or more letters of the group name, select the group name, and choose a scope.
    2. Add any additional groups.
    3. (Optional) To remove a group, click Remove .

      If a group has users from a secondary domain or from outside of your organization, those users are not provisioned.

  12. Click Continue.
  13. Decide how long users have access to the app after the app is turned off for them or their Google Workspace account is suspended or deleted. You can hard delete their account in Netskope. You can set the time frame individually for each option and choose within 24 hours or after one, 7, or 21 days. 
    1. Choose options for each of these settings, as needed:
      • When an app is turned off for a user
      • When a user is suspended from Google
      • When a user is deleted from Google

      If you hard delete the user account in Netskope, the account is removed from the workspace. Always set more time before hard deleting a user's account

    2. Click Finish
  14. Turn on Autoprovisioning.
  15. Click Turn on to confirm.

Edit provisioning information

Expand section  |  Collapse all & go to top

Edit user groups subject to autoprovisioning

If you turned on the app for certain organizational units, only users in the added groups who are also members of those organizational units are subject to autoprovisioning.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.
  3. Click Netskope.
  4. Click Autoprovisioning.
  5. For Provisioning scope, click Edit.
  6. For Search groups, enter one or more letters of the group name, select the group name, and choose a scope.

  7. Add any additional groups.
  8. (Optional) To remove a group, click Remove .

    If a group has users from a secondary domain or from outside of your organization, those users are not provisioned.

  9. Click Update.
Edit deprovisioning time frames

 You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.
  3. Click Netskope.
  4. Click Autoprovisioning.
  5. For Deprovisioning, click Edit.
  6. Decide how long users have access to the app after the app is turned off for them, or their Google Workspace account is suspended or deleted. You can hard delete their account in Netskope. You can set the time frame individually for each option and choose within 24 hours or after one, 7, or 21 days.
    Choose options for each of these settings, as needed: 
    • When an app is turned off for a user
    • When a user is suspended from Google
    • When a user is deleted from Google
    If you hard delete the user account in Netskope, the account is removed from the workspace. Always set more time before hard deleting a user's account.
  7. Click Update.

Turn off autoprovisioning & delete configuration information

Expand section  |  Collapse all & go to top

You can turn off autoprovisioning for the app without losing configuration information. Or, you can turn off autoprovisioning and remove all configuration information.

Turn off autoprovisioning

You must be signed in as a super administrator for this task.

To turn off autoprovisioning for the app and keep the configuration information:

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.
  3. Click Netskope.
  4. Choose an option:
    • Turn off Autoprovisioning.
    •  Click Autoprovisioningand thenStatusand thenTurn off.
  5. Click Turn off to confirm.
Turn off autoprovisioning & delete configuration information

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.
  3. Click Netskope.
  4. Click Autoprovisioning.
  5. For Delete configuration, click Delete.
  6. Click Delete to turn off autoprovisioning and remove all the configuration information.
    Existing users will not be removed from Netskope and can still use the app.

Review usage information

  • After you turn on autoprovisioning, you can review usage information. For details, go to Monitor automated user provisioning.
  • You can review the following usage information for the last 30 days:
Admin log event Description
Create User By Auto Provisioning Users created by autoprovisioning
Update Auto Provisioned User Users updated by autoprovisioning
Hard Delete Auto Provisioned User Users deleted by autoprovisioning
Failures Failed requests

If autoprovisioning stops working…

Sometimes, due to account inactivity or if the admin password for Netskope changes, autoprovisioning stops working. To continue syncing user accounts in Google Workspace to the app, you need to reauthorize autoprovisioning.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.
  3. Click Netskope.
  4. Click Autoprovisioning.
  5. For App authorization, click Reauthorize.
  6. For Access token, enter the Access token from Netskope.

    If you need to generate another token, follow the steps in Get API access token & add endpoint URL for Netskope (earlier on this page).

  7. Click Re-authorize.

For details on other reasons why autoprovisioning might stop working, refer to the app’s documentation.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu