You can set up automated user provisioning (autoprovisioning) so that any changes you make to user accounts in Google Workspace are automatically synced with this third-party app.
Automated user provisioning operates only on active, suspended, or deleted users. It doesn't include archived users.
Before you begin
Before you can set up automated user provisioning, you need to set up SSO for Netskope. For the steps, go to Netskope cloud app.
Set up automated user provisioning
Get API access token & add endpoint URL for Netskope- Go to your Netskope sign-in page and sign in with your Netskope administrator account.
- On the side, click Settings.
- On the side, click ToolsREST API v2.
- Click New Token.
- For Token name, enter a token name.
- Click Add Endpoint, search for SCIM, and select api/v2/scim/Users.
- For Privilege, select Read + Write.
- Click Save.
- Click Copy Token and save the access token.
You need it to complete the setup in the Google Admin console. - Click OK.
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click Netskope.
- For Autoprovisioning, click Configure autoprovisioning.
- For Access token, paste the access token that you copied from Netskope.
- Click Continue.
- For Endpoint URL, replace {tenant-name} with the tenant name that you set up when you signed up for your Netskope account.
- Click Continue.
-
For App attributes, verify that all mandatory attributes—those marked with an asterisk (*)—are mapped to Google directory attributes. If not, click the Down arrow and map them to the appropriate attribute.
- Click Continue.
- (Optional) To limit autoprovisioning to specific groups of users:
- For Search groups, enter one or more letters of the group name, select the group name, and choose a scope.
- Add any additional groups.
- (Optional) To remove a group, click Remove .
If a group has users from a secondary domain or from outside of your organization, those users are not provisioned.
- Click Continue.
- Decide how long users have access to the app after the app is turned off for them or their Google Workspace account is suspended or deleted. You can hard delete their account in Netskope. You can set the time frame individually for each option and choose within 24 hours or after one, 7, or 21 days.
- Choose options for each of these settings, as needed:
- When an app is turned off for a user
- When a user is suspended from Google
- When a user is deleted from Google
If you hard delete the user account in Netskope, the account is removed from the workspace. Always set more time before hard deleting a user's account
- Click Finish.
- Choose options for each of these settings, as needed:
- Turn on Autoprovisioning.
- Click Turn on to confirm.
Edit provisioning information
Expand section | Collapse all & go to top
Edit user groups subject to autoprovisioningIf you turned on the app for certain organizational units, only users in the added groups who are also members of those organizational units are subject to autoprovisioning.
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click Netskope.
- Click Autoprovisioning.
- For Provisioning scope, click Edit.
-
For Search groups, enter one or more letters of the group name, select the group name, and choose a scope.
- Add any additional groups.
- (Optional) To remove a group, click Remove .
If a group has users from a secondary domain or from outside of your organization, those users are not provisioned.
- Click Update.
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click Netskope.
- Click Autoprovisioning.
- For Deprovisioning, click Edit.
- Decide how long users have access to the app after the app is turned off for them, or their Google Workspace account is suspended or deleted. You can hard delete their account in Netskope. You can set the time frame individually for each option and choose within 24 hours or after one, 7, or 21 days.
Choose options for each of these settings, as needed:- When an app is turned off for a user
- When a user is suspended from Google
- When a user is deleted from Google
- Click Update.
Turn off autoprovisioning & delete configuration information
Expand section | Collapse all & go to top
You can turn off autoprovisioning for the app without losing configuration information. Or, you can turn off autoprovisioning and remove all configuration information.
You must be signed in as a super administrator for this task.
To turn off autoprovisioning for the app and keep the configuration information:
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click Netskope.
-
Choose an option:
- Turn off Autoprovisioning.
- Click AutoprovisioningStatusTurn off.
- Click Turn off to confirm.
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click Netskope.
- Click Autoprovisioning.
- For Delete configuration, click Delete.
- Click Delete to turn off autoprovisioning and remove all the configuration information.
Existing users will not be removed from Netskope and can still use the app.
Review usage information
- After you turn on autoprovisioning, you can review usage information. For details, go to Monitor automated user provisioning.
- You can review the following usage information for the last 30 days:
Admin log event | Description |
---|---|
Create User By Auto Provisioning | Users created by autoprovisioning |
Update Auto Provisioned User | Users updated by autoprovisioning |
Hard Delete Auto Provisioned User | Users deleted by autoprovisioning |
Failures | Failed requests |
If autoprovisioning stops working…
Sometimes, due to account inactivity or if the admin password for Netskope changes, autoprovisioning stops working. To continue syncing user accounts in Google Workspace to the app, you need to reauthorize autoprovisioning.
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click Netskope.
- Click Autoprovisioning.
- For App authorization, click Reauthorize.
- For Access token, enter the Access token from Netskope.
If you need to generate another token, follow the steps in Get API access token & add endpoint URL for Netskope (earlier on this page).
- Click Re-authorize.
For details on other reasons why autoprovisioning might stop working, refer to the app’s documentation.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.