G Suite is a collection of cloud apps used to connect the people in your company, no matter where they are in the world.
The Genea Access Control + G Suite integration automatically keeps your Genea employee directory in sync with your G Suite directory. Whenever you add or remove employees in G Suite, they immediately get synced to Genea so you never have to worry about your Genea employee directory being out of sync.
Note: When adding, updating or removing employees, Genea will match based upon the primary email address listed in G Suite.
1. Prepare to Enable Automated Provisioning
- Create Access Groups - You can grant permissions to specific access groups in Genea based upon your G Suite employee attributes. Please create the appropriate Access Groups in Genea based upon your specific office needs (this could reflect your G Suite organizational unit structure). For example, Employees, Contractors, and IT Admin access groups.
- Single Location vs. Multiple Locations - If you have multiple office locations enabled with Genea decide whether you’d like to sync all users to all locations, or to sync specific users per location. This will affect how you set up the integration.
- Mobile Key - Decide whether you would like to assign mobile keys to all newly boarded users by default or you want to assign them later on.
- Enable or Disable User Updates - If you are going to update user attributes (access group, role etc..) after they get synced from G Suite to Genea, please disable the "User Updates Syncing" option so that your changes don't get overidden.
2. Enable G Suite Integration
- Login to the Genea Web application and go to Integrations.
- Find G Suite and click 'Install.’
- Choose the Google account with the appropriate admin permissions. The account you choose to install must have the admin roles in G-suite
- When prompted to provide access, click “Allow.”
- Once approved, you will be redirected back to your Genea portal.
3. Configure Provisioning Rules
The very first thing you need to configure is your provisioning rules. Employee syncing will not work unless you have defined at least one rule. We have a very powerful and flexible rule engine to cater to your provisioning needs.
With provisioning rules, you can decide:
- What "door access group" each employee is assigned to in Genea.
- What "role" each employee is assigned in Genea.
- Whether newly on-boarded employees should automatically receive mobile keys.
- The office location or locations to which an employee is granted access.
Simple Provisioning Rule :
You can have just one default simple rule where every employee being synced is granted common door access and a regular user role.
For example, you can define a rule where every employee being synced from G Suite gets assigned to the "Employee" access group and to the "User" role. Later Genea admin can modify any of these user attributes by logging into their Genea admin web portal.
As you can see in the following image, you don't need to provide any conditions to define such a simple default rule.
Advanced Provisioning Rules
If need be, you can get more advanced with the rule engine so that you do not have to worry about updating any of the user attributes manually in Genea.
As shown below, based upon your "Organizational Units," you can sync specific employees to specific locations. You can also assign different door access groups based upon your departments. And so on...
Additionally, you can also drag these rules up or down which sets its rule priority.
You can add various conditions in a single rule as shown below. You can either choose the "match all" conditions or "match any" condition option.
You can choose any of the following G suite user attributes to define your rule's conditions.
4. Initial User Import
One you have configured your rules, you can choose to perform a one time initial import from G Suite to Genea. This is not needed if you have already been using Genea and all of your employees are already synced. If needed, you can click "Import Users" to begin importing all of your users, or you can click "No" if this step is not necessary.
5. User Updates Flags
While setting up your G Suite integration, you may choose to enable or disable certain user updates from G Suite to Genea.
If your integration set-up includes a few basic and/or broad rules, or if you plan on changing user attributes manually within Genea after users have been synced via G Suite, we recommend disabling the ‘Override Roles on Update’ and ‘Override Access Groups on Update’ update flags. If enabled, these User Update flags may override manual changes made to your users’ roles and/or access groups in Genea.
Delete User If No Rules Match: if changes have been made to a user’s profile within G Suite that no longer qualify them for any of your integration rules, the user will be deactivated within Genea. IMPORTANT NOTE: This flag will only come into play during directory updates. If you deactivate or suspend a user within your directory, the user will automatically be deactivated within Genea, regardless of whether this User Update flag is enabled or not.
IMPORTANT NOTE: If your integration does not include a specialized rule for provisioning system administrators, we recommend disabling the ‘Override Roles on Update’ flag as system administrator privileges may be revoked for existing administrators during updates. To avoid losing administrative privileges while keeping this flag enabled, we recommend creating a specialized rule within your integration that will provision system administrators. Ensure that this rule is placed first within your rule priority list so that system administrators will be provisioned first, then remaining users will be matched to the following rules accordingly.
If you choose to automatically assign users mobile keys in your provisioning rules, newly on-boarded employee will be greeted with a Genea welcome email. The email will include instructions on how to create their account, as well as how to download and activate their mobile key.
When an employee gets "suspended" or "deleted" from G Suite, it will immediately deactivate the user's account in Genea and all of their credentials (mobile keys and physical keycards) will become deactivated too. This ensures that unauthorized users will not have access to your property.
If you need assistance or have any questions about this integration, please feel free to reach out to us at firstname.lastname@example.org