G Suite is a suite of intelligent apps, including Gmail, Docs, Drive, and Calendar, designed to help your team communicate, store information, and create.
With the Sapling <> G Suite integration, you can:
Assign a company email address to a new hire when onboarding
Automatically set up an employee's G Suite account with the information from the new hire’s employee record
Assign an employee's G-Suite Organizational Unit (OU) and Group
Immediately suspend an employee's G Suite account during the termination process
Accounts can be reactivated by IT admins, however the email cannot be accessed whilst suspended.
All of the activities taken by Sapling are tracked and recorded in the Admin console audit log.
Important to note: Currently Sapling does not support a Sapling <> G Suite data sync for existing employee attributes. We can only sync data for new employees who have been onboarded via Sapling.
To work around this:
Setup a custom report on field changes that you care about being updated in G Suite, and have IT check in on that report to confirm changes in Sapling took effect in G Suite
Before integrating with G Suite, make sure you have
Admin or Account Owner permission status in Sapling
Obtained administrator access on your G Suite domain to set up the integration.
If your administrator access is revoked in the future, your integration will stop functioning.
This Integration Guide is split into two sections:
The User Experience
How does Sapling set-up the account during Onboarding?
How does Sapling suspend the account during Offboarding?
Setting up the G Suite integration
Ensure API Access is enabled in your Google Admin
Enable the G-Suite integration in Sapling
Part 1: The User Experience
1a: How does Sapling set-up the account during Onboarding?
When onboarding an employee in Sapling, confirm the company email address - this will be based on the G-Suite account you have integrated and will become a required field.
When entering the new hire’s company email in step 1 of the onboarding flow “Create Profile”, Sapling will verify that the email address is available for use.
Leaving the company email blank means Sapling does not set-up the company email or G-suite account.
Additionally, Sapling allows users to create G-Suite Organizational Units (OUs) and Groups to control what services and features are available to whom in the company (e.g. one OU might have access to YouTube while another does not).
To select the new hire's OUs and Group, scroll down to Google Organizational Unit and Groups and make a selection from the drop-down list.
*Note: If your Google Admin makes updates to your internal OUs/Groups, Sapling will refresh what options are displayed during onboarding every 24 hours.
At the end of the new hire onboarding flow (step #5 - “Send Invite”), Sapling will provision the G-Suite Account when the New Hire onboarding event is confirmed.
Sapling sends the following information to the G-Suite profile:
Company Email (primary email)
Personal Email (secondary email)
The New Hire will then receive a notification to their secondary email (personal email) at the time specified by the Onboarding Admin informing them of access their G-Suite account (this is based on the time setting in your Company’s General Settings).
Three important things to note:
If this time has already passed (i.e. they started today), this email will be sent immediately.
You can send the 'Getting started instructions' ahead of time, which can be collected from G-Suite account once provisioned
Once the G-Suite account has been scheduled after completing onboarding, admins will not be able to edit the time specified nor can they delete the G-Suite account before it’s provisioned by Sapling
The person who Onboarded the new hire (typically the Program Lead) will be Bcc’d on this email to ensure visibility on the workflow.
When the new hire logs into their Company G-Suite Account, they will be prompted to create a new password.
The new hire will then have access to their company email inbox.
How to set password requirements?
In your Google Admin console (at admin.google.com)...
On the left, select the organizational unit where you want to set the password policies.For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization.
In the Strength section, check the Enforce strong password box.Strong passwords use a mix of letters, numbers, and symbols, and should not be common or previously used.
In the Length section, enter a minimum and maximum length for your users' passwords. It can be between 8 and 100 characters.
(Optional) To force users to change their password, check the Enforce password policy at next sign-in box.If you don’t check this option, users with weak passwords can access your organization’s Google services until they decide to change their password.
(Optional) To allow users to reuse an old password, check the Allow password reuse box.You cannot set the password history that Google reviews to prevent reuse.
In the Expiration section, select the period of time after which passwords expire.
Click Override to keep the setting the same, even if the parent setting changes.
If the organizational unit's status is already Overridden, choose an option:
Inherit—Reverts to the same setting as its parent.
Save—Saves your new setting (even if the parent setting changes).
Make sure to also give your users tips for creating a strong password.
1b: How does Sapling suspend the account during Offboarding?
During the offboarding flow, Sapling can disable an employee's G Suite account.
Part 2: Setting up the G Suite integration
There are two steps in the set-up process and takes approximately 5 minutes:
2a: Ensure API Access is enabled in your Google Admin
The first step is to ensure that API access is enabled within G Suite directly.
You will need to have administrator permissions on the Google Account you want to link in order to set up the integration. Additionally, you will need to ensure you have enough Google licenses, otherwise user creation will fail.
As a Google Administrator, login to Google’s Admin console (https://admin.google.com) and ensure API access is enabled in your G-Suite Account.
To verify that it is enabled, login to your admin account and select Security> App access control > Manage third-party app access.
If Security is not listed, select More Controls > Security from the options shown in the gray box.
On the security page, select API Controls or App Access Control, and then select the checkbox to Manage third-party app access
Then select Configure New App> Oauth App Name or Client Id
Then search Sapling HR and select Sapling HR, which has client ID
Then select on Trusted. Can access all Google Services >Configure
2b: Enable the G-Suite integration in Sapling
When logged in as a Sapling Account Owner, navigate to Admin > Integrations and you’ll see the integration widget.
Click Add and you will be presented with a pop-up requiring the Organization URL of your company’s G-Suite domain (without the www.). By clicking Save, you’ll then be prompted to authorize your account.
Click Authorize.Google will then ask you to confirm that Sapling can provision and delete users on your domain.
Once G Suite and Sapling are synced, the G Suite app will be shown as Authorized in your account.
You can disable the G Suite <> Sapling sync at any time by clicking it and selecting “Unauthorize”.
Enforcing Multi Factor Authentication
2-Step Verification adds an extra layer of security to your users' G Suite accounts by requiring them to enter a verification code in addition to their username and password when signing in to their account.
It can be enabled for your domain in your Security Settings.
To ensure 2FA on new accounts generated by Sapling, you’ll need to ensure 2FA is turned on in your advanced security settings.
If you need more licenses for a Google service, how you add them depends on how you signed up for your service and your plan type (G Suite only).
This article contains information on how to get more licenses.
Security & Auditing
All of the activities taken by Sapling are tracked and recorded in the Admin console audit log.
To view a log of events in your Google Admin Account, navigate to reports.
Here you can select ‘Admin’ to see a list of activities occurring in your company’s Google Admin account, as well as the associated user and IP Address.
Frequently Ask Questions
Start Date Changes
What happens if the new hires start data changes?
As Sapling provisions the account and schedules the email notification as time of onboarding, any subsequent changes are not updated between Sapling and G-Suite - hence changes in start dates must be managed manually in the current integration.
Our Gmail accounts are provisioned with different access levels. Once they are created, can the accounts be updated like they would if we provisioned them on our own?
This is typically managed by the IT Admins directly in G-Suite. We only send location, department, manager, etc.
When terminating an employee, if we wanted account access to be shut off at different times, is that possible? I.e. sometimes 5pm on the day of termination is too late or too early.
This is something Sapling is currently investigating for our Partners.
Personal and Company Emails
Sapling can send both the personal and company email to our Google Admin Account which then appear in the Global Address book. How to disable sending personal email?
Can we can it sent, but hide the personal email from being viewed?
Yes - please see the 'Turn on the Directory and set sharing options' in this link
There are a few options to manage this, but we believe the best is: 'Only show email addresses on the user's primary domain'