Restricting Service Account Access
It is possible to restrict access to Cronofy to a subset of users and resources within your organization. This is configured using Google’s Organizational Units.
Configuring Organizational Units
In this example we will create an Organizational Unit, named “Resource”, as a child resource of our root domain.
To authorize the application to use the Organizational Unit, a user must be created within this Organizational Unit. This user must be granted the following admin privileges:
- For the Organizational Unit we created:
  - Admin API > Users > Read
- For all Organizational Units:
  - Admin API > Domain Management
This can be achieved by assigning each privilege via a distinct custom role.
Restricting access to the Cronofy Application
At this stage the Cronofy application should be installed for the domain. If Cronofy has not been installed yet, please see our Enterprise Connect for G-Suite documentation.
After installing the Cronofy Application at the root domain level, we can restrict access so that only the users in our Organizational Unit have access to Cronofy. This will block access to Cronofy for all users outside of the specified Organizational Unit.
Start by going to the Cronofy Application on your Google domain.
The next step is to override the access setting for our Organizational Unit so that it is allowed to use the application. This can be done by changing the Service Status to “On”.
Cronofy still makes use of domain-wide delegation, but will be sandboxed within the Organizational Unit. When authorizing the Google Service Account with Cronofy, the newly created user must be used when linking.
After this process has been completed, any user accounts which should have access to Cronofy must be placed within the Organizational Unit. By default, all resources will be accessible and they can be linked.
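Because access now depends on which Organizational Unit an account sits in, it is worth checking membership against the list of accounts that are meant to use Cronofy. The following is an added example, not Cronofy's or Google's code: it assumes user records shaped like the Admin SDK Directory API user resource (`primaryEmail`, `orgUnitPath`), uses constructed sample data and a hypothetical intended-access list, and assumes child Organizational Units inherit the parent's Service Status.

```python
"""Audit which accounts fall inside the Organizational Unit that has Cronofy switched on."""

# Constructed sample records; only primaryEmail and orgUnitPath are used.
SAMPLE_USERS = [
    {"primaryEmail": "cronofy-link@example.com", "orgUnitPath": "/Resource"},
    {"primaryEmail": "alice@example.com", "orgUnitPath": "/Resource"},
    {"primaryEmail": "bob@example.com", "orgUnitPath": "/Resource/Rooms"},
    {"primaryEmail": "carol@example.com", "orgUnitPath": "/Resources-Old"},
    {"primaryEmail": "dave@example.com", "orgUnitPath": "/"},
]

# Hypothetical list of accounts that are meant to have Cronofy access.
INTENDED = {"cronofy-link@example.com", "alice@example.com", "dave@example.com"}


def in_org_unit(user_path, ou_path):
    """True if user_path is ou_path itself or one of its descendants.

    Whole path segments are compared, so "/Resources-Old" is not
    mistaken for a child of "/Resource".
    Assumption: child units inherit the parent's Service Status.
    """
    ou = ou_path.rstrip("/")
    if ou == "":  # the root unit contains every account
        return True
    path = user_path.rstrip("/")
    return path == ou or path.startswith(ou + "/")


def audit(users, ou_path, intended):
    """Compare actual Organizational Unit membership with the intended list."""
    inside = {u["primaryEmail"] for u in users
              if in_org_unit(u["orgUnitPath"], ou_path)}
    return {
        # Intended users who are outside the unit and so are blocked.
        "missing_access": sorted(intended - inside),
        # Accounts inside the unit that nobody listed as needing access.
        "unexpected_access": sorted(inside - intended),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_USERS, "/Resource", INTENDED))
```

Accounts reported under `missing_access` need to be moved into the Organizational Unit; those under `unexpected_access` should be reviewed, since placement in the unit is what grants access.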
Further reading
For more information on Organizational Units, see Google’s documentation “Turn on or off a G Suite Marketplace app for users”.
For an overview of organization structures within G-Suite, see Google’s documentation “How the organizational structure works”.