These instructions show you how to register one of your third party applications with GA Centric, set up ‘rules’ to determine which of your employees should be allowed access to them, and then how to audit any role changes that GA Centric calculates should be due.
Launching GA Centric
Go to the GA Centric application at app.gacentric.com, and login using your Google Apps domain admin user.
If this is the first time anyone in your organisation has used GA Centric, please click ‘Integrate with Google’ to authenticate the application to your domain.
Registering an App
For GA Centric to be useful you need to register at least one third party app such as Salesforce, Dropbox, or any other application used by your organisation. We already know details for some apps, but you can add your own just as easily. Adding an app to GA Centric does not affect that app in any way – you are just making a record within GA Centric saying that your organisation uses it.
Click the ‘Add New App’ button.
In the Create New App screen that follows, enter the Name of the app. You can just type the name of your app however you wish – it doesn’t matter if it doesn’t match one of the pre-defined apps in our list.
If the Url field hasn’t been automatically filled (or if you want to change it), enter the URL of the app.
You can leave the Roles box blank for now, meaning there won’t be any different roles available for different users – they will either be ‘users’ or not (i.e. have no access to the app). Alternatively, or at some point in the future, you can list the names of different roles that you allow in the app. Just enter each role on a new line.
Click submit when ready.
Creating Rules for your App
Once your app is created, you need to register a set of rules that determine who should have access to the app, and under which roles.
You can either click the big ‘Add new Rules’ button then click on your new app when prompted, or just click on the ‘Rule’ button in the Controls section where your app is listed. The latter option can be used in future to come back and edit your rules.
You should now see a ‘blank canvas’ where you can set up rules for your app. If you first logged on to GA Centric very recently, it may not yet have imported your Google Groups in which case you will be presented with a message telling you this, and you will need to reload the page later to continue.
Click ‘Add Rule’. You will see a new entry where you can specify the first rule. For example, you might select a Google Group called ‘firstname.lastname@example.org’ and specify that it should map to the ‘manager’ role in this app.
You can click ‘Add Rule’ again to specify further rules – such as the ‘Sales’ Group mapping to a role called ‘sales’ in the app.
For each user, roles are applied in the order listed here. So in our example, a user who is a member of both Developer and Sales Groups would be given the ‘manager’ role if that appears first. You can drag to reorder the rules list, or click Delete to remove one.
Finally, if no rules match for a user (i.e. they are not a member of any of the Groups you’ve specified), they will take the Default Role chosen at the bottom of the page.
Most likely, the rules you set up will already match most of the users you have for this app. Your sales users will already have the role ‘sales’ for example.
Once you have some rules for an app, GA Centric will calculate which users should have which roles. It will assume to start with that you do not already have any users in the app (which is probably not the case). So this is a good time to carry out an audit if possible. Going forward, GA Centric will monitor for any changes – e.g. users being added to Google Groups – so that it can alert you by email that their access needs to be changed within the app.
Click on the Tasks tab and you should see a list of all user roles GA Centric has calculated based on your rules.
For each user, it will list the current ‘Actual Role’ (which it will assume is ‘No Access’ to start with) and the ‘Wanted Role’ that has been calculated as the correct role. As discussed, hopefully the ‘Wanted Role’ will actually match the real current role for the user in the app, assuming your organisation has been granting access in accordance with the policies that you’ve just written down by creating the rules.
You could double-check that each ‘Wanted Role’ is correctly assigned already in the app if you have time, but in any case you need to tell GA Centric that the tasks are completed. Check the boxes to the left of any users that are correct (or click the box at the top of the table to select all) then click ‘Completed’.
If you disagree with any of the roles listed for a user, it is important to go back and change the rules to match – don’t just mark as Completed or change the role in the app itself without ensuring the the rules will map correctly when recalculating in the future.
For example, if you realise that some developers shouldn’t have the ‘manager’ role after all in this app, you should go back to edit the rules, inserting a rule for junior-developers to be mapped to a lower role. This should appear in the list above the rule mapping developers to managers. Of course an alternative approach would be to create a new Group called managers or developer-managers and ensure that maps to managers; the developers group should then appear beneath it mapping to the lower role.
It all depends how you want to set up Google Groups for your organisation, and the aim is to ensure you have a set of Groups that allow you to easily and cleanly specify rules for the access levels users should have. This way, new or promoted employees only need to be moved into the correct Groups by your Google Apps domain admin, then GA Centric will take care of calculating any access changes required in other third party apps.
Tasks arising from user changes
Going forward, GA Centric will monitor your Google Apps domain for changes. If new users are added, moved between Groups, or suspended/deleted, it will recalculate which roles the user should maintain in all third party apps for which you have registered rules.
It will send an email, to all Google Apps admins who have used GA Centric at least once, listing the calculated changes required – for example, a user ‘email@example.com’ needs to be added to Salesforce under the ‘sales’ role. All you have to do is click into GA Centric, and once you have manually added the user to Salesforce, check the box next to the user in the GA Centric task list and click Completed.
Add More Apps and Rules
Once you are happy with the Group structure used by your organisation, you can go back and add more Apps and corresponding Rules. Use the Apps and Rules tabs to do so.