Description
Source of Truth: Auto-Populating Your G-Suite Users and Permissions in Cloud Foundry [I] - Colleen Briant, Google
Managing your GSuite and Cloud Foundry users has never been so easy! With the development of a new integration from Google, GSuite users and their permissions are automatically propagated to your Cloud Foundry foundation. This talk will show you how to integrate your GSuite users and groups into your Cloud Foundry auth and permissions structure, including best practices for using LDAP groups and SSO.
Hi guys, I'm Colleen. I'm from Google. I've been with Google for exactly one year in one day. Actually, yesterday was my anniversary. Thank you. And I work on a team that specializes in open source integrations with Google Cloud Platform, so you might have seen my work on the GCP service broker, but today I'm here to talk to you about a new integration that we're exploring. This is under development, but still very much in flux. Still looking for a lot of feedback in terms of: is this a product?
However, in terms of most of the permissions that your users, your Cloud Foundry developers, are going to use day-to-day, those are managed through the Cloud Controller APIs, which is commonly abbreviated as CAPI. So these are two distinct systems. You add a user through UAA as well as through CAPI, but then, managing the different sets of permissions or different pieces of information, you have to go from one system to the other, so it does pose some limitations and can make some things a little more difficult to administer.
So, having worked in an enterprise organization before, we know that onboarding and just permissions day-to-day can be hard and complex. So there's a situation that I thought some of you might be able to relate to. So let's say Nancy's a new developer at your company, so your HR person will add an entry for her in his tool, which is usually synchronized to another system so that she can get her G Suite account all set up.
That'll pull that information in, so then logs for that action will just go into the LDAP server, and you know, during onboarding you get that document that has the checklist of everything that you should have permission to, that you should set up your system with. So during her onboarding Nancy is gonna find, oh, I need to have a Cloud Foundry account made for me, and I need to have access to these orgs and spaces that my team's gonna work on. So then Nancy will probably go to her PM, and her PM will create her an account and maybe add her to everything that Nancy requests. But those documents are never complete. So a few weeks later Nancy's gonna find something that was left out, and she's probably, at this point, just gonna go to her team lead, and her team lead will be able to give her access directly through CAPI to whatever spaces or orgs she was missing. And again, these logs are continuing to be kind of scattered across the disparate systems.
So her old PM removes her, and her new PM and team lead go through the same set of actions, so they're kind of adding things in different places, but it's very reasonable to think that somebody might forget to remove her access to her old orgs and spaces. So you're kind of left with the logs scattered across these different systems.
There is something known as Google Cloud Directory Sync; that's the box to the right of the LDAP box, and so that's gonna pull from the LDAP server and propagate LDAP groups as Google Groups into G Suite. And then the application that I'm working on is simply labeled "sync", next to G Suite, and that's gonna do a very similar thing: pull from G Suite and propagate to both CAPI and UAA. So this step, where Nancy's sysadmin adds her to the LDAP server, actually kind of takes care of some of the other steps.
So her PM no longer needs to create her an account and add her to orgs and spaces. Now the LDAP groups will take care of that themselves. That'll get synced into G Suite and then synced into both systems, and then the logs for that will be consistent, because they'll be both available in the sync application as well as in each of the individual systems.
So if you're looking for a complete set of actions, you can go straight to the sync system to look for everything together. And then again, when the permissions need to be updated, you don't have to go into the individual systems; Nancy's PM can just add her to a new Google group, and that'll take that same set of actions to add her to the appropriate orgs and spaces, or give her the appropriate permissions in CAPI or UAA or both.
And then you get the nice consistency of, when Nancy switches teams, her PM removes her from the Google Groups that correspond to her old team, and that'll propagate that set of permissions through, so that you can be sure that only the people who are supposed to have access to those orgs and spaces are the ones that do.
So the way that you would use this application is you just do a config before the application runs to create a mapping of your Google Groups to a set of roles, orgs and spaces within Cloud Foundry. So, for example, you could have a "finance devs" group that maps to: you should have space developer in the finance org and a finance dev space, or something.
And then, when the application first starts, it's going to read that mapping and do a sync, both to make sure that it's caught up on users and groups that exist within Google and to make sure that it's caught up on that config. So it's gonna read everything from Google, diff it with everything in Cloud Foundry, and then apply the appropriate transformations. And then, just during the course of normal application running, there's gonna be a listener.
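As an added example of the diff step just described (this is not the talk's sync application, and the group names, mapping config and scenario below are constructed): it derives the desired Cloud Foundry roles purely from Google group membership, diffs them against what Cloud Foundry currently has, and plans the grants, revokes and user creations a sync would then push through UAA and CAPI. Only roles the mapping can grant are ever revoked, so roles assigned outside the sync (such as the admin's) are left untouched.

```python
from typing import Dict, List, Set, Tuple

Role = Tuple[str, str, str, str]  # (user, org, space, role); space "" = org-level role

# Constructed mapping config (an assumption, shaped like the talk's "finance devs ->
# space developer in finance / finance dev" example): Google group -> CF grants.
GROUP_MAPPING: Dict[str, List[Tuple[str, str, str]]] = {
    "finance-devs@example.com": [("finance", "finance-dev", "SpaceDeveloper")],
    "payments-devs@example.com": [("payments", "payments-dev", "SpaceDeveloper")],
    "auditors@example.com": [("finance", "", "OrgAuditor"), ("payments", "", "OrgAuditor")],
}


def managed_roles() -> Set[Tuple[str, str, str]]:
    """Every (org, space, role) the mapping can grant; only these are ever revoked,
    so roles granted outside the sync (e.g. the admin's OrgManager) are left alone."""
    return {grant for grants in GROUP_MAPPING.values() for grant in grants}


def desired_roles(group_members: Dict[str, Set[str]]) -> Set[Role]:
    """Source of truth: the roles a user should hold follow purely from group membership."""
    return {(user, org, space, role)
            for group, members in group_members.items()
            for org, space, role in GROUP_MAPPING.get(group, [])
            for user in members}


def plan_sync(group_members: Dict[str, Set[str]], cf_users: Set[str],
              cf_roles: Set[Role]) -> Dict[str, list]:
    """Diff Google state against Cloud Foundry state and return the actions to apply.
    A real sync would then create the users in UAA and set the roles through CAPI."""
    desired = desired_roles(group_members)
    stale = {r for r in cf_roles if r[1:] in managed_roles()}  # managed roles CF has now
    google_users = set().union(*group_members.values())
    return {
        "create_users": sorted(google_users - cf_users),
        "grant": sorted(desired - cf_roles),
        "revoke": sorted(stale - desired),  # no group justifies these any more
    }


if __name__ == "__main__":
    # Constructed scenario: Nancy moved from finance-devs to payments-devs, but her
    # old SpaceDeveloper role in finance/finance-dev is still present in Cloud Foundry.
    groups = {"finance-devs@example.com": set(),
              "payments-devs@example.com": {"nancy@example.com"}}
    cf_users = {"admin", "nancy@example.com"}
    cf_roles = {("admin", "finance", "", "OrgManager"),
                ("nancy@example.com", "finance", "finance-dev", "SpaceDeveloper")}
    for action, items in plan_sync(groups, cf_users, cf_roles).items():
        print(action, items)
```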
So I just have a quick demo of the user import functionality. So I have a G Suite account set up, and you can see I have two users there, but in my Cloud Foundry users list there is only one entry, and that's my admin user. So I'm just gonna run the program, so you can see it's pulling users from Google, and it found these two right here, pulled in their information. Pulled users from Cloud Foundry, only found one, which was the admin user.
So this is a pretty quick talk. To be honest, this is all that I have to present to you right now, so I would love to take any questions now, or I'll just stick around afterwards. If this sounds interesting, again, this is very much up to the community to see what kind of features you would need, so come talk to me.