Documentation
Start typing to search…

Google Directory

Definition

The Google Directory trigger in Zenphi allows you to automatically start a flow based on specific user-related events in your Google Workspace Directory. It listens for actions such as when a user is created, deleted, suspended, has their password changed, recovery email updated, or gains/loses admin privileges — and much more.

This trigger is especially powerful for automating IT and security operations, compliance processes, or onboarding/offboarding workflows. Once set up, it continuously monitors Google Admin activity logs (via the Audit API) and initiates a flow when a matching event occurs.

Key capabilities include:

  • Real-time detection of user-related events in your organization’s Google Directory.
  • Admin-focused monitoring, useful for enforcing security policies (e.g., password changes or privilege updates).
  • Highly customizable filtering using event parameters and customer IDs.
  • Compatible with Conditional Run to restrict flow execution to specific types of events or users.
  • Requires a Google Audit Report Connection, ensuring secure access to your organization's admin logs.

This trigger is ideal when you want to build smart automations that react to user activity in your Google Workspace — whether to notify, log, or take follow-up actions based on those events.



Example Use Cases

Auto-Notify on Admin Privilege Changes

Trigger a flow when admin privileges are granted or revoked from a user, sending an alert to the security or IT team.Useful for maintaining security visibility and auditing privilege escalations.

User Onboarding Process

Start an onboarding workflow when a new user is created. This can automatically generate tasks like setting up accounts, assigning devices, or sending welcome emails.

Automated Offboarding

Trigger a flow when a user is suspended or deleted to revoke access from systems, deactivate tools, and archive files.Ensure compliance and data security when employees leave.

Alert on Recovery Email or Phone Changes

Use Conditional Run to start the flow only when recovery methods are modified. Notify admins to verify legitimacy and prevent suspicious account takeovers.

Sync Directory Changes with Other Systems

Trigger flows that update user information in third-party systems like CRM, Slack, or HR tools when user details change in Google Directory.

Audit-Specific Event Monitoring

With Conditional Run, trigger flows only for selected events (e.g., password changed) or users (e.g., VIP accounts) to maintain high-risk user audit trails.

These examples show how the trigger can help automate routine IT processes and enhance security response using Zenphi’s low-code platform.



⚙️ Configuration

Setting

1. Connection

**What it is:**The Connection is how Zenphi securely connects to your Google Workspace environment to receive directory audit logs.

**Why it matters:**Zenphi uses this connection to listen to the Admin Audit Reports from Google. You must select or create a Google Workspace Audit Report connection with sufficient permissions to read these logs.

Setup Tip:

  • Use an account with admin privileges.
  • The connection is managed from the Connections page in Zenphi.

2. Event

**What it is:**This dropdown lets you select which type of user-related event will trigger your flow.

Available Events and Descriptions:

EventDescription
Admin Privileges GrantedTriggered when a user is given administrative privileges.
Admin Privileges RevokedTriggered when admin rights are removed from a user.
Gmail Account ResetTriggered when a Gmail account is reset (e.g., after suspension).
Password ChangedTriggered when a user’s password is updated.
Recovery Email AddedTriggered when a recovery email is added to a user account.
Recovery Email ChangedTriggered when the recovery email is changed.
Recovery Email RemovedTriggered when the recovery email is removed.
Recovery Phone AddedTriggered when a recovery phone number is added.
Recovery Phone ChangedTriggered when a recovery phone number is changed.
Recovery Phone RemovedTriggered when a recovery phone number is removed.
Security Key RegisteredTriggered when a physical security key is linked to an account.
Security Key RevokedTriggered when a registered security key is revoked.
User ArchivedTriggered when a user is archived.
User CreatedTriggered when a new user is created.
User DeletedTriggered when a user account is permanently deleted.
User SuspendedTriggered when a user is suspended.
User UnarchivedTriggered when an archived user is restored.
User UndeletedTriggered when a previously deleted user is restored.
User UnsuspendedTriggered when a suspended user is reactivated.

**Tip:**You can create multiple flows with different events if you want to handle them differently (e.g., one flow for suspensions and one for password changes).

3. Filters

**What it is:**An optional field where you can write conditions to limit when the trigger should activate. Filters allow more granular control over the events by targeting specific parameters.

🛠 How to write filters

Use comma-separated conditions with this format:

<parameter><operator><value>

Common operators:

  • ==, !=
  • >, <, >=, <=

You can also use logical operators by writing separate filter expressions with commas (acts like AND) or by using OR in your filter expression (based on Google API syntax) ([developers.google.com][1]).

🗃️ Supported filter parameters

These correspond to the trigger’s outputs/token names:

  • event_name – Trigger only on specific events
  • user_email – Target a particular user
  • actor_email – Filter by admin or system user who performed the action
  • actor_type – e.g., only when an admin (ADMIN) performs the action
  • owner_domain – Useful if you manage multiple domains

For example:

event_name==USER_SUSPENDED,[email protected]

This filter runs the flow only when Jane Doe's account is suspended.

🚨 Important Notes

  • Make sure to use exact event identifiers from Google’s Reports API. For instance, use SUSPEND_USER rather than “User Suspended” ([cloud.google.com][2], [stackoverflow.com][3]).
  • Keep filters simple and test them — incorrect filters can prevent the trigger from firing.
  • Filters are combined with AND logic by default; you can use OR for alternate paths if needed .

✅ Examples

FilterDescription
event_name==PASSWORD_CHANGEDRuns whenever any password is changed
event_name==ADMIN_PRIVILEGES_GRANTED,[email protected]Only when John is granted admin rights
actor_type==ADMIN,owner_domain==mydomain.comOnly run flows triggered by admins in your primary domain

🔎

Note: Learn More About Filters

The Filters field uses the query syntax defined by Google’s Admin SDK Reports API. You can specify conditions using supported parameters such as doc_id, new_value, event_subtype, and others, combined with relational operators like ==, !=, and contains.

For a complete list of available fields, their meanings, and query structure, you can refer to the official Google documentation:

👉 Google Admin SDK Reports API – Activities: list

This reference is especially useful if you're looking to apply advanced filtering logic to capture specific user activity or audit events.


4. Customer ID

**What it is:**The unique identifier of your Google Workspace customer. This is usually auto-populated when you create a valid connection.

**Why it matters:**Zenphi uses this ID to fetch audit logs relevant to your Workspace domain.

**Tip:**If you are managing multiple domains or reselling, make sure to input the correct customer ID associated with the intended Google Workspace account.


⚙️ Conditional Run

Conditional Run allows you to control when the flow should start based on specific conditions from the Google Directory event. If the conditions aren’t met, the flow will be skipped — even if the event occurs.

This is useful when you only want to respond to certain actions, like when a specific user is suspended or when changes are made by a particular admin.

🔁 How It Works

When enabled, you can define one or more rules using AND/OR logic. Each condition consists of:

  • Condition Type

    • When: Run the flow only if the condition is true.
    • Except When: Skip the flow if the condition is true.

  • Value to EvaluateChoose a value from:

    • Trigger Outputs — e.g. Event Name, User Email, Actor Type, etc.
    • Vaults — secure values like internal emails or domain restrictions.

🔐 Vaults are managed under Settings → Vaults and provide a secure way to reference sensitive values during runtime. Vault values are hidden and cannot be edited within flows.

  • OperatorChoose how to compare the value (e.g. Equals, Not Equals, Is Null, Greater Than, etc.)

  • Comparison ValueThis could be a manual value, another token, or a Vault reference.

🧠 Example Conditions

  • Run the flow only when Event Name = USER_SUSPENDED
  • Skip the flow except when Actor Email = [email protected]
  • Run only if User Email is not null
  • Compare a trigger output with a Vault-stored admin email

This lets you target very specific audit events, helping your automation respond only to relevant user actions.


📤 Outputs

When this trigger is activated (i.e., when a selected Google Directory event occurs), it generates a set of outputs. These outputs contain valuable information about the event, which can be used throughout your flow — whether for sending notifications, updating records, or applying logic using Conditional Run.You can access all these outputs using the Token Picker in any action across the flow, or reference them in Conditional Run rules to filter when the flow should execute.Below are the available outputs and how you might use them:***

1. Event Name

  • Description: The name of the specific Google Directory event that triggered the flow.
  • Example: USER_SUSPENDED, PASSWORD_CHANGED, USER_CREATED
  • Use Case: Route your flow differently based on the type of event. For example, send an HR notification only when USER_CREATED.***

2. Event Time

  • Description: The exact time when the event occurred in your Google Workspace domain.
  • Example: 2025-06-13T08:45:23.000Z
  • Use Case: Include the event timestamp in an email log, or check whether the event occurred within business hours.***

3. Actor Email

  • Description: The email address of the user who performed the action.
  • Example: [email protected]
  • Use Case: Track which admin made a change, or create an audit log with responsible parties.***

4. Actor Type

  • Description: The role of the person who triggered the event — typically an ADMIN, USER, or SYSTEM.
  • Example: ADMIN
  • Use Case: Add conditions like "only continue if the actor was an ADMIN", useful in compliance or internal policy flows.***

5. User Email

  • Description: The email address of the user who was affected by the event.
  • Example: [email protected]
  • Use Case: If a user is suspended, this field tells you who was suspended — ideal for triggering onboarding/offboarding tasks.***

6. Owner Domain

  • Description: The domain of the user impacted by the event.
  • Example: yourcompany.com
  • Use Case: Helpful when managing multiple domains or environments and wanting to apply specific flows per domain.***

7. Event Unique Qualifier

  • Description: A unique string to differentiate events that occur at the exact same time. Useful for handling multiple similar events.
  • Example: abc123def456
  • Use Case: Store this ID in logs or databases to ensure event traceability and avoid duplication.***

🧠 Example Usage in Flow

These outputs can be:

  • Inserted into notifications (e.g., "Admin {{Actor Email}} suspended {{User Email}} at {{Event Time}}")
  • Logged into spreadsheets or databases for auditing
  • Used in Conditional Run to only proceed when Event Name equals "USER_DELETED" or Actor Type is "ADMIN"***


Example Scenario

Automated Offboarding Notification

Let’s say your IT team wants to get notified every time a user account is suspended in Google Workspace (e.g., when an employee leaves the company).

You can set up a flow using the Google Directory trigger with the Event set to USER_SUSPENDED. In the flow, you can then send a message to the IT team via email or Slack, including details like the suspended user's email, the admin who performed the action, and the timestamp.

You can also add a Conditional Run rule to only trigger the flow if the action was done by an ADMIN, or if the user’s email belongs to a specific domain (e.g., @yourcompany.com).

This way, your team stays informed and can quickly act on important account status changes — without checking logs manually.

Updated about 7 hours ago