List Role Assignments
Definition
The "List Role Assignments" action in Google Directory allows you to retrieve a list of all role assignments within your Google Workspace domain. This action provides details about which roles are assigned to users or service accounts and the scope of their assignments (e.g., specific organization units or the entire domain). Key capabilities include retrieving the role ID, assignment ID, assigned entity (user or service account), scope type, and organization unit details, helping administrators effectively manage and audit role-based permissions across their domain.
Example Use Cases
1. Auditing Role Assignments
Administrators can use this action to fetch a comprehensive list of all roles assigned within the organization. This is useful for periodic audits to ensure roles are appropriately assigned and no unauthorized roles are granted.
2. Managing Access Control
In an organization with multiple departments, this action helps identify which roles are assigned to users within specific organizational units (OU). This can help streamline access control and ensure the right people have the right permissions.
3. Role Compliance Monitoring
This action supports compliance by checking whether specific users or service accounts have been assigned the correct roles per security or regulatory requirements.
4. Troubleshooting Permission Issues
When a user reports insufficient access to certain resources, administrators can use this action to verify their role assignments and scope, helping to quickly resolve the issue.
5. Role Assignment Reporting
Generate reports on role assignments across the organization, useful for management to assess who has which privileges and ensure they align with organizational policies.
Inputs
1. Connection
The connection to your Google Workspace account, required to authenticate and allow access to Google Directory data. It is necessary to establish a secure link before any data can be retrieved.
2. Customer Id
The unique ID associated with your Google Workspace account (e.g., C00000000). This ID identifies your specific customer account within the Google Admin console.
- Explanation: Use this field to fetch data specific to your Google Workspace environment. For multi-domain accounts, use the my_customer alias for the current customer account. To find the Customer ID, follow the steps provided in the documentation.
Outputs
1. Role Assignments
The list of role assignments retrieved from Google Directory. It includes detailed information about the roles assigned to different entities within your organization.
2. Role Id
The unique ID of the role being assigned. This is used to identify the specific role in the directory and can be used in further requests to manage or view additional details about the role.
3. Role Assignment Id
The unique ID of the role assignment. This ID is used to identify the specific instance of the role assignment, allowing you to reference or update it when necessary.
4. Assigned to
The unique ID of the entity to whom the role is assigned. This could be a userId (user account) or a uniqueId (service account) that indicates who or what the role is applied to.
5. Scope Type
Defines the scope at which the role is assigned. The role could be applied to:
- CUSTOMER: The role is assigned at the customer level, meaning it applies to the entire Google Workspace environment.
- ORG_UNIT: The role is specific to an organizational unit within the Google Workspace account.
6. Org Unit Id
If the role is restricted to an organizational unit (OU), this field contains the unique ID for that organizational unit. This ensures that the role assignment is specific to users or resources within that OU.
Example Scenario
Situation:
Imagine you are an administrator in a large organization using Google Workspace. You are responsible for managing roles and their assignments within different organizational units (OUs). Your task is to retrieve all the roles assigned within your customer account and identify which users have specific roles like "Manager" or "Admin" in various organizational units.
Steps:
- Setting up the Action:
  - Input: You configure the Customer Id for your organization, which can be obtained from the Admin console (following the instructions in the Inputs section).
- Running the Action:
  - You execute the List Role Assignments action to retrieve all role assignments within your organization.
  - The action queries the system and pulls out the roles assigned to users, service accounts, and groups.
- Results:
  - You get a detailed list of role assignments, including the Role Id, Assigned To (user or service account), and Scope Type (whether it’s customer-wide or restricted to a particular organizational unit).
  - You are able to see which Org Unit Id a role is assigned to, allowing you to filter and focus on specific units within your organization.
  - You can review the Role Assignment Id to identify which roles need updating or reassigning.
- Use Case:
  - For example, you want to see who has the "Manager" role in the Sales department. You filter the Scope Type to ORG_UNIT and specify the Org Unit Id of the Sales department. This shows you all users with the "Manager" role in that specific unit.
- Outcome:
  - By reviewing the role assignments, you can quickly identify if any users need additional permissions or if there are any discrepancies in role assignments across different OUs.
  - This allows for effective management of user roles, ensuring that the correct users have appropriate access to resources.
This scenario helps you understand how the List Role Assignments action can simplify managing roles and permissions within your organization. It makes it easier to audit and control access across organizational units, ensuring that the right people have the right level of access.
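The audit and OU filter described above can be run over the action's output as follows. This is an added example, not code from the product: it assumes the output is a list of records keyed like the Admin SDK roleAssignments resource (roleAssignmentId, roleId, assignedTo, scopeType, orgUnitId), and the approved baseline and all IDs are constructed for illustration.

```python
# Added example, not the product's code. Key names follow the Admin SDK
# roleAssignments resource (assumed serialization); all IDs are constructed.
from collections import namedtuple

Key = namedtuple("Key", "role_id assigned_to scope_type org_unit_id")

def key_of(a):
    """Normalize one assignment into a comparable key."""
    scope = a["scopeType"]
    ou = a.get("orgUnitId") if scope == "ORG_UNIT" else None
    if scope == "ORG_UNIT" and not ou:
        raise ValueError(f"{a.get('roleAssignmentId')}: ORG_UNIT scope without orgUnitId")
    return Key(str(a["roleId"]), str(a["assignedTo"]), scope, ou)

def audit(current, approved):
    """Return (unapproved assignments, approved keys no longer present)."""
    cur = {key_of(a): a for a in current}
    base = {key_of(a) for a in approved}
    unapproved = [a for k, a in cur.items() if k not in base]
    return unapproved, base - set(cur)

def in_org_unit(current, role_id, org_unit_id):
    """The scenario's filter: holders of role_id scoped to one OU."""
    return sorted(str(a["assignedTo"]) for a in current
                  if key_of(a) == Key(str(role_id), str(a["assignedTo"]),
                                      "ORG_UNIT", org_unit_id))

def ra(aid, role, who, scope, ou=None):
    """Build a constructed sample record."""
    rec = {"roleAssignmentId": aid, "roleId": role, "assignedTo": who, "scopeType": scope}
    if ou:
        rec["orgUnitId"] = ou
    return rec

APPROVED = [ra("1001", "7001", "user-alice", "CUSTOMER"),
            ra("1002", "7002", "user-bob", "ORG_UNIT", "ou-sales"),
            ra("1005", "7002", "user-dave", "ORG_UNIT", "ou-eng")]
CURRENT = APPROVED[:2] + [ra("1003", "7001", "svc-backup", "CUSTOMER"),
                          ra("1004", "7002", "user-carol", "ORG_UNIT", "ou-sales")]

if __name__ == "__main__":
    unapproved, missing = audit(CURRENT, APPROVED)
    for a in unapproved:
        print("UNAPPROVED", a["roleAssignmentId"], a["assignedTo"], a["scopeType"])
    for k in missing:
        print("MISSING", k)
    print("role 7002 in ou-sales:", in_org_unit(CURRENT, "7002", "ou-sales"))
```

Comparing on role, assignee, scope and OU rather than on Role Assignment Id means a role that was removed and re-granted under a new assignment ID still matches the baseline, while the same role granted at a wider scope does not.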
Updated 8 days ago