List Roles

Definition

The "List Roles" action retrieves a comprehensive list of all the roles within a domain in Google Directory. It provides administrators with detailed information about each role, including the role's ID, name, description, and whether it is a system or super admin role. This action is essential for managing roles and their associated privileges within the Google Admin console. It helps identify the roles available in the domain and facilitates a better understanding of permissions and access control for various users in the organization.

Key capabilities of this action include:

  • Fetching detailed role information for administrative purposes.
  • Differentiating between system roles, super admin roles, and custom roles.
  • Listing associated privileges and service IDs tied to each role.

Example Use Cases

  1. Role Management in Multi-Domain Environments

    Administrators can use this action to list all roles across multiple domains in a customer account. This helps in managing user access and permissions in large organizations with diverse domains.

  2. Auditing Role Privileges

    Security officers or IT auditors can use this action to retrieve the privileges associated with each role, ensuring that only authorized users have access to critical services.

  3. Assigning Roles to New Employees

    HR or IT teams can use this action to quickly see available roles and assign appropriate permissions to new employees, ensuring they have the correct level of access within the organization.

  4. Super Admin Role Identification

    IT administrators can identify which roles are super admin roles, ensuring they are only assigned to trusted individuals who need full administrative control.

  5. Automating Role Assignments for Service Integrations

    Automated workflows can use this action to fetch roles and assign them programmatically when integrating third-party tools or services with Google Directory, ensuring smooth access control.


Inputs

  1. Connection

    This refers to the connection to your Google Admin Console, allowing the action to interface with your Google Directory account. The connection is necessary for authentication and interaction with the Google Directory service.

  2. Customer Id

    This is the unique identifier for the customer account within the Google Admin Console. The customer ID can be used to specify which customer’s roles to retrieve.

    Explanation: If you have a multi-domain setup or you need to fetch roles from a specific customer, use this field. You can also use the alias my_customer to refer to your own account’s customer ID.

    Best Practices: Ensure you have the correct Customer ID, especially if you're working in a multi-domain environment, to avoid errors or retrieving roles from the wrong account. To find your Customer ID, follow the steps outlined in the description.


Outputs

  1. Roles

    This output will return a list of roles defined in the domain. Each role will have specific details associated with it, including its ID, name, description, and whether it’s a system or super admin role.

  2. Role Id

    This is the unique identifier for each role. It can be used to retrieve or modify the role’s details programmatically.

  3. Role Name

    The name of the role, which typically reflects the permissions and responsibilities associated with that role (e.g., "Admin", "Manager").

  4. Role Description

    A detailed description of what the role entails. This could include the purpose of the role, the responsibilities, and what kind of access or permissions are granted to users assigned to this role.

  5. Is System Role

    A boolean value indicating whether the role is a system role pre-defined by Google. If true, the role is built into the system (e.g., "Super Admin", "Group Admin").

  6. Is Super Admin Role

    A boolean value that indicates whether the role is a Super Admin role. If true, the role has administrative access to all settings and functions within the Google Admin Console.

  7. Role Privileges

    A list of privileges associated with the role. These privileges determine the actions and access a user with this role can have within the system.

    • Service Id

      The obfuscated ID of the service to which this privilege applies (e.g., Google Drive, Gmail).

    • Privilege Name

      The name of the privilege, indicating what action the role is allowed to perform (e.g., "Manage Users", "Edit Groups").


Example Scenario

Scenario: A Google Workspace administrator wants to retrieve a list of all roles in their domain and review the privileges associated with each role. This can be helpful for managing permissions and ensuring that users have the correct access based on their responsibilities.

Step-by-Step Process:

  1. Setup:

    • The administrator has the Customer Id of their Google Workspace account. They will use this ID to fetch the list of roles in their domain.
  2. Executing the Action:

    • Connection: The administrator connects to their Google Directory account via Zenphi, ensuring that they have the correct permissions to access the data.
    • Customer Id: The administrator provides the unique Customer Id that identifies their Google Workspace domain. This could be their organization's ID in the Admin Console (e.g., C00000000).
  3. Results:

    • Once the action is executed, the administrator receives a list of all the roles available in their domain, including key details like:
      • Role Id (e.g., R1234567890)
      • Role Name (e.g., "Admin", "User")
      • Role Description (e.g., "Can manage users and groups")
      • Whether the role is a System Role or Super Admin Role (useful for distinguishing built-in roles from custom ones)
      • Role Privileges: A list of specific privileges tied to the role, such as access to Google Drive, Gmail, or Google Meet.
      • The Service Id and Privilege Name help identify which specific services or actions the role is authorized to perform.
  4. Outcome:

    • The administrator now has a clear view of all roles, their descriptions, and the associated privileges, which they can use to review current role assignments, adjust permissions, or ensure compliance with organizational access policies.
    • The information can also be used for reporting purposes, ensuring that roles are properly assigned based on the principle of least privilege.

By using this action, the administrator can streamline the process of managing roles in their domain, saving time and avoiding manual tracking.
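
The least-privilege review described in the Outcome step can be scripted over the Roles output. The following is an added example, not part of the Zenphi or Google documentation: it separates super admin, system and custom roles and flags custom roles that hold privileges on a reviewer-defined watch list. The JSON key names (roleId, roleName, isSystemRole, isSuperAdminRole, rolePrivileges, serviceId, privilegeName), the sample data and the watch list are assumptions made for illustration.

```python
# Constructed sample of a List Roles result. Key names are an assumption that
# mirrors the output fields described above; IDs and service IDs are made up.
SAMPLE_ROLES = [
    {"roleId": "R0000000001", "roleName": "Super Admin", "isSystemRole": True,
     "isSuperAdminRole": True, "rolePrivileges": None},
    {"roleId": "R0000000002", "roleName": "Group Admin", "isSystemRole": True,
     "isSuperAdminRole": False,
     "rolePrivileges": [{"serviceId": "svc-a", "privilegeName": "Edit Groups"}]},
    {"roleId": "R0000000003", "roleName": "Helpdesk", "isSystemRole": False,
     "isSuperAdminRole": False,
     "rolePrivileges": [{"serviceId": "svc-a", "privilegeName": "Manage Users"},
                        {"serviceId": "svc-b", "privilegeName": "View Reports"}]},
    {"roleId": "R0000000004", "roleName": "Report Viewer", "isSystemRole": False,
     "isSuperAdminRole": False,
     "rolePrivileges": [{"serviceId": "svc-b", "privilegeName": "View Reports"}]},
]

# Hypothetical watch list: privilege names the reviewer treats as sensitive.
WATCHLIST = {"Manage Users", "Edit Groups"}


def classify(role):
    """Return 'super_admin', 'system' or 'custom' from the two boolean flags."""
    if role.get("isSuperAdminRole"):
        return "super_admin"
    return "system" if role.get("isSystemRole") else "custom"


def audit_roles(roles, watchlist):
    """Group role names by kind and flag custom roles holding watched privileges."""
    report = {"super_admin": [], "system": [], "custom": [], "findings": []}
    for role in roles:
        kind = classify(role)
        name = role.get("roleName", "<unnamed>")
        report[kind].append(name)
        if kind != "custom":
            continue  # built-in roles are listed but not flagged
        hits = {}
        for priv in role.get("rolePrivileges") or []:  # field may be missing or null
            if priv.get("privilegeName") in watchlist:
                service = priv.get("serviceId", "<unknown>")
                hits.setdefault(service, []).append(priv["privilegeName"])
        if hits:
            report["findings"].append(
                {"roleId": role.get("roleId"), "roleName": name, "byService": hits})
    return report
```

Calling `audit_roles(SAMPLE_ROLES, WATCHLIST)` returns the role names grouped by kind plus one finding per flagged custom role, with the matched privileges grouped by Service Id.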