
Overview

Google Directory Sync provides automatic user and group provisioning from Google Workspace into Rootly. Unlike SCIM (which relies on push events from an identity provider), Google Directory Sync periodically polls the Google Admin Directory API to keep your Rootly organization in sync with your Google Workspace directory.
Google Directory Sync and SCIM are mutually exclusive — you cannot enable both on the same organization. If you currently use SCIM for provisioning, disable it before enabling Google Directory Sync.

Features

  • User provisioning — Users in your Google Workspace directory are automatically added as members in Rootly, including first name, last name, email, and phone numbers.
  • User deprovisioning — Users who are suspended or deleted in Google Workspace are automatically removed from Rootly.
  • Group sync — Selectively sync Google Groups to Rootly Groups, keeping membership up to date.
  • Role assignment — Assign Rootly roles based on Google Group membership.
  • Phone number sync — Google Workspace phone numbers are synced to Rootly, critical for on-call routing.
  • Periodic polling — Automatic sync runs approximately every 30 minutes to detect changes.
  • Manual sync — Trigger an immediate sync from the Rootly dashboard at any time.
  • Audit logging — All sync operations (users added, removed, updated, groups changed) are logged.
  • Mass deletion safeguard — Prevents accidental mass deprovisioning if partial API results are returned.

Requirements

  • A Google Workspace account with admin access
  • One of the following authentication methods:
    • OAuth consent flow — Recommended for smaller organizations. Uses a familiar Google sign-in flow.
    • Service account with domain-wide delegation — Recommended for enterprise organizations with strict admin policies.

Setup

Navigate to Integrations in your Rootly dashboard, find Google Directory Sync, and click Setup.

Option A: OAuth Authentication

  1. Navigate to Integrations in your Rootly dashboard.
  2. Find Google Directory Sync and click Connect.
  3. Click Sign in with Google to initiate the OAuth consent flow.
  4. Sign in with a Google Workspace admin account and grant the requested permissions:
    • admin.directory.user.readonly — Read user directory
    • admin.directory.group.readonly — Read group directory
    • admin.directory.group.member.readonly — Read group memberships
  5. Once authorized, you’ll be redirected back to Rootly with the integration connected.

Option B: Service Account Authentication

Use this method if your organization requires service accounts or restricts OAuth consent flows.
  1. Create a service account in Google Cloud Console:
    • Navigate to IAM & Admin > Service Accounts.
    • Click Create Service Account, give it a name (e.g., rootly-directory-sync).
    • Click Done (no additional roles needed at the project level).
    • Click on the created service account, go to Keys > Add Key > Create new key > JSON.
    • Download the JSON key file.
  2. Enable domain-wide delegation:
    • In the service account details, click Show Advanced Settings.
    • Copy the Client ID.
    • In Google Admin Console, navigate to Security > Access and data control > API controls > Domain-wide delegation.
    • Click Add new and enter the Client ID.
    • Add the following OAuth scopes:
      https://www.googleapis.com/auth/admin.directory.user.readonly
      https://www.googleapis.com/auth/admin.directory.group.readonly
      https://www.googleapis.com/auth/admin.directory.group.member.readonly
    • Click Authorize.
  3. Configure in Rootly:
    • Navigate to Integrations > Google Directory Sync.
    • Select Service Account as the authentication method.
    • Upload the JSON key file.
    • Enter the impersonation email — this must be a Google Workspace admin user’s email address that the service account will impersonate.
    • Click Save and Test Connection to validate credentials.
The impersonation email must belong to an active Google Workspace admin. If this user is suspended or deleted, syncing will stop. Use a dedicated service account admin user that won’t be deactivated.

Configuring Sync

User Sync

User sync is enabled by default once the integration is connected. Rootly will:
  • Create memberships for new users found in Google Workspace.
  • Update user attributes (name, email, phone numbers) when they change.
  • Remove memberships when users are suspended or deleted in Google Workspace.
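
The create/update/remove behaviour above, combined with the mass deletion safeguard from the feature list, can be sketched as follows. This is an added example, not Rootly's code: the 25% threshold, the names `plan_sync` and `SyncPlan`, the flattened user record shape, and the choice to withhold only removals when the safeguard trips are all assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical threshold: the page does not state the real value.
MAX_REMOVAL_RATIO = 0.25

@dataclass
class SyncPlan:
    create: list = field(default_factory=list)
    update: list = field(default_factory=list)
    remove: list = field(default_factory=list)
    aborted: bool = False
    reason: str = ""

def plan_sync(members, directory, max_ratio=MAX_REMOVAL_RATIO):
    """Diff provisioned members ({email: attrs}) against one polled listing."""
    active = {u["primaryEmail"].lower(): u for u in directory if not u.get("suspended")}
    plan = SyncPlan()
    for email, user in active.items():
        attrs = {"name": user.get("name"), "phones": user.get("phones", [])}
        if email not in members:
            plan.create.append(email)
        elif members[email] != attrs:
            plan.update.append(email)
    plan.remove = sorted(e for e in members if e not in active)
    # A truncated API response is indistinguishable from a mass offboarding,
    # so an unusually large removal set is withheld instead of applied.
    if members and len(plan.remove) / len(members) > max_ratio:
        plan.aborted = True
        plan.reason = f"would remove {len(plan.remove)} of {len(members)} members"
        plan.remove = []  # additive changes still apply; removals wait for a clean run
    return plan

# Constructed sample data (simplified records, not the full Directory API schema).
MEMBERS = {
    "ana@example.com": {"name": "Ana", "phones": ["+15550100"]},
    "bo@example.com": {"name": "Bo", "phones": []},
    "cy@example.com": {"name": "Cy", "phones": []},
    "di@example.com": {"name": "Di", "phones": []},
}
FULL = [
    {"primaryEmail": "ana@example.com", "name": "Ana", "phones": ["+15550199"]},
    {"primaryEmail": "bo@example.com", "name": "Bo", "suspended": True},
    {"primaryEmail": "cy@example.com", "name": "Cy"},
    {"primaryEmail": "di@example.com", "name": "Di"},
    {"primaryEmail": "eve@example.com", "name": "Eve"},
]
PARTIAL = FULL[:1]  # simulates a listing cut short after the first record
```

With the full listing the plan creates one user, updates one and removes the suspended one; with the partial listing the three implied removals are withheld and the run is flagged.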

Group Sync

  1. Navigate to Integrations > Google Directory Sync in your Rootly dashboard.
  2. Click the Groups tab.
  3. Choose to either select specific groups or sync all groups from your directory.
  4. If selecting specific groups, use the search box to find groups by name, then check the ones you want to sync.
  5. Click Save.
Only selected groups will be synced — unselected groups are ignored entirely.

Role Assignment

Roles can be assigned based on Google Group membership:
  1. Under the Group Sync section, find the group you want to configure.
  2. Select a Rootly Role to assign to members of this group.
  3. Optionally select an On-Call Role for on-call scheduling.
  4. Members added to the Google Group will automatically receive the assigned roles in Rootly.

Sync Status & Monitoring

The Sync tab displays the current sync status for both users and groups, including last sync time, result summary, and error counts.

Manual Sync

Click Sync Now to trigger an immediate sync without waiting for the next scheduled run.

Audit Logs

All sync operations are logged and visible under the sync history section. Each log entry includes:
  • Timestamp
  • Operation type (user created, user removed, group updated, etc.)
  • Affected user or group
  • Success or error status

Troubleshooting

Common Issues

| Issue | Cause | Resolution |
| --- | --- | --- |
| "403 Forbidden" during setup | Impersonation email doesn’t have admin privileges | Ensure the impersonation email belongs to a Google Workspace admin |
| Users from secondary domains not syncing | Integration is using domain filter instead of customer parameter | Contact Rootly support to verify configuration |
| Sync shows 0 users | Service account scopes not properly delegated | Re-check domain-wide delegation settings in Google Admin Console |
| "Mass deletion safeguard triggered" | Google API returned partial results that would remove a large number of users | This is a safety feature. Check Google Workspace status and retry. Contact support if persistent. |
| Phone numbers not syncing | Phone fields not populated in Google Workspace | Ensure users have phone numbers set in their Google Workspace profile |

Getting Help

If you encounter any questions or difficulties with Google Directory Sync, please contact Rootly support at support@rootly.com.