About Google Workspace
Google Workspace (formerly G Suite) provides email, calendar, drive and directory services for organisations. Connecting Google Workspace to Serval lets you automate common admin tasks, enforce security policies and modify user data directly inside Serval workflows.
What the Google Workspace integration enables
| Capability | Connection Method | Description |
|---|---|---|
| Access Management | OAuth or Service Account | Create, update, and manage users and their permissions |
| Automation workflows | OAuth or Service Account | Manage groups and organizational data. Create aliases, manage settings, and more |
| Knowledge Base Sync | Service Account only | Automatically sync and index Google Drive content (Docs, Sheets, Slides) for semantic search |
| Gmail Delegation | Service Account only | Manage email delegation settings |
Choose your connection method
We offer two different configuration mechanisms for Google Workspace:
- Standard OAuth integration:
  - Simple integration process
  - Suitable for basic user and group management
  - No domain-wide delegation required
- Service Account integration:
  - More manual configuration required
  - Full control over scopes and permissions
  - Required for advanced APIs (e.g., Gmail delegation APIs)
  - Enables domain-wide delegation
Service Account Integration Setup
Step 1: Create Google Cloud Project and Service Account
- Navigate to console.cloud.google.com and log in
- Create a new project:
  - Click “Select Project” → “New Project”
  - Choose any name for your project
- Create a service account:
  - Navigate to “Credentials” → “Create Credentials” → “Service Account”
  - Name your service account and create it (other fields optional)
Step 2: Enable Required APIs
Critical: Enable the required APIs in your Google Cloud project:
- Navigate to “APIs & Services” → “Library”
- Search for and enable the following APIs:
  - Admin SDK API (required for user and group management)
  - Gmail API (required for Gmail operations)
  - Google Drive API (required for Drive file operations)
  - Google Sheets API (required for Sheets operations)
- Click “Enable” for each API
Step 3: Configure Service Account Permissions
Grant Serval permission to impersonate your service account:
- Go to your service account → “Permissions” tab → “Grant Access”
- Add principal: [email protected]
- Assign role: “Service Account Token Creator”
Step 4: Configure Domain-Wide Delegation
- Get your service account’s Client ID:
  - Go to your service account → “Details” page
  - Copy the “Client ID” (long numeric string, e.g., 116634191637610572786)
- Configure in Google Workspace Admin Console:
  - Navigate to admin.google.com → “Security” → “Access and data control” → “API controls” → “Manage Domain Wide Delegation”
  - Click “Add New”
  - Enter your service account’s Client ID
  - Add the required scopes based on your needs:
  - Click “Authorize”
The https://www.googleapis.com/auth/cloud-platform scope is required for impersonation.
Scope capabilities:
Admin Directory:
- https://www.googleapis.com/auth/admin.directory.user - Manage users in your domain
- https://www.googleapis.com/auth/admin.directory.group - Manage groups in your domain
- https://www.googleapis.com/auth/admin.directory.group.member - Manage group memberships
- https://www.googleapis.com/auth/apps.groups.settings - Manage group settings
Gmail:
- https://www.googleapis.com/auth/gmail.settings.basic - Manage basic Gmail settings
- https://www.googleapis.com/auth/gmail.settings.sharing - Manage Gmail delegation settings
Calendar:
- https://www.googleapis.com/auth/calendar - Full access to Google Calendar
Drive:
- https://www.googleapis.com/auth/drive - 🔑 Required for Knowledge Base sync - Full access to Google Drive files
- https://www.googleapis.com/auth/drive.metadata - 🔑 Required for incremental sync - Access to file metadata for change detection
Sheets:
- https://www.googleapis.com/auth/spreadsheets - Full access to Google Sheets
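A least-privilege check for the scope list entered in Step 4, as an added example (not Serval's or Google's code): it parses a comma-separated list, compares it with the scopes this page ties to each feature, and reports missing, unused, unknown and full-access scopes. The feature labels and function names are assumptions made for the example.

```python
PREFIX = "https://www.googleapis.com/auth/"

# Scopes listed on this page (short names, PREFIX stripped).
KNOWN = {
    "cloud-platform", "admin.directory.user", "admin.directory.group",
    "admin.directory.group.member", "apps.groups.settings",
    "gmail.settings.basic", "gmail.settings.sharing",
    "calendar", "drive", "drive.metadata", "spreadsheets",
}
# Scopes the page describes as "Full access"; each one should be a deliberate choice.
BROAD = {"calendar", "drive", "spreadsheets"}
# Feature labels are hypothetical names for this example; the scope sets follow the page.
FEATURES = {
    "users": {"admin.directory.user"},
    "groups": {"admin.directory.group", "admin.directory.group.member",
               "apps.groups.settings"},
    "gmail_delegation": {"gmail.settings.sharing"},
    "kb_sync": {"drive", "drive.metadata"},
}

def parse_scopes(raw):
    """Split a comma- or newline-separated scope list into short names."""
    items = (s.strip() for s in raw.replace("\n", ",").split(","))
    return [s[len(PREFIX):] if s.startswith(PREFIX) else s for s in items if s]

def needed_for(features):
    """cloud-platform is always included: the page requires it for impersonation."""
    return {"cloud-platform"}.union(*(FEATURES[f] for f in features))

def audit(raw, features):
    granted, needed = set(parse_scopes(raw)), needed_for(features)
    return {
        "missing": sorted(needed - granted),            # feature will fail
        "unused": sorted((granted & KNOWN) - needed),   # candidates to remove
        "unknown": sorted(granted - KNOWN),             # not in this page's list
        "broad": sorted(granted & BROAD),               # full-access grants
    }

def minimal_scope_string(features):
    """Comma-separated value for the delegation entry and the Serval Scopes field."""
    return ",".join(PREFIX + s for s in sorted(needed_for(features)))

# Constructed sample: a delegation entry missing drive.metadata and carrying calendar.
SAMPLE = ("https://www.googleapis.com/auth/cloud-platform, "
          "https://www.googleapis.com/auth/admin.directory.user,"
          "https://www.googleapis.com/auth/drive,"
          "https://www.googleapis.com/auth/calendar")

if __name__ == "__main__":
    print(audit(SAMPLE, ["users", "kb_sync"]))
    print(minimal_scope_string(["gmail_delegation"]))
```

Run the audit whenever the delegation entry changes; anything under "unused" or "unknown" is a grant the service account can exercise on behalf of any user in the domain without a feature that needs it.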
Step 5: Organization Policies (Optional)
Only complete this step if you received domain restriction errors in Step 3.
- Navigate to Google Cloud Console → Organization Policies
- Search for iam.allowedPolicyMemberDomains
- Select “Domain Restricted Sharing” → “Manage Policy”
- Select “Override Parent’s Policy” and “Merge with Parent”
- Click “Add a rule” → “Custom” → “Allow”
- Enter C04gvbkuc as the custom value
- Save the policy
- Request access from your Organization Administrator
- Contact your Google Cloud Administrator
- Use a different Google Cloud project where you have admin rights
Complete Integration Setup
After completing the service account setup:
- Return to Serval → “Apps” → “Available” → “Google Workspace” → “Connect”
- Enter the required information:
  - Google Workspace domain: Your organization’s domain (e.g., company.com)
  - Service Account email: Your service account’s email address
  - Default subject: An admin user in your domain (e.g., [email protected])
  - Scopes: The comma-separated list from Step 4
- Click “Save”
Knowledge Base Sync
Once your Google Workspace integration is configured with the Drive API scopes, you can enable knowledge base synchronization to make your Google Drive content searchable within Serval.
What Gets Synced
Serval automatically syncs and indexes the following Google Drive content types:
- Google Docs - Full text content converted to markdown
- Google Sheets - Exported as CSV and converted to markdown tables
- Google Slides - Slide text content as markdown
- Folders - Folder hierarchy for organization (no content to index)
Not supported yet:
- Files from other formats (PDF, Word, etc.) are not currently synced
- Comments and suggestions within documents
- Revision history
How Sync Works
Initial Sync:
- Serval discovers all accessible Google Drive files and folders
- Downloads and converts supported file types to searchable markdown
- Creates embeddings for semantic search
- Maintains folder hierarchy for organization
Incremental Sync:
- Serval automatically detects changes to synced files using the Drive Changes API
- Only modified files are re-downloaded and re-indexed
- The drive.metadata scope enables efficient change detection
Required Scopes for Knowledge Base Sync
At minimum, you need these scopes for knowledge base functionality:
Managing Your Knowledge Base
After enabling sync:
- Navigate to your Google Workspace app in Serval
- Go to the “Knowledge Source” tab
- Click “Sync” to start an initial sync
- Monitor sync progress and view synced items
- Toggle individual items’ visibility to control what’s searchable
Sync frequency: Incremental syncs run automatically every few hours to
detect changes. You can manually trigger a sync at any time.
Troubleshooting Knowledge Base Sync
“Failed to list Drive files” error:
- Verify the drive and drive.metadata scopes are configured in domain-wide delegation
- Check that the Drive API is enabled in your Google Cloud project
- Ensure your default subject user has access to the files you’re trying to sync
- Check folder permissions - Serval can only sync files accessible to the default subject user
- Verify files are of supported types (Docs, Sheets, Slides)
- Check that files aren’t in the Trash
- Initial syncs can take time for large Drive accounts (hundreds of files)
- Consider implementing folder filtering to limit scope
- Incremental syncs after the initial sync are much faster
Troubleshooting
Common Setup Issues
If you encounter errors during setup, verify these configurations:
| Component | Verification |
|---|---|
| APIs Enabled | Google Cloud Console → APIs & Services → Enabled APIs |
| Service Account Permissions | Service Account → Permissions → Verify [email protected] has “Token Creator” role |
| Domain-Wide Delegation | Google Workspace Admin Console → Security → API Controls → Verify Client ID is listed |
Error Messages and Solutions
“impersonate: status code 401: unauthorized_client”
Missing: Service account permissions
Fix: Complete Step 3: Configure Service Account Permissions
“Admin SDK API has not been used in project [PROJECT_ID] before or it is disabled”
Missing: API enablement
Fix: Complete Step 2: Enable Required APIs
“Client is unauthorized to retrieve access tokens using this method”
Missing: Domain-wide delegation
Fix: Complete Step 4: Configure Domain-Wide Delegation
“Domain restricted sharing policy”
Missing: Organization policy configuration
Fix: Complete Step 5: Organization Policies
Getting Help
If you continue to experience issues:
- Verify all steps in the setup process are complete
- Wait 10-15 minutes for Google services to propagate changes
- Check that your default subject user has admin privileges in Google Workspace

