Onboarding a GCP application in Britive

    Before onboarding the application, ensure that you have completed the prerequisites mentioned in the section Prerequisites for GCP onboarding.
    Perform the following steps to add a GCP tenant application to Britive:

    1. Log in to Britive with administrator privileges.
    2. Click Admin -> Application and Access Profile Management.
    3. From the Tenant Applications page, click on CREATE APPLICATION.
    4. On the Add Application page, click the Add (+) sign next to the GCP application.
    5. In the Application tab, enter the following values:
      1. Enter the Application Name.
      2. Enter the Application Description, if required.
      3. Under Account Mapping, choose the username or email mapping to map the username or the user email, respectively, to the GCP account. You can also keep the default setting, No mapping, as per your requirement.
    6. Click Next. The Settings tab is displayed.
    7. In the Settings tab, enter the following values.
      1. Check Console in the Credential Type.
      2. (Optional) Select Programmatic Access as Credential Type if CLI credentials need to be generated during profile checkout.
      3. Check Display programmatic access keys to allow the user to copy the credentials to the clipboard after they check out programmatic access profiles. Users can only access the keys through CLI or scripts if the option is not selected.
      4. Enter the following details in the Connection Properties:
        1. Enter the Organizations Unique Identifier of your Google domain.
        2. Enter the email address of the custom user created in the Google Cloud Directory Sync (GCDS).
        3. Copy and paste the JSON of the service account key (credentials) generated when the service account was created.
        4. (Optional) Enter the Project ID where temporary service accounts (CLI credentials) need to be created. This is required only if Programmatic Access is selected.
        5. Enter the custom console URL in the Login URL, if required.
        6. Enter your Customer ID in Google Workspace Account Settings.
      5. Enter the following details in the SSO Settings section:
        1. Check Enable SSO to enable SSO.
        2. Replace {domain} with the primary domain from Google Workspace in the Audience field.
        3. Replace {domain} with the primary domain from Google Workspace in the ACS URL field.
      6. Enter the following details in the Account Mapping section:
        1. Select Use another domain for account mapping if the email domain of Britive users is different from the primary domain in Google Workspace.
        2. Enter the domain of the Britive Users in the Email Domain of Britive Users field.
        3. Enter the domain from Google Workspace in the Primary Domain in Google Workspace field. 
      7. Select one of the following from the Scan Options:
        • Scan users and groups: Select this option if users and groups need to be scanned.
        • Scan all folders and projects: Select this option if Britive needs to scan all folders and projects at the Organization level.
        • Scan projects only: Select this option if Britive should scan a subset of projects to which it has been granted access.
        • Scan external users and groups: Select this option if Britive should scan all the external users and groups that are members of the existing internal groups. This also includes service accounts that have been deleted from GCP but still exist in Google Workspace under group memberships.
          Note: Either option Scan all folders and projects or Scan projects only has to be selected.
      8. Profile Settings: Configure the maximum session duration for profiles. You can select a duration from 15 minutes to 7 calendar days. When a profile is created or updated, its expiration duration can be set to any value up to this configured maximum. If existing profiles were created with a duration of more than 12 hours and the above setting is changed, it cannot be lowered until all profiles are updated with a lower expiration duration.

    8. Click Save and Test. If the GCP application is configured with correct values, then a success message is displayed.
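
A pre-flight check for the values entered in step 7, as an added example that is not part of the Britive documentation or product: it validates the pasted service account key JSON and the cross-field rules stated above before Save and Test. The dictionary key names and sample URLs are assumptions made for illustration; the key field names are those of a Google service account key file.

```python
import json

# Fields present in a key file downloaded for a GCP service account.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
MIN_MINUTES, MAX_MINUTES = 15, 7 * 24 * 60  # 15 minutes to 7 calendar days

def check_key_json(raw):
    """Return a list of problems in the pasted service account key JSON."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"key is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["key JSON must be an object"]
    problems = [f"key is missing '{f}'" for f in REQUIRED if not key.get(f)]
    if key.get("type") and key["type"] != "service_account":
        problems.append("key 'type' is not 'service_account'")
    if key.get("private_key") and "PRIVATE KEY" not in str(key["private_key"]):
        problems.append("key 'private_key' is not PEM text")
    return problems

def check_settings(s):
    """Check a dict of Settings tab values (hypothetical key names)."""
    problems = check_key_json(s.get("service_account_key", ""))
    if s.get("programmatic_access") and not s.get("project_id"):
        problems.append("Project ID is required with Programmatic Access")
    if s.get("enable_sso"):
        for field in ("audience", "acs_url"):
            if "{domain}" in s.get(field, ""):
                problems.append(f"{field} still contains {{domain}}")
    if not (s.get("scan_all_folders_and_projects") or s.get("scan_projects_only")):
        problems.append("select a folder/project scan option")
    if not MIN_MINUTES <= s.get("max_session_minutes", 0) <= MAX_MINUTES:
        problems.append("maximum session duration is outside 15 minutes to 7 days")
    return problems

# Constructed sample: the key is fake and the URL shapes are placeholders.
SAMPLE = {
    "service_account_key": json.dumps({
        "type": "service_account", "project_id": "example-project",
        "private_key_id": "0" * 40, "private_key": "-----BEGIN PRIVATE KEY-----\n...",
        "client_email": "sa@example-project.iam.gserviceaccount.com"}),
    "programmatic_access": True, "project_id": "", "enable_sso": True,
    "audience": "https://sso.example.invalid/{domain}",
    "acs_url": "https://sso.example.invalid/example.com/acs",
    "scan_projects_only": True, "max_session_minutes": 720,
}

if __name__ == "__main__":
    print("\n".join(check_settings(SAMPLE)) or "settings look consistent")
```

Run the check on a workstation that is already permitted to hold the key, and do not log or store the key JSON it reads.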
