Google Connector
Integration of Matrix42 Pro, IGA and Google with Generic REST API Connector
Google directory integration capabilities are included in the Generic REST API Connector.
The Generic REST API connector delivers clear business value across four key areas:
- Improved Visibility and Control: Almost real-time access to device and software data enhances IT oversight, asset tracking, and decision-making.
- Automation and Efficiency: Automated changes reduce manual work, accelerate response times, and streamline processes like onboarding and updates.
- Enhanced Security and Compliance: Rapid detection and remediation of risks support stronger security postures and adherence to regulatory standards.
- Strategic Integration and Innovation: Seamless integration with other IT systems enables smarter automation, better governance, and supports digital transformation efforts.
For general guidance on the Generic REST API connector, see the Generic REST API documentation.
The most common use cases with Google are:
- Reading data from Google (for example users and groups)
- Writing data to Google (for example create/update users and groups)
Configure connector for Google
To configure provisioning, you need access to the Platform configuration console.
1. Open the Administration area (a gear symbol).
2. Open Connectors view.
3. Choose "New connector"

4. Select Generic REST API as the Data Source type

5. Give the connector a name and add the connection settings:
- Connector name - give your connector a friendly name (the name can be changed afterwards)
- Host url - base URL for the REST API, https://admin.googleapis.com/admin/directory/v1/ (this can be used as the prefix of the final URL to be called)
- REST Connector type - select Google
- Scopes - set scopes based on which Google APIs you are going to call from this connector. Scopes for users, groups and permissions are https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.group.member
- Credentials JSON file content - after you have configured the Google side, you get a JSON file from there. Copy and paste the entire content of that file into this attribute.
- Delegated user - the user on whose behalf this connector connects to Google. A technical user is suggested here, for example igagoogle@yourdomain.com
- Pagination Type - select Link Attribute Token
- Pagination Link token - nextPageToken
- URL Attribute name - pageToken


6. Fill in WebAPI user information
- WebAPI user - select the WebAPI user that is used when writing data from the external system to Matrix42 Core, Pro and IGA solutions
- WebAPI password - password for the WebAPI user

8. Save the connector information
9. Add the Google root HTTPS certificate to be trusted by Connector management (EPE). This can be done only by Matrix42: Add certificate. Google root certificates can be found at https://pki.goog/repository/
10. The Matrix42 Core, Pro and IGA solution is now able to connect to Google
- The next step is to configure a scheduled task for reading data, or an event task for writing data and performing actions towards Google.
Read data from Google
In this chapter we add an example scheduled task that reads users and their group memberships from Google.
Note! If you also want to read Google Groups as data cards to ESM, you need to create another Generic Scheduled Task for that.
1. Add a scheduled task under the correct connector by clicking “New Task”

2. Set Task attributes
- Scheduling - set scheduling if needed
- Task name - set an informative name
- Task usage - Scheduled
- Mapping type - Generic Template
- Query - the query depends on which Google API endpoint you want to call to fetch data. See the Google documentation for the correct API URL and parameters. Remember to set the domain attribute to match your Google domain.
  In this example we fetch users using: users?domain=yourdomain.com
- Sub Queries - you can add subqueries if you want to read more data related to the result set returned by the actual Query. In this example we use a subquery to fetch each user's group memberships: groups?userKey={id}
- Query headers - for Google we need to add these headers:
  Accept / application/json
  Content-Type / application/json
- Value Marker - in this case users (the correct value depends on which API you are calling)
- Error Marker - set this to error
- Safety threshold for API calls - the suggested value is twice the number of pages this API will return. If you leave it empty there is no safety threshold, and the connector can go into an infinite loop if there is an error in the configuration.
- Unique Attribute - the unique attribute in the API result set. In this case id

3. Fill in failure information
Optional settings for failure handling. If a scheduled task fails, it can create a data card in ESM that displays the error. When failure settings are defined, the administrator does not need to check the status of scheduled tasks manually.
- Failure template - select the template of the data card that is created in case of any errors during provisioning (connection to data sources, timeouts, etc.)
- Failure folder - select the folder where the failure data card is stored.
- Failure attribute - select the attribute in the Failure Template in which the error information is stored. Select a text-type attribute.

4. Fill in Generic mappings information
In the mappings section you configure which attribute from the JSON message is read into which attribute on the Matrix42 Core, Pro and IGA data card.
- Target template - select a template to define attribute mappings (in this example IGA Account, as we are fetching users/accounts)
- Target folder - select a folder from the list of folders. The list is narrowed down to folders compatible with the selected Template. (in this example Accounts)
- Data Source Type mapping - optional. If it is set, the connector's type is written to that attribute.
- Task Id mapping - the task id number is written to this attribute. The correct attribute to choose depends on how your Template is configured.
- Set value to datacard for object deleted from source system - this functionality is activated by selecting the checkbox. When an object that was previously read from a 3rd party system into the solution is deleted from that system, this scheduled task notices that it was deleted and sets the selected attribute of that data card to the value you want. This can be used, for example, to set the Status attribute to Deleted. The Attribute name and Attribute value need to be set based on how your Template is configured.

- Attribute mappings
  - External attribute - which attribute from the Google API is read from the JSON body
  - Local attribute - the attribute in Matrix42 Pro and IGA to which it is mapped
  - Add attributes to the attribute mappings by choosing New attribute
  - You also need to add a mapping for the Unique Attribute, in this example id. It needs to be mapped to the unique attribute on the template, in this example Directory identifier.
  - The first mapping in the example mapping table below uses a subquery to map a user's group memberships to a multiValueField attribute. The other mappings are main query user attribute mappings. For the first mapping to work, you need to have the subquery: groups?userKey={id}
    In the subquery, {id} is a dynamic variable, which in this case points to the id attribute of the main query result set. The mapping for that subquery, which fetches the ids of the groups a user belongs to, is:
    groups?userKey={id}.groups[*].id where the actual JSONPath is the part at the end: groups[*].id - See supported mapping syntaxes: https://docs.efecte.com/configure-connectors/jsonpath-mappings-for-generic-rest-api-connector

5. Save the provisioning task with the Save button.
If some required attributes are missing, the Save button is displayed in grey and shows what is missing from the settings.

6. You have now configured a schedule-based connector task
- You can now wait until the task is started based on its schedule, or
- Run the task manually - clicking the “Run Task” button at the top of the task edit window schedules the task to start immediately. This is usually used for test runs, or when you want to run the task now without changing the schedule settings.

Example of manual task run starting message:

Whether a task is executed manually (Run Task) or run according to its schedule, its status can be reviewed from the Manage column of the Scheduled tasks list by clicking the “View history” button.
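How the Link Attribute Token paging, Value/Error Marker, Unique Attribute, safety threshold and subquery settings described above fit together, as an added Python example. This is not the connector's own code: `fake_get`, `read_all` and `add_group_ids` are hypothetical names, the responses are constructed sample data, and the loop behaviour is assumed from the setting descriptions on this page.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample data standing in for Google Directory API responses.
USER_PAGES = {
    None: {"users": [{"id": "101"}, {"id": "102"}], "nextPageToken": "p2"},
    "p2": {"users": [{"id": "102"}, {"id": "103"}]},  # 102 repeated on purpose
}
GROUPS = {"101": {"groups": [{"id": "g-sales"}, {"id": "g-all"}]},
          "103": {"groups": [{"id": "g-all"}]}}

def fake_get(url):
    """Offline stand-in for the connector's HTTPS GET (hypothetical helper)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if parts.path == "users":
        return USER_PAGES[params.get("pageToken", [None])[0]]
    if parts.path == "groups":
        return GROUPS.get(params["userKey"][0], {})  # no memberships: empty body
    return {"error": {"code": 404, "message": "unknown endpoint"}}

def read_all(query, get, value_marker="users", error_marker="error",
             link_token="nextPageToken", url_attr="pageToken",
             unique_attr="id", threshold=None):
    """Follow Link Attribute Token paging until no token is returned."""
    rows, token, calls = {}, None, 0
    while True:
        if threshold is not None and calls >= threshold:
            raise RuntimeError("safety threshold of %d API calls reached" % threshold)
        sep = "&" if "?" in query else "?"
        url = query if token is None else query + sep + url_attr + "=" + quote(token)
        page = get(url)
        calls += 1
        if error_marker in page:
            raise RuntimeError("API returned error: %r" % (page[error_marker],))
        for item in page.get(value_marker, []):
            rows[item[unique_attr]] = item       # one row per unique attribute
        token = page.get(link_token)
        if not token:
            return list(rows.values()), calls

def add_group_ids(users, get, subquery="groups?userKey={id}"):
    """Run the subquery per user and apply the JSONPath groups[*].id."""
    for user in users:
        body = get(subquery.format(id=quote(user["id"])))
        user["groupIds"] = [g["id"] for g in body.get("groups", [])]
    return users
```

With a wrong URL Attribute name (for example `page` instead of `pageToken`) the token is never sent back, the first page is returned on every call, and only the safety threshold ends the run.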

Create user to Google
Here is a basic example of an event task and orchestration node that are used to create a new user in Google. In production use you need to design which attributes need to be set for a new user.
1. Add an event-based task under the correct connector by clicking “New Task”
2. Set the task attributes
- Task name - a descriptive, unique name
- Task usage - Event
- Mappings type - Generic Template
- Query - URL of the API you want to call. In this example we leave it empty, as we set the URL on the workflow orchestration node. The final API URL to call is constructed by concatenating the connector URL, this query URL and the orchestration node REST URL.
- Query headers - for Google we need to add these headers:
  Accept / application/json
  Content-Type / application/json
- Date Attribute formatter - set the correct format if you are provisioning date attributes
- DateTime Attribute formatter - set the correct format if you are provisioning datetime attributes

Set Generic Mappings
- Target template - the template of the workflow from which you are going to call this task
- Target folder - the folder for your data
- Do not add attributes to the mapping table (external attribute - local attribute). Attribute mapping is done on the workflow orchestration node.
3. Save the task
4. Create an orchestration node in your workflow to call this event-based task
Orchestrate - Provisioning Engine
Data Source - Generic REST API
Activity - Generic REST call
Target - Create google user (your event-based task name)
Action - In this example POST as we are creating user to Google
REST URL - in this example users as we are creating users to Google
REST Body - you can generate the API call body directly here. In more complicated cases, generate it separately (in a script node) into an attribute, and then use that attribute here. In this case the body to create a user is written directly here, using the firstname and lastname attribute code variables.
The body we use here is a very simplified example. In production use you need to design which attributes you want to set for new users.
```json
{
  "name": {
    "givenName": "$firstname$",
    "familyName": "$lastname$"
  },
  "password": "$randompassword$",
  "primaryEmail": "$firstname$.$lastname$@mydomain.com"
}
```
REST Response attribute - the response of the API call is stored in this attribute. In this example it will contain the created user's data as JSON.
How to read value from JSON in workflow
Use json library to read value from JSON
This example uses OnPremisesExtensionAttributes, but the same approach can be used for all kinds of JSON messages from the Microsoft Graph API and REST APIs.
To read one specific value from JSON that looks like this:
{ "extensionAttribute1": "test data1", "extensionAttribute2": null, "extensionAttribute3": null, "extensionAttribute4": "EXT", "extensionAttribute5": null, "extensionAttribute6": null, "extensionAttribute7": null, "extensionAttribute8": null, "extensionAttribute9": "HR functions", "extensionAttribute10": "100", "extensionAttribute11": null, "extensionAttribute12": null, "extensionAttribute13": null, "extensionAttribute14": "test5", "extensionAttribute15": "M365_E5" }
You can do it easily with the following code in a workflow script.
Example (the example uses two ESM attributes: onPremisesExtensionAttributes and extensionAttribute14code):
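```python
import json

# Only parse when the onPremisesExtensionAttributes attribute has a value
if onPremisesExtensionAttributes:
    _data = this.get("onPremisesExtensionAttributes")
    _obj = json.loads(_data)
    # Pick the single key we need from the parsed JSON object
    _value = _obj["extensionAttribute14"]
    this.set("extensionAttribute14code", _value)
```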
Remember to always test that the code selects the correct data from the JSON for your use case, and adjust it if it does not.
Provisioning exception - if there is an issue with the API call, the exception is stored in this attribute

Finalize the other nodes and the flow of your workflow
Save the workflow and publish it
5. Test Workflow and Event-based task
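For the case where the REST Body is generated separately and the REST Response attribute is read afterwards, an added example in standalone Python 3 (not Matrix42 code; the function names are hypothetical, and `changePasswordAtNextLogin` is a Directory API user field that the simplified body above does not set). It serializes the body with `json.dumps` so names containing quotes or backslashes still produce valid JSON, derives a safe e-mail local part, and separates a created user from an error response.

```python
import json
import re
import secrets
import string
import unicodedata

def email_local_part(firstname, lastname):
    """ASCII-fold both names and keep only a-z and 0-9 for the address."""
    parts = []
    for name in (firstname, lastname):
        folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
        cleaned = re.sub(r"[^a-z0-9]", "", folded.lower())
        if not cleaned:
            raise ValueError("name has no usable characters: %r" % (name,))
        parts.append(cleaned)
    return ".".join(parts)

def random_password(length=20):
    """Initial password from a CSPRNG; letters and digits only."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def build_create_user_body(firstname, lastname, domain, password):
    """Return the POST body for 'users' as a JSON string with escaped values."""
    body = {
        "name": {"givenName": firstname, "familyName": lastname},
        "password": password,
        "changePasswordAtNextLogin": True,  # added here, not in the page's body
        "primaryEmail": email_local_part(firstname, lastname) + "@" + domain,
    }
    return json.dumps(body, ensure_ascii=False)

def created_user_id(response_text):
    """Read the new user's id from the stored response, or raise on an error body."""
    data = json.loads(response_text)
    if "error" in data:
        err = data["error"]
        raise RuntimeError("create failed: %s %s" % (err.get("code"), err.get("message")))
    return data["id"]
```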
Known Restrictions
Restrictions in 2025.3
More than one level of subqueries is not supported for scheduled tasks, for performance reasons.