Citrix Secure Private Access™

Admin roles and privileges

The Citrix service account is used by Secure Private Access to onboard users to Chrome Enterprise Premium (CEP) and enable CEP integration. Therefore, you must assign a role with the required privileges to the service account in the Google Admin console.

Two types of roles are available in the Google Admin console:

System roles: These are the default roles provided by Google. Except for the super admin role, the system roles do not include all the privileges required for CEP integration with Secure Private Access.

Custom roles: These can include any subset of Admin API privileges. You must create a custom role that includes all privileges required for CEP integration with Secure Private Access.

You must be signed in to the Google Admin console as a super administrator for this task.

Note:

Super administrator roles cannot be assigned to service accounts.

Google custom admin role privileges

For CEP and Secure Private Access integration, the Citrix service account must have a custom role in the Google Admin console with the following specific privileges:

Required admin privilege, and why it is needed:

  • License Management > Read
    To query the total number of Chrome Enterprise Premium licenses provisioned for the organization.
  • Chrome Management > Settings > Managed Browsers > Read
    To read the managed Chrome profiles and the managed Chrome devices.
  • Chrome Management > Settings > Manage User Settings
    Note: Ensure you include the two child privileges, Manage Application Settings and Manage Web Settings.
    To add the mandatory extensions, and their configuration, required for CEP and Secure Private Access integration at the user profile level.
  • Reports
    To read the users that are actively using their assigned licenses.
    To read the activity events when the Data Loss Prevention (DLP) rules are triggered.
    To read the failure events.
  • Alert Center > View access
    To read the security alerts for Data Loss Prevention and the login failure events.
  • Domain Management
    Note: Only read access is required, but there are no sub-privileges for read access.
    To read the customer domains, so as to set up the appropriate IAM policies in the Citrix-owned Secure Gateway.
    Note: GCP IAM policies do not support an Organizational Unit as a principal.
  • Groups > Read
    To verify that the configured integration groups are available in GCP.
  • Organization Units > Read
    To verify that the configured organization units are available in GCP.
  • Manage customer > Read customer
    To read the Google customer organization's friendly name.
  • Manage Devices and Settings
    To read device metadata so that it can be displayed in the Monitor network topology view.

Note:

  • You must also grant the equivalent OAuth scopes for these admin privileges.
  • All administrative privileges are now found in the Admin privileges section. This includes privileges previously listed in the Admin console privileges and Admin API privileges sections. This change does not affect how privileges are assigned, and existing privileges continue to work as they did before.
  • Ensure that you select the top-level privilege Manage User Settings and the sub-privileges (Manage Application Settings and Manage Web Settings). Selecting only the sub-privileges is not sufficient.
  • Citrix Secure Private Access deploys configurations to your Google account using the Citrix service account configured. After Citrix Secure Private Access and Google CEP integration is completed, open the Google Admin console and navigate to Chrome Browser > Apps & Extensions. Note that several browser extensions have been configured at the root org level. Those are inherited by the child OUs. When users onboard Google Chrome profiles with this tenant, these extensions are automatically provisioned.

Create and assign roles and privileges

Perform the following steps to create a custom admin role and assign privileges:

  1. In the Google Admin console, go to Accounts > Admin roles.
  2. Click Create new role and enter a name and description for the role.
  3. Add all the privileges required for Google Chrome integration to this custom role. For the list of required privileges, see Google custom admin role privileges.

    For more information related to roles and privileges, see the Google documentation.

  4. Save the custom role.
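After the custom role is saved, it is worth checking that it carries exactly the privileges listed above and nothing more, and in particular that the parent Manage User Settings privilege was selected and not only its two sub-privileges. The following is an added example, not Citrix or Google code; it assumes the role's privileges have already been fetched (for instance from the Google Admin console or the Admin SDK roles resource) and flattened into the display names used on this page. The sample roles and the extra privilege name in the usage section are constructed for the example.

```python
"""Audit a Google Admin custom role against the CEP privilege list.

Added example (not Citrix's or Google's code). Privileges are represented by the
display names shown in the Google Admin console; the sample roles are constructed.
"""

MANAGE_USER_SETTINGS = "Chrome Management > Settings > Manage User Settings"

# Sub-privileges that must be selected together with their parent privilege.
# Selecting only the sub-privileges is not sufficient (see the note above).
PARENT_REQUIRES_CHILDREN = {
    MANAGE_USER_SETTINGS: (
        MANAGE_USER_SETTINGS + " > Manage Application Settings",
        MANAGE_USER_SETTINGS + " > Manage Web Settings",
    ),
}

# Privileges the page lists as required for the Citrix service account's role.
REQUIRED_PRIVILEGES = frozenset({
    "License Management > Read",
    "Chrome Management > Settings > Managed Browsers > Read",
    MANAGE_USER_SETTINGS,
    *PARENT_REQUIRES_CHILDREN[MANAGE_USER_SETTINGS],
    "Reports",
    "Alert Center > View access",
    "Domain Management",
    "Groups > Read",
    "Organization Units > Read",
    "Manage customer > Read customer",
    "Manage Devices and Settings",
})


def audit_role(granted_privileges):
    """Compare a role's granted privileges with the required set.

    Returns a dict with:
      ok       - True only when every required privilege is present
      missing  - required privileges the role lacks (sorted)
      extra    - granted privileges beyond the required set (sorted); these do not
                 block the integration but violate least privilege and should be
                 removed from a dedicated service-account role
      findings - explanations for common mistakes, e.g. sub-privileges selected
                 without their parent
    """
    granted = set(granted_privileges)
    missing = sorted(REQUIRED_PRIVILEGES - granted)
    extra = sorted(granted - REQUIRED_PRIVILEGES)
    findings = []
    for parent, children in PARENT_REQUIRES_CHILDREN.items():
        if parent not in granted and any(child in granted for child in children):
            findings.append(f"sub-privileges selected without parent: {parent}")
    return {"ok": not missing, "missing": missing, "extra": extra, "findings": findings}


# Constructed sample roles: one complete, one where only the two sub-privileges
# of Manage User Settings were ticked.
COMPLETE_ROLE = set(REQUIRED_PRIVILEGES)
PARTIAL_ROLE = COMPLETE_ROLE - {MANAGE_USER_SETTINGS}

if __name__ == "__main__":
    for name, role in (("complete", COMPLETE_ROLE), ("partial", PARTIAL_ROLE)):
        result = audit_role(role)
        print(f"{name}: ok={result['ok']}")
        for privilege in result["missing"]:
            print(f"  missing: {privilege}")
        for finding in result["findings"]:
            print(f"  finding: {finding}")
```

Run the script directly to see both sample roles audited; in practice, feed `audit_role()` the privilege names of the role you assigned to the Citrix service account. A non-empty `extra` list is a least-privilege finding: a role used only by this service account should not carry privileges the integration does not need.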