Citrix Secure Private Access™

Admin roles and privileges

The Citrix service account is used by Secure Private Access to onboard users to Chrome Enterprise Premium (CEP) and enable CEP integration. Therefore, you must assign a role with the required privileges to the service account in the Google Admin console.

Two types of roles are available in the Google Admin console:

System roles: These are the default roles provided by Google. Except for the super admin role, the remaining system roles do not include all the privileges required for CEP integration with Secure Private Access.

Custom roles: These can include any subset of Admin API privileges. You must create a custom role that includes all privileges required for CEP integration with Secure Private Access.

You must be signed into the Google Admin console as a super administrator for this task.

Note:

Super administrator roles cannot be assigned to service accounts.

Google custom admin role privileges

For CEP and Secure Private Access integration, the Citrix service account must have a custom role in the Google Admin console with the following specific privileges:

| Required admin privilege | Why is this privilege needed |
|---|---|
| Manage customer > Read customer | To read the Google customer organization friendly name. |
| Organization Units > Read | To verify that the organization units configured are available in GCP. |
| Services > Chrome Management > Settings > Manage User Settings (Note: Ensure that you select the top-level privilege Manage User Settings and the sub-privileges Manage Application Settings and Manage Web Settings.) | To add the mandatory extensions, and their configuration, required for CEP and SPA integration to the user profiles. |
| Services > Chrome Management > Settings Managed Browsers > Read | To read the managed Chrome profiles and the managed Chrome devices. |
| License Management > Read | To query the total number of Chrome Enterprise Premium licenses provisioned for the organization. |
| Reports | To read the users that are actively using their assigned licenses. To read the activity events when the Data Loss Prevention (DLP) rules are triggered. To read the failure events. |
| Groups > Read | To verify that the integration groups configured are available in GCP. |
| Services > Alert Center > Full access > View access | To read the security alerts for Data Loss Prevention and the login failure events. |
| Manage Devices and Settings | To read device metadata for display in the Monitor network topology view. |

Note:

  • The equivalent OAuth scopes for these admin privileges must also be granted.
  • All administrative privileges are now found in the Admin privileges section. This includes privileges previously listed in the Admin console privileges and Admin API privileges sections. This change does not affect how privileges are assigned, and existing privileges continue to work as they did before.
  • Ensure that you select the top-level privilege Manage User Settings and the sub-privileges (Manage Application Settings and Manage Web Settings). Selecting only the sub-privileges is not sufficient.
  • Citrix Secure Private Access deploys configurations to your Google account using the Citrix service account configured. After Citrix Secure Private Access and Google CEP integration is completed, open the Google Admin console and navigate to Chrome Browser > Apps & Extensions. Note that several browser extensions have been configured at the root org level. Those are inherited by the child OUs. When users onboard Google Chrome profiles with this tenant, these extensions are automatically provisioned.

Create and assign roles and privileges

Perform the following steps to create a custom admin role and assign privileges:

  1. In the Google Admin console, go to Accounts > Admin roles.
  2. Click Create new role and enter a name and description for the role.
  3. Add all the privileges required for Google Chrome integration to this custom role. For the list of required privileges, see Google custom admin role privileges.

    For more information related to roles and privileges, see the Google documentation.

  4. Save the custom role.
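Once the role is saved, it is worth verifying it rather than trusting the checkbox screen. The following is an added example (not Citrix or Google code) that audits a role document in the shape of a Directory API roles.get() response against the privilege set listed above and flags the mistake the notes warn about: sub-privileges ticked without the top-level Manage User Settings. The privilegeName strings and the sample role are constructed placeholders; substitute the names your own roles.get() response returns.

```python
"""Audit a Google Admin custom role against the CEP integration privilege set.

Added example. The privilegeName values are constructed placeholders mirroring
the human-readable names on this page, not Google's real enum names.
"""

# Privileges the page lists as required (placeholder names, one per table row).
REQUIRED = {
    "MANAGE_CUSTOMER_READ",             # Manage customer > Read customer
    "ORG_UNITS_READ",                   # Organization Units > Read
    "CHROME_MANAGE_USER_SETTINGS",      # top-level Manage User Settings
    "CHROME_MANAGE_APPLICATION_SETTINGS",  # sub-privilege
    "CHROME_MANAGE_WEB_SETTINGS",       # sub-privilege
    "CHROME_MANAGED_BROWSERS_READ",     # Managed Browsers > Read
    "LICENSE_MANAGEMENT_READ",          # License Management > Read
    "REPORTS",                          # Reports
    "GROUPS_READ",                      # Groups > Read
    "ALERT_CENTER_VIEW",                # Alert Center > Full access > View access
    "MANAGE_DEVICES_AND_SETTINGS",      # Manage Devices and Settings
}
PARENT = "CHROME_MANAGE_USER_SETTINGS"
CHILDREN = {"CHROME_MANAGE_APPLICATION_SETTINGS", "CHROME_MANAGE_WEB_SETTINGS"}


def audit_role(role: dict) -> dict:
    """Return missing/extra privileges plus findings for a roles.get()-shaped dict."""
    granted = {p["privilegeName"] for p in role.get("rolePrivileges", [])}
    findings = []
    # The page's specific pitfall: sub-privileges selected, top-level one omitted.
    if granted & CHILDREN and PARENT not in granted:
        findings.append("sub-privileges selected without top-level Manage User Settings")
    return {
        "missing": sorted(REQUIRED - granted),
        # Extra privileges are least-privilege drift worth reviewing, not a failure.
        "extra": sorted(granted - REQUIRED),
        "findings": findings,
    }


# Constructed sample: an admin ticked only the two Chrome sub-privileges.
SAMPLE_ROLE = {
    "roleName": "citrix-spa-cep",
    "rolePrivileges": [
        {"privilegeName": n, "serviceId": "placeholder"}
        for n in sorted((REQUIRED - {PARENT}) | {"USERS_DELETE"})
    ],
}

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
```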