Provisioning Google Apps with Schemus for Email security.cloud

Article ID: 270786

Products

Email Security.cloud

Issue/Introduction

You want to synchronize email addresses from your Google Apps (Google Workspace) tenant to the Email Security.cloud service using the Schemus synchronization tool.

Environment

Email Security.cloud

Resolution

Provisioning the Google Apps Service Account

Schemus authenticates to Google Apps with OAuth 2.0, using the service account's email address and the private key from its JSON key file as credentials.

Note that although a service account is used for authentication, the group and user data is read on behalf of a separate Google Apps administrator user account: the service account is granted domain-wide delegation and impersonates that user when it calls the Directory API.

Prerequisites

Before Schemus can retrieve data from Google Apps, you must sign up for a Google Apps account and create an administrator. Once created, the account is managed from the Admin console at https://admin.google.com.

Creating a service account and key

A service account's credentials include a unique generated email address, a public/private key pair and a Client ID.

Create the service account and key as follows:

Create a service account

  1. Open the service accounts page at https://console.developers.google.com/iam-admin/serviceaccounts.
  2. If prompted, select a project or create a new one.
  3. Click CREATE SERVICE ACCOUNT.
  4. Under Service account details, type a name, ID, and description for the service account, then click CREATE AND CONTINUE.
  5. Skip the optional steps to grant account and user access.
  6. Click Done.

Create a service account key

  1. Click the email address for the service account.
  2. Click KEYS.
  3. In the ADD KEY drop-down list, select Create new key.
  4. Select JSON.
  5. Click CREATE and save the key to a suitable location.

Take note of the service account's OAuth2 Client ID (the numeric ID, which also appears as client_id inside the JSON key file) and store the key file in a location accessible to Schemus.

Note: Google does not retain a copy of the private key; the downloaded file is the only copy and must not be disclosed. If it is lost or exposed, create a new key and delete the old one from the KEYS tab.
You can return to the API Console at https://console.developers.google.com to view the email address and Client ID or to generate additional keys.

Delegating domain-wide authority to the service account

To delegate domain-wide authority to a service account, a super administrator of the Google Workspace domain must complete the following steps:

  1. From the Admin console at https://admin.google.com, go to Main menu > Security > Access and data control > API Controls.
  2. In the Domain wide delegation pane, select MANAGE DOMAIN WIDE DELEGATION.
  3. Click Add new.
  4. In the Client ID field, enter the service account's Client ID from the Service accounts page https://console.developers.google.com/iam-admin/serviceaccounts.
  5. In the OAuth scopes (comma-delimited) field, enter the list of scopes required by Schemus:
    https://www.googleapis.com/auth/admin.directory.group.member.readonly,
    https://www.googleapis.com/auth/admin.directory.group.readonly,
    https://www.googleapis.com/auth/admin.directory.user.alias.readonly,
    https://www.googleapis.com/auth/admin.directory.user.readonly
  6. Click Authorize.

Note: The scopes above provide read-only access to the data required by Schemus. Scopes allowing write access should not be included.

The service account now has the authority to make API calls as users in your domain (to "impersonate" users), limited to the read-only scopes authorized above.

Note: The key file and the email address of the administrator user to impersonate are required on the Google Apps settings page when configuring Schemus.
The service account email address is not entered separately, as it is loaded from the client_email field of the JSON key file.

Note: It may be necessary to activate the API before using it for the first time with a project. To enable the API visit https://console.developers.google.com/apis/api/admin.googleapis.com/overview.
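The procedure above ties together three pieces of configuration: the JSON key file (service account identity and private key), the Client ID authorized for domain-wide delegation in the Admin console, and the administrator user that is impersonated. The following is an added example, not Schemus's own code or Google's client library, that checks those pieces against each other and then builds the JWT claim set a delegated client presents to Google's token endpoint in the OAuth 2.0 JWT bearer flow (iss is the service account, sub is the impersonated user, scope is the delegated scope list). The key file, project name, Client ID and administrator address are constructed placeholders; the optional sign_assertion function assumes the third-party cryptography package is installed.

```python
import base64
import json
import time

# The four read-only Admin SDK Directory scopes that the super administrator
# authorizes for the Schemus Client ID in the Admin console.
DELEGATED_READONLY_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.alias.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
)
TOKEN_URI = "https://oauth2.googleapis.com/token"

# Constructed sample in the layout of a downloaded JSON service account key.
# Every value is a placeholder; the private key body is not a real key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "schemus-sync@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": TOKEN_URI,
})


def load_key_file(raw):
    """Parse a downloaded JSON key and confirm it carries what delegation needs."""
    key = json.loads(raw)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    for field in ("client_email", "client_id", "private_key"):
        if not key.get(field):
            raise ValueError("key file is missing field: " + field)
    return key


def check_delegation(key, authorized_client_id, authorized_scopes, requested_scopes):
    """Compare the key file with the Admin console delegation entry.

    Returns a list of problems; an empty list means the Client ID matches,
    only read-only scopes were authorized, and every scope the client will
    request is actually delegated.
    """
    problems = []
    if key["client_id"] != authorized_client_id:
        problems.append("Client ID in Admin console (%s) does not match key file (%s)"
                        % (authorized_client_id, key["client_id"]))
    for scope in authorized_scopes:
        if not scope.endswith(".readonly"):
            problems.append("write-capable scope authorized: " + scope)
    for scope in requested_scopes:
        if scope not in authorized_scopes:
            problems.append("requested scope was not delegated: " + scope)
    return problems


def _b64url(data):
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion_claims(key, subject, scopes, now=None):
    """Claim set of the JWT a delegated client sends to the token endpoint."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],          # service account, read from the key file
        "sub": subject,                      # administrator user being impersonated
        "scope": " ".join(scopes),           # space-separated delegated scopes
        "aud": key.get("token_uri", TOKEN_URI),
        "iat": now,
        "exp": now + 3600,                   # Google rejects assertions valid longer than one hour
    }


def encode_unsigned_assertion(key, claims):
    """header.payload signing input; the RS256 signature is appended by sign_assertion."""
    header = {"alg": "RS256", "typ": "JWT", "kid": key["private_key_id"]}
    segments = (json.dumps(header, separators=(",", ":")).encode(),
                json.dumps(claims, separators=(",", ":")).encode())
    return ".".join(_b64url(s) for s in segments)


def sign_assertion(key, claims):
    """Sign the assertion with the key file's private key (RS256, PKCS#1 v1.5).

    Needs the third-party cryptography package, so it is imported here rather
    than at module level; the checks above work without it.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    signing_input = encode_unsigned_assertion(key, claims)
    private_key = serialization.load_pem_private_key(key["private_key"].encode(), password=None)
    signature = private_key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + _b64url(signature)


if __name__ == "__main__":
    key = load_key_file(SAMPLE_KEY_FILE)
    for problem in check_delegation(key, "123456789012345678901",
                                    DELEGATED_READONLY_SCOPES, DELEGATED_READONLY_SCOPES):
        print("delegation problem:", problem)
    claims = build_assertion_claims(key, "schemus-admin@example.com", DELEGATED_READONLY_SCOPES)
    print(encode_unsigned_assertion(key, claims))
```

The signed assertion is exchanged at the token endpoint (grant_type urn:ietf:params:oauth:grant-type:jwt-bearer) for an access token scoped to the impersonated administrator; Google only issues it if the Client ID from iss has been delegated every scope in the scope claim, which is why the checker above flags any requested scope missing from the Admin console entry before a sync is attempted.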