Sync people data from Google Workspace

You can set up people search for your work teams by syncing people data from Google Workspace. After the people search data store is set up and the data is ingested into the Vertex AI Search index, it enables features such as Knowledge Graph and Natural Language Processing. This improves search quality, letting you find people in your Google Workspace Directory through the web app.

For information about Google Workspace Directory, see the Google Workspace documentation.

Before you begin

Before you can set up a people search data store, you must do the following:

  • To enforce data source access control and secure data in Agentspace Enterprise, make sure that you have configured your identity provider.

  • A Google Workspace administrator must enable people search on Google Workspace data:

    1. Sign in to the Google Admin console with an administrator account.
    2. Go to Directory > Directory settings.
    3. Turn on Contact sharing.
  • Sign in to the Google Cloud console with the same account that you plan to connect Google Workspace from.

  • If you use security controls, be aware of their limitations related to data in Google Workspace, as discussed in the following table:

    Security control: Data Residency (DRZ)
    Note the following: Agentspace Enterprise only guarantees data residency in Google Cloud. For information about data residency and Google Workspace, see Google Workspace compliance guidance and documentation, for example Choose the region where data is stored and Digital sovereignty.

    Security control: Customer-managed encryption keys (CMEK)
    Note the following: Your keys only encrypt data within Google Cloud. Cloud Key Management Service controls don't apply to data stored in Google Workspace.

    Security control: Access Transparency
    Note the following: Access Transparency logs actions taken by Google personnel on the Google Cloud project. You'll also need to review the Access Transparency logs created by Google Workspace. For more information, see Access Transparency log events in the Google Workspace Admin Help documentation.

Before creating the people data store, you need to set up a service account and domain-wide delegation.

Set up the service account

  1. Verify that you have the permissions you need to create a service account. See Required roles.

  2. Create a service account in a Google Cloud project within the organization.

  3. Optional: Skip the Grant this service account access to project (optional) step.

    Skip the Grant this service account access to project (optional) step.

  4. Grant the Discovery Engine service account (service-PROJECT_NUMBER@gcp-sa-discoveryengine.iam.gserviceaccount.com) access as a Service account token creator (roles/iam.serviceAccountTokenCreator), and click Save.

    Grant the Discovery Engine service account access.

  5. After the service account is created, click the Details tab of the service account, and click Advanced settings.

  6. Copy the client ID for domain-wide delegation.

    Copy the client ID from the domain-wide delegation section of the advanced settings.
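The service account created in the steps above ends up holding domain-wide delegation for the whole directory, so the set of principals allowed to mint tokens for it (or create keys for it) is the real access boundary. The following script is an added example, not Google's or Agentspace's own code: it reads the service account's IAM policy in the JSON shape that `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` prints, confirms that the Discovery Engine service agent named in step 4 holds Service Account Token Creator, and flags any other principal that can impersonate the account. The embedded policy, the project number 123456789012 and the member addresses are constructed placeholders.

```python
"""Audit which principals can impersonate the people-search service account.

Added example (not Google's code). Checks a service-account IAM policy for
exactly the grant the page asks for (the Discovery Engine service agent as
Service Account Token Creator) and reports everything beyond it.
"""
import json
import subprocess
import sys

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Other roles on the service-account resource that also amount to impersonation:
# a key admin can create a private key, a service account user can attach the
# account to resources that then run as it, an admin can rewrite this policy.
OTHER_IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountAdmin",
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def discovery_engine_agent(project_number: str) -> str:
    """Member string for the Discovery Engine service agent named on the page."""
    return (f"serviceAccount:service-{project_number}"
            "@gcp-sa-discoveryengine.iam.gserviceaccount.com")


def audit_policy(policy: dict, project_number: str) -> dict:
    """Compare a service-account IAM policy against the expected single grant."""
    expected = discovery_engine_agent(project_number)
    token_creators = set()
    other = {}          # member -> set of impersonation-capable roles
    conditional = []    # roles granted under an IAM condition
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        if binding.get("condition"):
            # Record conditional grants for review instead of trusting the
            # condition to be restrictive.
            conditional.append(role)
        if role == TOKEN_CREATOR:
            token_creators.update(members)
        elif role in OTHER_IMPERSONATION_ROLES:
            for member in members:
                other.setdefault(member, set()).add(role)
    return {
        "agent_granted": expected in token_creators,
        "unexpected_creators": sorted(token_creators - {expected}),
        "other_impersonators": {m: sorted(r) for m, r in sorted(other.items())},
        "public_exposure": sorted((token_creators | set(other)) & PUBLIC_PRINCIPALS),
        "conditional_bindings": sorted(conditional),
    }


def is_least_privilege(report: dict) -> bool:
    """True only when the service agent, and nobody else, can impersonate."""
    return (report["agent_granted"]
            and not report["unexpected_creators"]
            and not report["other_impersonators"]
            and not report["public_exposure"])


# Constructed sample policy: placeholder project number and addresses.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwX-constructed",
    "bindings": [
        {"role": TOKEN_CREATOR,
         "members": [
             "serviceAccount:service-123456789012@gcp-sa-discoveryengine.iam.gserviceaccount.com",
             "user:contractor@example.com",   # extra token creator: should be flagged
         ]},
        {"role": "roles/iam.serviceAccountKeyAdmin",
         "members": ["group:ops-admins@example.com"]},   # can mint a key: flagged
    ],
}


def load_policy_from_gcloud(service_account_email: str) -> dict:
    """Fetch the live policy; needs gcloud and permission to read the policy."""
    out = subprocess.check_output([
        "gcloud", "iam", "service-accounts", "get-iam-policy",
        service_account_email, "--format=json"])
    return json.loads(out)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        policy = load_policy_from_gcloud(sys.argv[1])
        project_number = sys.argv[2]
    else:
        policy, project_number = SAMPLE_POLICY, "123456789012"
    report = audit_policy(policy, project_number)
    print(json.dumps(report, indent=2))
    print("least privilege:", is_least_privilege(report))
```

Run it with no arguments to audit the embedded sample, or as `python audit_sa.py SA_EMAIL PROJECT_NUMBER` to audit the live policy of the service account you just created. Anything the report lists under `unexpected_creators`, `other_impersonators` or `public_exposure` has the same directory-wide read access as the connector itself and should be removed before the domain-wide delegation scope is authorized.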

Set up domain-wide delegation

  1. Sign in to the Google Admin console.
  2. Navigate to Security > Access and data control > API controls.
  3. Click Manage domain wide delegation.

    Click Manage domain wide delegation.

  4. Click Add new.

    Click Add new.

  5. In the Add a new client ID dialog, do the following:

    1. Client ID: Enter the client ID.
    2. OAuth scopes: Enter https://www.googleapis.com/auth/directory.readonly.
    3. Click Authorize.

    Configure the domain-wide delegation settings.

  6. If you have customized people data (also known as custom attributes) and you want the data related to the custom attribute to show up in search results, follow these steps:

    1. Click Directory > Users > More options > Manage custom attributes.

      Click Manage custom attributes.

    2. Set the Visibility of the custom attribute to Visible to organization to make it searchable.

      Set the visibility of the custom attribute to Visible to organization to make it searchable.

Create a people search data store

To connect your people data with Agentspace Enterprise, follow these steps:

Console

  1. In the Google Cloud console, go to the Agentspace page.


  2. Go to the Data stores page.

  3. Click Create data store.

  4. On the Source page, click People search.

    Select the People Search data store.

  5. Configure the authentication details:

    1. Enter the email of the account that fetches the people data. If you prefer not to use an administrator account, you can use an alternate account that has access to the organization's directory data.
    2. Enter the service account email you created previously.
    3. Click Continue.

    Configure the authentication details.

  6. Choose a region for your data store.

  7. In the Your data store name field, enter a name for your data store.

  8. Click Create. Syncing might take anywhere from several minutes to several hours, depending on the size of the data.

Pause or resume data syncs

You can pause and resume both full syncs and incremental syncs.

  • To pause a sync, click Pause/resume sync.

    Pausing a sync cancels all future scheduled syncs. However, if a sync is actively running when you click Pause/resume sync, that sync is not paused and continues to completion.

  • To resume a sync, click Pause/resume sync.

    When you resume a sync type, the connector schedules the new sync based on the last scheduled sync time.

Pause or resume data syncs.

Customize search results

To include or exclude personal information from the search results, follow these steps:

  1. In your data store, click the Entity tab, and click Users.

    Click the data store's Entity tab.

  2. In the Users page, click the Schema tab.

  3. Click Edit.

    Edit the data store's schema.

  4. Select or clear the attributes, such as country, to specify whether they're retrievable, searchable, and indexable. To be searchable, the attribute must be marked Retrievable, Indexable, and Searchable.

  5. Click Save.

    Save the changes made to the schema.

Preview people search results

  1. If you have already connected the data store to an app, click Apps, and click the name of your app.

  2. Click Preview.

  3. Search for people in your organization using the search bar. The search results show details such as name, job title, email, and profile picture.

    To open your Agentspace Enterprise web app in a browser, see View the search web app.

    Preview the search results.

    If you have made custom attributes searchable, then you can use the attributes in searches, but the attributes themselves aren't returned in profiles. For example, if team-position is a custom attribute and marked retrievable, indexable, and searchable in the schema, then you can search for people with a specific team position, such as "tech lead". You get a list of people who have that position, but the output won't include the words "tech lead".

View the search web app

To view your Agentspace Enterprise web app, do the following:

  1. In the navigation menu, click Integration.

  2. Make sure that Enable the Web App is enabled.

  3. In the section labeled The link to your web app, click Copy and open the link in your browser.

Error messages

The following table describes error messages that you might encounter when syncing people data by using data indexing. This table includes gRPC error codes and suggested troubleshooting steps.

Error code (gRPC): 9 (Failed precondition)
Error message: Authentication failed. Service account permissions are not set up correctly. Wipeout has been triggered for this datastore and all documents have been deleted.
Description: This error occurs when the Discovery Engine service account lacks the Service Account Token Creator role, or the domain-wide delegation (DWD) service account lacks the correct OAuth scope.
Troubleshooting: Verify that the Discovery Engine service account has the Service Account Token Creator role, and set up the DWD service account OAuth scope correctly in the Google Admin console. Regrant the missing service account permissions.

Error code (gRPC): 9 (Failed precondition)
Error message: Zero results fetched after full sync. Wipeout has been triggered for this datastore and all documents have been deleted.
Description: This error occurs when contact sharing is disabled in the directory settings of the Admin console.
Troubleshooting: Verify and enable contact sharing in the directory settings of the Admin console.

Error code (gRPC): 3 (Invalid argument)
Error message: Failed to exchange signed JWT for access token. Google Workspace account has been deleted. Wipeout has been triggered for this datastore and all documents have been deleted.
Description: This error occurs when the Google Workspace account is deleted.
Troubleshooting: Create a new connector with an active Google Workspace account.

Error code (gRPC): 3 (Invalid argument)
Error message: GAIA id not found. Authentication failed.
Description: This error occurs when the user account is incorrect.
Troubleshooting: Verify that the user account exists and enter the correct credentials.

Error code (gRPC): 8 (Resource exhausted)
Error message: The quota for the project exceeded. Increase the document quota for the project.
Description: This error occurs when the project quota is exceeded.
Troubleshooting: Increase the document quota for the project. For more information, see Quotas.

Error code (gRPC): 13 (Internal error)
Error message: Internal error encountered.
Description: This error occurs when there is an internal error.
Troubleshooting: Contact the support team.