Connect a third-party data source

Stay organized with collections Save and categorize content based on your preferences.

This page describes how to connect third-party data sources to Agentspace Enterprise.

When you connect a third-party data source, Agentspace Enterprise creates a data connector, and associates data stores (called entity data stores) with it for the entities that you specify. Entity types are specific to the data source that you're connecting to. For example, Jira Cloud entities include issues, attachments, comments, and worklogs.

To import data from a Google data source instead, see Create a first-party data store.

If you are using customer-managed encryption keys, see About single-region keys for third-party connectors.

Before you begin

1. Contact your Google account team and ask to be added to the allowlist for third-party data source connectors.

2. Go to the section for the source you plan to use:

   • Connect Adobe Experience Manager
   • Connect AODocs (Additional allowlist)
   • Connect Asana
   • Connect Box
   • Connect Coda
   • Connect Confluence Cloud
   • Connect Confluence Data Center On-premises
   • Connect DocuSign
   • Connect Dropbox
   • Connect Dynamics 365
   • Connect Entra ID
   • Connect GitHub
   • Connect GitLab
   • Connect HubSpot
   • Connect Jira Cloud
   • Connect Jira Data Center On-premises
   • Connect Marketo Cloud
   • Connect Microsoft Outlook
   • Connect Microsoft Teams
   • Connect Monday
   • Connect Notion (Additional allowlist)
   • Connect Okta
   • Connect OneDrive
   • Connect Salesforce
   • Connect ServiceNow
   • Connect SharePoint Data Center On-premises
   • Connect SharePoint Online
   • Connect Slack
   • Connect Trello
   • Connect WordPress
   • Connect Workday
   • Connect Zendesk (Additional allowlist)

Connect Adobe Experience Manager

Use the following procedure to sync data from Adobe Experience Manager to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. In addition to the third-party connector allowlist, this connector requires that your project is added to an additional allowlist. To be added to this allowlist, contact your Agentspace Enterprise account team.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

3. An Adobe Experience Manager administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • Service credentials of your Adobe Experience Manager instance
   • Instance URL of your Adobe Experience Manager site

Create a Adobe Experience Manager connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create an app.

• To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect AODocs

Use the following procedure to sync data from AODocs to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. In addition to the third-party connector allowlist, this connector requires that your project is added to an additional allowlist. To be added to this allowlist, contact your Agentspace Enterprise account team.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

3. An AODocs administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • Instance ID (Domain URL of your AODocs instance)
   • Client ID
   • Client secret

Create a AODocs connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Asana

Use the following procedure to sync data from Asana to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

• Set up access control for your data source. For information about setting up access control, see Use data source access control.

• An Asana administrator must generate or obtain the personal access token (PAT) following for authentication. For more information, see Personal access token in the Asana documentation.

To invite a member to an Asana workspace , do the following:

1. Sign in to Asana application with your administrator account.

2. Select the relevant project.

3. In the Share visitors dialog, under Invite with email:

   1. Click Invite.
   2. Enter the user's email address.
   3. Choose the permission level as Viewer.

To generate a PAT, do the following:

1. Open the Asana Developer Console.

2. Click My apps.

3. Click addCreate token.

4. In the Create new token dialog, fill the required information.

5. Click Create token.

6. Copy the token for later use.

7. Click Done.

Create an Asana cloud connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Box

Use the following procedure to sync data from Box to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. You must have administrator access to the Box instance with 2FA enabled. All the set up instructions can only be performed from the administrator account.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

3. Read Setup with JWT in the Box documentation for an overview of the setup with screenshots.

Create a Box app

1. Sign in to the Box Developer Console with your administrator account.
2. Click Create platform app.
3. Select App type as Custom app.
4. Enter the App name.
5. Set the following properties:
   1. Purpose: Integration
   2. Categories: AI
   3. External system: Google Cloud Agentspace Enterprise
6. Select Authentication method as Server authentication (with JWT).
7. Click Create app.

Configure the Box app

1. In the Box Developer Console, choose the Platform app and then go to the Configuration tab.
2. In the App access level section, select App + Enterprise access.

3. In the Application scopes section, select the following scopes:

   1. Read all files and folders stored in Box
   2. Write all files and folders stored in Box
   3. Manage users
   4. Manage groups
   5. Manage enterprise properties

4. In the Advanced features section, select Make API calls using the as-user header.

5. In the Add and manage public keys section, click Generate a public/private keypair.

   1. The public key is automatically uploaded to the console with an ID. This ID is used when creating a connection.
   2. You can download a configuration file with the private key and passphrase. Make sure to keep this file for later use.
   3. Optionally, to generate your own key, see the Box keypair setup guide.

6. Click Save changes.

Authorize the Box app

1. In the Box Developer Console, choose the Platform app and then go to the Authorization tab.
2. Click Review and submit.
3. In the Review app authorization submission dialog, click Submit.
4. Sign in to the Box admin platform apps manager with your administrator account.
5. Choose the Platform app that you have configured.
6. Click the three dots (...) in the corresponding row.
7. Select Authorize app from the drop-down list.
8. In the Authorize app dialog, click Authorize to complete the authorization process.

Have the following Box authentication information ready:

• Enterprise ID: Obtain it from the General settings tab.
• Client ID and Client secret: Obtain it from the Configuration tab under OAuth 2.0 credentials.
• Private key, Key ID, and Passphrase: These parameters were already generated and downloaded to a local file from the Configuration tab under Add and manage public keys while configuring the app.

Create a Box connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Coda

Use the following procedure to sync data from Coda to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. A Coda administrator must generate or obtain the Coda API token to integrate with Agentspace Enterprise.

Create a Coda connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Confluence Cloud

Use the following procedure to sync data from Confluence Cloud to Agentspace Enterprise.

After you set up your data source and import data the first time, you can choose how often the data store syncs with that source.

Before you begin

Before setting up your connection:

1. Verify that you have administrator access to the Confluence instance and project.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

Set up authentication and permissions in Confluence

Make sure that you have the necessary authentication details and administrator access to your Confluence instance. Use the following instructions to create a client ID and client secret through the Atlassian Developer Console, configure the required OAuth 2.0 scopes, set up permissions for users, retrieve your instance URL and ID, configure roles, and authenticate to sync data between Confluence Cloud and Agentspace Enterprise. To enable OAuth 2.0 and obtain the client ID and secret, see OAuth 2.0 (3LO)apps in the Atlassian Developer documentation.

1. Create an OAuth 2.0 integration in the Atlassian Developer Console:

   1. Sign in to Atlassian Developer Console.
   2. Click the profile icon and select Atlassian Developer Console.
   3. Click Create and select OAuth 2.0 Integration.
   4. Enter a name for the app and do the following:
      1. Check the terms and conditions checkbox.
      2. Click Create.
      3. Click Authorization.
      4. In the Authorization type table, select Add for OAuth 2.0 (3LO).
   5. In the Callback URL field, enter https://vertexaisearch.cloud.google.com/console/oauth/confluence_oauth.html.
   6. Click Save changes.

   If you see the warning: Your app doesn't have any APIs. Add APIs to your app, proceed to step 2 and complete all the remaining steps. Otherwise, skip to step 4 and step 5.

2. Enable OAuth 2.0:

   1. Click Permissions.
   2. Go to Confluence API.
   3. Click Add.
   4. Click Configure.
   5. Go to the Granular scopes tab and click Edit scopes.
   6. Select the following scopes.

      View Scopes

      • read:attachment:confluence
      • read:configuration:confluence
      • read:content.metadata:confluence
      • read:content-details:confluence
      • read:group:confluence
      • read:space:confluence
      • read:user:confluence
   7. Confirm that seven scopes are selected and save your changes.

3. Obtain the client ID and client secret:

   1. Click Distribution.
   2. Select Edit.
   3. Select Sharing to enable editing other fields.
   4. Fill out the remaining fields.
   5. Select Yes when you see Does your app store personal data?
   6. Select Settings to copy your Client ID and Client secret.

4. Obtain the instance URL:

   1. Go to atlassian.net and sign in with your administrator account.
   2. Select the app you want to sync. For example, sync the first app.
   3. Find the instance URL. It appears as the subdomain in the address bar.

5. Obtain the instance ID:

   1. Open a new tab, copy the instance URL, and append /_edge/tenant_info to the instance URL. For example, https://YOUR-INSTANCE.atlassian.net/_edge/tenant_info.
   2. Navigate to the link to find the cloudId value. The cloudId is your instance ID.

Set up permissions and roles

1. Sign in to atlassian.com with your administrator account.
2. Click the menu icon or go to admin.atlassian.com.
3. On the Admin page, click Manage users and go to the Groups page.
4. Go to your Atlassian domain site and open the Confluence Cloud instance.
5. Navigate to IAM.

6. Grant the Confluence administrator the Discovery Engine role. This allows the Confluence administrator to configure the connector as outlined in Create a Confluence Cloud connector.

7. Grant a user the administrator role:

   1. Create a dedicated user account. Use this account for data store setup.
   2. Assign the Admin role to the new user.

8. Configure permissions in Atlassian:

   1. Go to your Atlassian domain site and open the Confluence Cloud instance. Alternatively, go directly to admin.atlassian.com.

   2. Click the menu icon and select the required option.

   3. Optional: If prompted, select the appropriate organization from the landing page.

9. Create and configure groups:

   1. On the Administrator page, click the Manage users button if required and select Manage users from the drop-down list.
   2. On the User management page, select Groups.
   3. Click Create group and assign a name. Use this group for assigning permissions required by the connector.

10. Add permissions to the group: Assign the User access admin role.

11. Assign group members:

    1. On the Group page, click Add product and select the appropriate product role from the drop-down list.In this case, select User access admin.
    2. Click Add to confirm role assignment.
    3. Click Add group members to include user accounts or group members. Ensure the connector authenticates on behalf of these users to fetch documents.

For user permissions to apply correctly, each Confluence Cloud user must make their email visible to all users. To achieve this, change the email visibility settings in Confluence Cloud and set the visibility to Anyone. For more information, see Set your email visibility in the Atlassian documentation.

Create a Confluence Cloud connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Confluence Data Center On-premises

Use this procedure to create a Confluence Data Center data store and search app in Agentspace Enterprise, syncing on-premises Confluence data with Agentspace Enterprise.

After you set up your data source and import data the first time, you can choose how often the data store syncs with that source.

Before you begin

Before setting up your connection, make sure that you have the following:

1. Service attachment (required for private destination type only): Configure a service attachment for secure data transfer.
2. Username and password: Obtain valid credentials for authentication from your Confluence administrator.
3. Optional for private destination type: Domain URL: Specify the URL of the Confluence Data Center instance.
4. Optional: Base domain name: Provide the base domain name for the Confluence instance.
5. Optional: Destination port: Identify the port used for communication with the Confluence Data Center.

6. Use the following configuration guidelines to establish connections with Private Service Connect(PSC). Adjust or add resources as needed. Make sure the PSC service attachment is properly configured to connect to the private instance and meets the requirements for a published service.

   1. Configure network settings:

      1. Place the PSC service attachment and load balancer in different subnets within the same Virtual Private Cloud network.

      2. The backend system must remain closed to the public network for security reasons. However, ensure it can accept traffic from the following sources:

         • For proxy-based/HTTP(s) load balancers (L4 proxy ILB, L7 ILB), configure the backend to accept requests from the proxy subnet in the Virtual Private Cloud network.

         • For more information, see the Proxy-only subnets for Envoy-based load balancers documentation.

   2. Adjust firewall rules:

      1. Ingress rules:

         • Allow traffic from the PSC service attachment subnet to the internal load balancer (ILB) subnet.
         • Make sure that the ILB can send traffic to the backend.
         • Permit health check probes to reach the backend.

      2. Egress rules: Enable egress traffic by default, unless specific deny rules apply.

7. Additional considerations: Make sure to keep all the components, including the PSC service attachment and load balancer, in the same region.

Generate a service attachment

Use the following steps to generate a service attachment:

1. Decide endpoint type: Select Public or Private endpoint.

2. For Public endpoint: If the Confluence Data Center Destination type is Public, you are not required to create the setup for service attachment. Instead, you can use your public URL in the Domain URL field of the Google Cloud console when creating your connector.

3. For Private endpoint:

   1. Use Private Service Connect (PSC) to enable connections from private instances to Google Cloud.
   2. Create a Virtual Private Cloud network and required subnets.
   3. Create a Virtual Machine (VM) instance and install the backend service.
   4. Optional: Set up a health check probe to monitor backend health.
   5. Add a load balancer to route traffic to the VM or backend.
   6. Define firewall rules to allow traffic between the PSC endpoint and the backend.
   7. Publish the endpoint by creating a PSC service attachment.

Create a Confluence Data Center user and set up permissions

To enable Agentspace Enterprise to obtain data from Confluence, you need to create a new user with the minimum permissions necessary. Follow these steps to create the user and set up the required permissions.

1. Sign in as an administrator:

   1. Go to your Atlassian domain site and open the Confluence Data Center instance.
   2. Enter the administrator username and password.
   3. Click Log In.

2. Create a new user:

   When creating a data store, you must create a user to obtain data from the third-party instance.

   1. Click the settings icon.
   2. Select User management.
   3. Enter the administrator credentials, if prompted.
   4. In the Administration page, click Create user.
   5. Enter the email address, full name, username, and password.
   6. Click Create user.

3. Assign user to a group:

   1. In the Confluence administration page, navigate to the Users and security tab and click Groups.
   2. Click Add group. Enter a name for the group and create it.
   3. In the Find group field, enter the group name to find the group.
   4. Click the settings icon.
   5. Select the profile account and navigate to User management.
   6. In the Users page, under List users, search for the newly created user in the Find user field.
   7. Click the user to open the View users page.
   8. Click Edit groups to open the Edit user group page.
   9. Select the checkbox for the created user group.
   10. Click Save to assign the user to the newly created group.

   The added user is assigned in the Group members section.

4. Configure user permissions:

   1. In the Confluence administration page, navigate to the Issues tab.
   2. Locate Permissions.
   3. Select View global permissions.
   4. Select Edit permissions.
   5. In the Edit global permissions page, search for the group assigned to the user, and enable the can use option.

Configure the documentation space

1. Click the Confluence icon to navigate to the Dashboard page.
2. Click Create space.
3. Select Documentation space and click Next.
4. Enter all the necessary details and click Create to create the documentation space.
5. Under My spaces, click the newly created space.
6. Navigate to Pages, and open the menu (three dots).
7. Select Restrictions.
8. From the Restrictions drop-down menu, select the Viewing and editing restricted option.
9. Search for the group and assign the can view permission.
10. Click Apply. The user is created with minimum access and permissions are set for spaces. You can also assign permissions to the blogs.

Create a Confluence Data Center On-premises connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect DocuSign

Use the following procedure to sync data from DocuSign to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up a connection for the DocuSign connector, make sure that you have the following credentials for authentication:

• Consumer key
• Private key
• Username

Generate keys and user credentials

Create a user in the DocuSign instance, assign the user to a group, and grant the required permissions to generate the consumer key, private key, and username needed for integration and authentication.

1. Register a DocuSign user: If you are a new user, use the following steps to create a DocuSign developer account. If you are an existing user, go to the access account details section.

   1. Go to the DocuSign developer account.

   2. Expand the Developer account drop-down and click Create account.

   3. On the Get your free developer account page, enter the required information:

      • First name
      • Last name
      • Email
      • Company
      • Country
      • DocuSign account status (if applicable)

   4. Click Get started.

   5. A Check your email window appears. Check your email for a verification code, enter it, and click Next.

   6. The Verify your mobile number window appears. Select the country code, enter your mobile number, and click Send code.

   7. Enter the temporary code received and click Verify.

   8. On the Set your password window, enter your password and click Next.

   9. The user is logged into the Sandbox environment.

2. Access account details:

   1. Click the User profile icon and select My apps & keys.

   2. The Account dashboard and Apps and keys page is displayed, showing the User ID, Account ID, and App base URL.

3. Generate apps and integration keys:

   1. Click Add app and integration key.

   2. In the Add integration key dialog, enter the app name and click Create app.

   3. The user is redirected to the app page. In the Authentication section, select Yes for the question "Is your application able to securely store a client secret?" and click Add secret key. A secret key is added.

   4. In the Service integration section, click Generate RSA.

   5. The RSA key pair dialog displays the keypair ID, public key, and private key. Copy both, as they are not displayed again.

4. Add user to production:

   1. Sign in to the DocuSign production instance.

   2. Click Admin.

   3. Navigate to Users and groups > Users.

   4. On the Seats & users page, under Seat usage, click Assign a seat.

   5. In the Add user page, enter the email address.

   6. Click Next.

   7. Complete the mandatory fields in the Profile information section.

   8. Click Next.

   9. In the Security section, add the Access code.

   10. Click Next.

   11. In the Permission profile and groups section, select the permission as Viewer.

   12. Click Add user.

   13. The Seats and users page is displayed, and the user appears under All users.

   14. Open the user email account and activate the account using the Account activation email.

   15. Click Activate, enter the Access code, and activate the account.

5. Generate RSA keypair:

   1. Navigate to Admin > Integrations > Apps and keys.

   2. On the Apps and keys page, click Actions and choose Edit for an existing app name from the Apps and integration keys section.

   3. On the App details page, go to the Service integration section and click Generate RSA.

   4. The RSA keypair dialog displays the keypair ID, public key, and private key. Copy all the details and click Close.

   5. Click the Profile icon and sign out.

6. Sign in to production instance: Sign in to the DocuSign production instance using minimum access user credentials. The Admin menu option is not displayed for the minimum access user account.

Create a DocuSign cloud connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Dropbox

Use the following procedure to sync data from Dropbox to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For more information, see Use data source access control.

2. Have the following Dropbox authentication information ready. For information about setting up these parameters, see the OAuth Guide in the Dropbox documentation.

   • Client ID
   • Client secret

Create a Dropbox connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Dynamics 365

Use the following procedure to sync data from Dynamics 365 to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before you create a Dynamics 365 connector:

1. A Dynamics 365 administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • Client ID
   • Client secret
   • Azure tenant
   • Organization URL

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

Create a Dynamics 365 connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Entra ID

Use the following procedure to sync data from Entra ID to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. To obtain the client ID and client secret, do the following:

   1. Create an Entra ID application:

      1. Sign in to Microsoft Entra administrator center and click Application.
      2. In the Application drop-down list, click App registrations.
      3. In the App registrations page, click New registration.
      4. Click Add new registration and do the following:
         • Enter a name for the application.
         • Under Supported account types, select Accounts in the organizational directory only.
         • Under Redirect URI, add a web redirect URI pointing to: https://login.microsoftonline.com/common/oauth2/nativeclient.
      5. Click Register.

   2. Save credentials:

      On your registered application window, save the following values for later use:

      1. Use the Application (client) ID to set the Client ID parameter.
      2. Use the Directory (tenant) ID to set the Azure Tenant parameter.

   3. Create client secret:

      1. Navigate to Certificates & secrets and create a new client secret:
      2. Click New client secret and specify the required duration.
      3. Save the client secret and copy the key value for later use.

Configure Entra ID API permissions

1. On your registered application window, click API permissions.

2. Under Configured permissions, select Microsoft Graph and configure the following permission:

   View permissions

   • User.Read.All (Application)

   If you want to ingest profileCardAttributes, then configure the following permissions:

   View permissions

   • People.Read.All (Application)
   • PeopleSettings.Read.All (Application)

3. Grant admin consent for all the added permissions. An administrator's consent is required to use client credentials in the authentication flow.

Create a Entra ID connector

Test the search engine

After configuring your search engine, test its capabilities. This ensures it returns accurate results based on user access.

1. Enable web app:

   1. Go to the app integration configurations and toggle to Enable the web app.

2. Test web app:

   1. Click Open next to the web app link and sign in as a user.

   2. Verify that search results are restricted to items accessible by the user.

Preview people search results

1. In the search app, navigate to Preview and start searching within the console when using Google IdP.

   • Alternatively, navigate to the provided link and sign in with your IdP to start searching.
   • The search results appear as people cards, displaying user details such as Name, Job title, Email, and Profile picture.

2. Click a people card to view a detailed profile page, which includes the following:

   • Name
   • Profile picture
   • Job title
   • Department
   • Management chain
   • Direct reports

3. If custom attributes (profile card properties) are ingested and made indexable, searchable, and retrievable:

   • Searching by a custom attribute value returns only person profiles containing those attributes.
   • Custom attributes appear in search results, but can only be accessed through the API, not the Agentspace Enterprise user interface.

Configure the workforce pool for non-Google IdP without SSO

1. If your employees use a non-Google IdP, lack SSO with Google, or are not Google Workspace customers, set up a workforce pool as described in Use data source access control to enable the employee search.

   The workforce pool lets you to manage and authenticate users from external identity providers, such as Azure or Okta, within Google Cloud console.

2. To configure your workforce pool and enable the web app for seamless user access, do the following:

   1. Create workforce pool at the organization level in Google Cloud by following the appropriate setup manual:

      1. Azure OIDC setup
      2. Azure SAML setup
      3. Okta & OIDC setup
      4. Okta & SAML setup

   2. Configure the workforce pool in Agentspace > Settings for the region where you create your app.

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect GitHub

Use the following procedure to sync data from GitHub to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. A GitHub administrator must obtain the GitHub instance personal access token to integrate with Agentspace Enterprise.

Create a GitHub connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect GitLab

Use the following procedure to sync data from GitLab to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. A GitLab administrator must obtain the GitLab instance personal access token to integrate with Agentspace Enterprise.

Create a GitLab connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect HubSpot

Use the following procedure to sync data from HubSpot to Agentspace Enterprise.

After you set up your data source and import data the first time, you can choose how often the data store syncs with that source.

Before you begin

Before setting up the HubSpot connector, make sure that the required authentication credentials, including a private access token (PAT), are available.

Create a super administrator user

To add a super administrator user to a HubSpot project, do the following:

1. Sign in to the HubSpot Developer Console with your super administrator user credentials.
2. Click Settings.
3. Navigate to Users and teams.
4. Click Create user.
5. Fill in the email address of the user you want to add and click Next.
6. Under Assign a seat drop-down list, select Use a custom permission set.
7. Click Choose a custom permission set.
8. Under Permissions sets, select Super admin.
9. Click Next.
10. In the Review user access window, check your access settings and then click Checkout.

Create a HubSpot private access token

To create a HubSpot PAT, do the following:

1. Sign in to the HubSpot Developer Console with your super administrator user credentials.
2. Navigate to Settings > Integrations.
3. Fill in the Name and Description.
4. Click + Add new scope.
5. Add all the required scopes.
6. Click Create app.
7. Click Continue creating and copy the private access token.
8. Click Close.

Create a HubSpot connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Jira Cloud

Use the following procedure to sync data from Jira Cloud to Agentspace Enterprise.

After you set up your data source and import data the first time, you can choose how often the data store syncs with that source.

Before you begin

Before setting up your connection:

1. Verify that you have administrator access to the Jira instance, and project.

2. Set up access control. Ensure that access control is properly configured for your data source. This step ensures that only authorized users can access and manage the data. For more information, see Use data source access control documentation.

3. For user permissions to apply correctly, Jira Cloud users must provide sharing consent.

4. Make sure that you have an Atlassian account, Jira instance, and project.

Set up authentication and permissions in Jira

Make sure that you have the necessary authentication details and administrator access to your Jira instance. Use the following instructions to create a client ID and client secret through the Atlassian Developer Console, configure the required OAuth 2.0 scopes, set up permissions for users, retrieve your instance URL and ID, configure roles, and authenticate to sync data between Jira Cloud and Agentspace Enterprise. To enable OAuth 2.0 and obtain the client ID and secret, see OAuth 2.0 (3LO)apps in the Atlassian Developer documentation.

Authorization clients for Jira actions are different than those for ingesting Jira data. They use different permissions and a different callback URL configuration. For how to set up authorization clients clients for actions, see Add Jira Cloud actions.

Create client ID and client secret

1. Create an OAuth 2.0 integration in the Atlassian Developer Console:

   1. Sign in to the Atlassian Developer Console.
   2. Click the profile icon and select Developer Console.
   3. Click Create and select OAuth 2.0 Integration.

   4. Enter a name for the app and do the following:

      1. Check the terms and conditions checkbox.
      2. Click Create.
      3. Click Authorization.
      4. In the Authorization type table, select Add for OAuth 2.0 (3LO).

   5. In the Callback URL field, enter https://vertexaisearch.cloud.google.com/console/oauth/jira_oauth.html.

   6. Click Save changes.

   If you see the warning: Your app doesn't have any APIs. Add APIs to your app, proceed to step 2 and complete all the remaining steps. Otherwise, skip to step 4 and step 5.

2. Enable OAuth 2.0:

   1. Select Permissions:

      1. Go to Jira API.
      2. Click Add.
      3. Click Configure.
      4. Go to the Classic scopes tab and click Edit scopes. Select the following scopes:

         View Scopes

         • read:avatar:jira
         • read:audit-log:jira
         • read:group:jira
         • read:issue-security-level:jira
         • read:issue-security-scheme:jira
         • read:jira-user
         • read:jira-work
         • read:user:jira

   2. Confirm that eight scopes are selected, then save your changes.

3. Obtain the client ID and client secret:

   1. Click Distribution.

   2. Select Edit, and do the following:

      1. Select Sharing to enable editing other fields.
      2. Fill out the remaining fields.
      3. Select Yes when you see Does your app store personal data?

   3. Select Settings to copy your Client ID and Client Secret.

4. Obtain the instance URL:

   1. Go to atlassian.net and sign in with your administrator account.
   2. Select the app you want to sync. For example, sync the first app.
   3. Find the instance URL, which is the subdomain in the address bar.

5. Obtain the instance ID:

   1. Open a new tab, copy the instance URL, and append /_edge/tenant_info to the instance URL. For example, https://YOUR-INSTANCE.atlassian.net/_edge/tenant_info.
   2. Navigate to the link to find the cloudId value. The cloudId is your instance ID.

Set up permissions and roles

1. Sign in to atlassian.com with your administrator account.
2. Click the menu icon on the top left or go to admin.atlassian.com.
3. On the Admin page, click Manage users and go to the Groups page.
4. Click Create group. Enter a name for the group and create it.
5. Click Add product.
6. On the Add products to group dialog, select User access admin as the product role.
7. Click Add.
8. On the Groups page, click Add group members to add users or accounts that the connector authenticates.

For user permissions to apply correctly, each Jira Cloud user must make their email visible to all users. To achieve this, change the email visibility settings in Confluence Cloud and set the visibility to Anyone. For more information, see Set your email visibility in the Atlassian documentation.

Create a Jira Cloud connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Jira Data Center On-premises

Use this procedure to create a Jira Data Center data store and search app in Agentspace Enterprise, syncing on-premises Jira data with Agentspace Enterprise.

After you set up your data source and import data the first time, you can choose how often the data store syncs with that source.

Before you begin

Before setting up your connection, make sure that you have the following:

1. Service attachment (Required for private destination type only): Configure a service attachment for secure data transfer.
2. Username and password: Obtain valid credentials for authentication from your Jira administrator.
3. Optional for private destination type: Domain URL: Specify the URL of the Jira Data Center instance.
4. Optional: Base domain name: Provide the base domain name for the Jira instance.
5. Optional: Destination port: Identify the port used for communication with the Jira Data Center.

6. Use the following configuration guidelines to establish connections with Private Service Connect (PSC). Adjust or add resources as needed. Make sure the PSC service attachment is properly configured to connect to the private instance and meets the requirements for a published service.

   1. Configure network settings:

      1. Place the PSC service attachment and load balancer in different subnets within the same Virtual Private Cloud network.

      2. The backend system must remain closed to the public network for security reasons. However, ensure it can accept traffic from the following sources:

         • For proxy-based/HTTP(s) load balancers (L4 proxy ILB, L7 ILB), configure the backend to accept requests from the proxy subnet in the Virtual Private Cloud network.

         • For more information, see the Proxy-only subnets for Envoy-based load balancers documentation.

   2. Adjust firewall rules:

      1. Ingress rules:

         • Allow traffic from the PSC service attachment subnet to the internal load balancer (ILB) subnet.
         • Make sure that the ILB can send traffic to the backend.
         • Permit health check probes to reach the backend.

      2. Egress rules: Enable egress traffic by default, unless specific deny rules apply.

7. Additional considerations: Make sure to keep all the components, including the PSC service attachment and load balancer, in the same region.

Generate a service attachment

Use the following steps to generate a service attachment:

1. Decide endpoint type: Select Public or Private endpoint.

2. For Public endpoint: If the Jira Data Center Destination type is Public, you are not required to create the setup for service attachment. Instead, you can use your public URL in the Domain URL field of the Google Cloud console.

3. For Private endpoint:

   1. Use PSC to enable connections from private instances to Google Cloud.
   2. Create a Virtual Private Cloud network and required subnets.
   3. Create a Virtual Machine (VM) instance and install the backend service.
   4. Optional: Set up a health check probe to monitor backend health.
   5. Add a load balancer to route traffic to the VM or backend.
   6. Define firewall rules to allow traffic between the PSC endpoint and the backend.
   7. Publish the endpoint by creating a PSC service attachment.

Create a Jira Data Center user and set up permissions

To enable Agentspace Enterprise to obtain data from Jira, you need to create a new user with the minimum permissions necessary. Follow these steps to create the user and set up the required permissions.

1. Sign in as an administrator:

   1. Go to your Atlassian domain site and open Jira Data Center instance.
   2. Enter the administrator username and password.
   3. Click Log In.

2. Create a new user:

   When creating a data store, you must create a user to obtain data from the third-party instance.

   1. Click the settings icon.
   2. Select User management.
   3. Enter the administrator credentials, if prompted.
   4. In the Administration page, click Create user.
   5. Enter the email address, full name, username, and password.
   6. Click Create user.

3. Assign user to a group:

   1. In the Administration page, under User management, click Groups.
   2. Create a group by entering a name and clicking Add group.
   3. Select the newly created group.
   4. Click Add/Remove users.
   5. Click the member icon located next to the Add members to selected groups box.
   6. Select the newly created user and click Save the selection.
   7. Click Add selected user to see new users in the group members section.

   You can see the added user is assigned in the Group members section.

4. Configure user permissions:

   1. In the Administration page, navigate to the Issues tab.
   2. Select Permission schemes.
   3. Click Add permission scheme.
   4. Enter a name for the scheme and click Add.
   5. Select the scheme and click the Permission icon.
   6. Click Grant permission.
   7. Add the following permissions, assign these permissions to the group created earlier, and click Grant:
      1. Browse projects.
      2. Browse projects archive.
   8. Add this scheme to projects where users in the group need access to view the project, issues, comments, worklogs, and attachments.

Configure application access

1. In the Administration page, navigate to the Applications tab.
2. Under the Applications tab, select Application access.
3. Search for the created group and select it.
4. Verify that the group appears in the access list.

The user is created with minimum access. This schema is added to the projects. The Jira administrator can add more members to that group or add users to that project.

Create a Jira Data Center on-premises connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Marketo Cloud

Use the following procedure to sync data from Marketo Cloud to Agentspace Enterprise..

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up the connection, make sure that you have the authentication credentials, including a client ID and client secret.

Generate authentication credentials

1. Create a Marketo administrator user:

   1. Sign in to Marketo with the administrator user instance.
   2. From the Home tab, click Admin.
   3. Navigate to Security > Users & roles and click Go to admin console.
   4. In the Adobe console, under Quick links, click Add users.

   5. In the Add users to your team dialog:

      1. Enter your email address.
      2. Select the product subscription as Marketo Engage – googledevsandbox.
      3. Click Save.

   6. Return to Marketo admin > Security > Users & roles and locate the newly created user.

   7. Select the user and click Edit.

   8. Remove the Standard user role and assign the Admin role.

   9. Click Save.

2. Create a Marketo client ID and secret key:

   1. Go to the Marketo auth services instance.
   2. Enter the administrator credentials and then click Continue.
   3. Click Admin.
   4. In the Admin dashboard, go to Security > Users & roles.
   5. Click Create API only user.

   6. In the Create new API only user window, do the following:

      1. Fill in the required fields:

         • Email
         • First name
         • Last name

      2. Select the required roles, and click Create API only user.

   7. Click Admin and then navigate to Integration > LaunchPoint.

   8. Click New > New services.

   9. In the New services window, do the following:

      1. Enter a Display name for identification.
      2. In the Service field, select Custom.
      3. Enter a description.
      4. In the API only user field, select the previously created API user.
      5. Click Create. The API user appears in the Installed services page.

   10. In the Installed services page, navigate to the API user row.

   11. Under the Details column, click View details to retrieve the Client ID and Secret key.

Create a Marketo Cloud connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Microsoft Outlook

Use the following procedure to sync data from Microsoft Outlook to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. A Microsoft Outlook administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • Client ID
   • Client secret
   • Tenant ID

3. Configure the following scopes:

   View scopes

   • Calendars.Read
   • Calendars.ReadBasic.All
   • Contacts.Read
   • Mail.Read
   • Mail.ReadBasic
   • Mail.ReadBasic.All
   • User.Read.All
   • User.ReadBasic.All

Create a Microsoft Outlook connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Microsoft Teams

Use the following procedure to sync data from Microsoft Teams to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. A Microsoft Teams administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • Client ID
   • Client secret
   • Tenant ID

3. Configure the following Microsoft Graph (Application) permissions with the consent of a Microsoft Teams administrator:

   View scopes

   • TeamSettings.Read.All
   • GroupMember.Read.All
   • User.Read.All
   • Directory.Read.All
   • ChannelSettings.Read.All
   • Chat.ReadBasic.All
   • ChannelMessage.Read.All
   • Chat.Read.All
   • Files.Read.All
   • ChannelMember.Read.All

Create a Microsoft Teams connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Monday

Use the following procedure to sync data from Monday to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection, make sure that you have the domain URL, administrator access, and API token.

To generate the account URL and API token, do the following:

1. Sign in to the Monday application with your administrator account.
2. Click the Profile icon.
3. Select Administration.
4. Navigate to the General tab and enter the Account name and Account URL.
5. Return to the Profile icon and select Developers.
6. On the Monday developer center page, click My access tokens.
7. Click Show to display the token.
8. Copy the token for use in authentication.

Create a Monday connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Notion

Use the following procedure to sync data from Notion to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connector:

1. In addition to the third-party connector allowlist, this connector requires that your project is added to an additional allowlist. To be added to this allowlist, contact your Agentspace Enterprise account team.

2. A Notion administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • API token of the Notion instance
   • Workspace ID

3. Set up access control for your data source. For information about setting up access control, see Use data source access control.

Create a Notion connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Okta

Use the following procedure to sync data from Okta to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connector, make sure that you have the domain URL and administrator access to the Okta instance. Use the following steps to obtain the Okta instance URL, client ID, and API token.

1. To obtain the Okta instance URL, do the following:

   1. Sign in to the Okta login page with your administrator credentials.
   2. Click your profile icon or navigate directly to the Admin console. Your Okta instance URL appears as the subdomain in the address bar.

2. To generate the client ID and API token, do the following:

   1. Sign in to your Okta instance URL with your administrator account.
   2. Navigate to the Admin dashboard.
   3. Click the Applications icon and select Applications.
   4. Click Create app integration.
   5. Select OIDC - OpenID Connect.
   6. Select Web application as the application type, and then click Next.
   7. Enter a name in the App integration name field.
   8. Scroll to see Assignments, select Skip group assignment for now.
   9. Click Save.
   10. In the Client credentials window, click Edit.
   11. Select Public key / Private key.
   12. Under Public key, click Add key.
   13. Click Generate new key, and then click Done and Save.
   14. A dialog appears; click Save.
   15. Under General settings, click Edit.
   16. Select Client credentials, and then click Save.

Create a Okta connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect OneDrive

Use the following procedure to sync data from OneDrive to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. Have the following OneDrive authentication information ready:

   1. Client ID, client secret, and tenant ID. For information about setting up these parameters, see Quickstart: Register an application with the Microsoft identity platform in the Microsoft documentation.

   2. Specify scopes for access. An administrator role is required. For more information, see Quickstart: Configure a client application to access a web API in the Microsoft Entra documentation.

   3. Configure the following scopes:

      View scopes

      • Files.Read.All (Application)
      • Group.Read.All (Application)
      • User.Read.All (Application)

Create a OneDrive connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Salesforce

Use the following procedure to sync data from Salesforce to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. Have the following authentication information ready. For information about setting up client ID and client secret in Salesforce, see Configure a connected app for the OAuth 2.0 client credentials flow in the Salesforce documentation.

   • Instance URL
   • Consumer ID
   • Consumer secret

The following limitations apply:

1. Use either an Enterprise or Developer plan. Trial accounts are not supported.
2. Make sure that you are using Sales Cloud. Service Cloud is not supported.
3. Add Google Cloud to Salesforce CORS allowlist. Go the next step if you have already completed this task.
   1. Follow the instructions in the Salesforce documentation to configure the CORS allowlist.
   2. Enter https://console.cloud.google.com/ as an origin URL and save your configuration.

Create a Salesforce connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect ServiceNow

Use the following procedure to sync data from ServiceNow to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection, ensure you have the following in place:

1. ServiceNow instance: Create a ServiceNow instance by following the instructions on the ServiceNow Developer documentation.

2. Google Cloud project: Set up a Google Cloud project with an administrator account capable of managing organization-level configurations, ensuring the organization can set up a workforce pool.

3. Workforce pool: Make sure your organization is set up to manage a workforce pool.

Set up ServiceNow

ServiceNow offers two primary sites:

1. Main ServiceNow site: The site for your ServiceNow instance.

   • Manages users, groups, and system administration tasks.
   • URL: The URL for your ServiceNow instance.
   • Sign in using your administrator credentials.

2. Developer site:

   • Configures the knowledge base, sets up workflows, and develops custom applications.
   • URL: https://developer.service-now.com.
   • Sign in using your ServiceNow ID.

To create an OAuth endpoint, do the following:

1. Sign into the main ServiceNow instance with administrator privileges.
2. Navigate to All > System OAuth > Application registry.
3. Click New, then select Create an OAuth API endpoint for external clients. Retrieve the client ID and client secret.

4. Fill in the required information:

   1. Name: Unique name.
   2. Redirect URL: https://vertexaisearch.cloud.google.com/console/oauth/servicenow_oauth.html.

5. Click Submit to create the credential.

6. After submission, click the name to view the client secret.

7. The secret is masked. Click the lock icon next to it to unmask and view the secret.

8. Keep a copy of the client ID and secret to use when required.

9. Go to developer.service-now.com and click Manage instance password.

10. Keep a copy of the username and password to use when required.

11. At this stage, all five pieces of information needed to set up a ServiceNow data store are available. If there are no concerns with using the Admin role to pull data, proceed to creating a data store.

Set up roles and permissions

You must have a security Admin role to create and manage users. If you don't have this role, elevate your role to security_admin by clicking Elevate role under your profile. Select the security_admin role and click Update. The security_admin role is required to create roles and manage users.

1. Create a custom role with ACL rules:

   1. Navigate to All > User administration > Roles.
   2. Click New to create a new role.
   3. Select a name and click Submit.
   4. Navigate to System security > Access Control (ACL) to create a new ACL rule.
   5. Click New to create a new ACL rule.
   6. Select a role, such as sys_user_role.
   7. Click Submit and assign the role.

   8. Repeat this process until all the table access is granted. The connector requires access to the following tables for each entity to run successfully:

      1. Incident: incident.
      2. Catalog item: sc_cat_item, sc_cat_item_user_criteria_mtom, sc_cat_item_user_criteria_no_mtom, sc_cat_item_user_mtom, sc_cat_item_user_no_mtom.
      3. Knowledge: kb_knowledge, kb_knowledge_base, kb_uc_can_read_mtom, kb_uc_can_contribute_mtom.
      4. Attachment: All listed items.
      5. Identity: sys_user_role, sys_user_has_role, sys_user_group, sys_user_grmember, sys_user.
      6. Updated as new criteria are pulled: core_company, cmn_location, cmn_department.
      7. User criteria: user_criteria.

   9. Verify all ACLs are updated by navigating to sys_security_acl_role_list.do in the search bar.

   10. Select the role to verify.

   11. Confirm that all the required ACLs are assigned to the selected role.

2. Grant the role to a service account:

   1. Go to All > User Administration > Users and select the user.
   2. Find the user to grant the role to and select the user.

3. If no user is available, navigate to System security > Users and groups > Users.

4. Click New to create a new service account in the User table.

5. Ensure to check the Web service access only checkbox.

6. Go to the Roles table at the bottom of the page.

7. Click Edit on the right.

8. Grant the role created earlier and assign it to the user. Depending on the type of role created, select the appropriate one and assign it.

9. Obtain the username and password for the user. From the same page, click Set password.

10. Auto-generate a password and save it for later use:

    1. User ID: manager.
    2. Password: Enter the auto-generated password.

Configure the workforce pool

Follow the instructions to set up a workforce pool with one of the following configurations:

1. Azure OIDC setup
2. Azure SAML setup
3. Okta & OIDC setup
4. Okta & SAML setup

Create a ServiceNow connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect SharePoint Data Center On-premises

This section describes the process to create a SharePoint Data Center on-premises connector.

Sync data from SharePoint Data Center on-premises

Use the following procedure to sync data from SharePoint Data Center on-premises.

After setting up your data source and importing data for the first time, the data store synchronizes data from the source at the frequency specified during configuration.

Before you begin

Before setting up your connection, do the following:

1. Service attachment (required for private destination type only): Use the following steps to generate a service attachment for secure data transfer.

   1. Decide endpoint type: Select Public or Private endpoint.

   2. For Public endpoint: If the SharePoint Data Center Destination type is Public, you are not required to create the setup for service attachment. Instead, you can use your public URL in the Domain URL field of the Google Cloud console when creating your connector.

   3. For Private endpoint:

      1. Use private service connect (PSC) to enable connections from private instances to Google Cloud
      2. Create a Virtual Private Cloud network and required subnets.
      3. Create a virtual machine (VM) instance and install the backend service.
      4. Optional: Set up a health check probe to monitor backend health.
      5. Add a load balancer to route traffic to the VM or backend.
      6. Define firewall rules to allow traffic between the PSC endpoint and the backend
      7. Publish the endpoint by creating a PSC service attachment.

2. Username and password: Obtain valid credentials for authentication from your SharePoint administrator.

3. Optional for the private destination type: Domain URL: Keep the domain URL of the SharePoint Data Center instance if the instance is behind a proxy or SSL-based connection.

4. Optional: Base domain name: Provide the base domain name for the SharePoint instance.

5. Optional: Destination port: Identify the port used for communication with the SharePoint Data Center.

6. Use the following configuration guidelines to establish connections with Private Service Connect (PSC). Adjust or add resources as needed. Make sure the PSC service attachment is properly configured to connect to the private instance and meets the requirements for a published service.

   1. Configure network settings:

      1. Place the PSC service attachment and load balancer in different subnets within the same Virtual Private Cloud network.

      2. The backend system must remain closed to the public network for security reasons. However, ensure it can accept traffic from the following sources:

         • For proxy-based/HTTP(s) load balancers (L4 proxy ILB, L7 ILB), configure the backend to accept requests from the proxy subnet in the Virtual Private Cloud network.

         • For more information, see the Proxy-only subnets for Envoy-based load balancers documentation.

   2. Adjust firewall rules:

      1. Ingress rules:

         • Allow traffic from the PSC service attachment subnet to the internal load balancer (ILB) subnet.
         • Make sure that the ILB can send traffic to the backend.
         • Permit health check probes to reach the backend.

      2. Egress rules: Enable egress traffic by default, unless specific deny rules apply.

7. Additional considerations: Make sure to keep all the components, including the PSC service attachment and load balancer, in the same region.

Create a SharePoint minimum access permission user and set up permissions

To create a SharePoint minimum access permission user, obtain a username and password from an administrator. The administrator must sign in and follow these steps to create a new user in the SharePoint Data Center instance:

1. Click the Start menu and navigate to Windows administrative tools > Active directory users and computers.
2. Launch the Active directory users and computers application.
3. Expand the organization unit and navigate to the Users container where the new user is added.
4. Right-click on Users and select New > User.
5. In the New object:User window, enter the following details:
   • First name (do not use a comma or dot)
   • Full name
   • User logon name
6. Click Next.
7. Enter and confirm the password, then select:
   • User cannot change password
   • Password never expires
8. Click Next, then Finish.
9. Locate the created user in the Users section, double-click on it, and select Properties.
10. In the Properties window, add an email for the user and click Apply.

Assign minimum access permissions to the SharePoint user

1. Navigate to the Site collection.
2. Click Settings (gear icon menu).
3. Go to Site Permissions.
4. Select Advanced permissions settings.
5. Locate and select the SiteName visitors group (this group is automatically created when the site is set up and has default read access).
6. Add the user to the SiteName visitors group to grant them read-only access.

Note: This access inherits all permissions for lists, libraries, pages, and events that have read permissions.

Configure the site collection in SharePoint

1. Sign in to the SharePoint admin console using the administrator username and password.
2. In the Central administration page, navigate to Application management.
3. Click Create site collections.
4. In the Create site collection page:
   • Enter the required details in the Title and Description fields.
   • In the Web site address section, enter the URL name for the site.
5. In the Primary site collection administrator section:
   • Click the Browse button next to the User name field.
   • In the Select people dialog, enter the administrator username and click the search icon.
   • Select the user and click Ok.
6. The Site successfully created page appears, displaying the site URL.
7. Copy the URL and open it in a new tab to access the site.

Sign in with the created user

1. Use the created user's credentials to sign in to the SharePoint site.
2. Verify access and permissions for the user.

Create a SharePoint Data Center On-premises connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create an app.

• To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect SharePoint Online

Use the following procedure to sync data from SharePoint Online to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. Grant administrator consent. For information about how to grant consent, see Grant tenant-wide administrator consent to an application in the Microsoft Entra documentation.

3. Prepare the following Sharepoint Online authentication information to use during setup:

   1. Instance URL. In the form http://DOMAIN_OR_SERVER/[sites/]WEBSITE.

   2. Federated authentication requires the tenant ID and client ID, while OAuth requires the tenant ID, client ID, and client secret. To register the application, select Accounts in this organizational directory only for the sign-in audience, and then locate this authentication information. For more information, see Quickstart: Register an application with the Microsoft identity platform in the Microsoft Entra documentation.

   3. When registering the application, use https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html as the web callback URL.

   4. When configuring application permissions, add the following application permissions for Graph API:

      View scopes

      • GroupMember.Read.All
      • Sites.FullControl.All
      • User.Read.All

   5. When configuring application permissions, add the following delegated permissions for Sharepoint REST API:

      View scopes

      • AllSites.FullControl

4. The following table describes the roles that are recommended for configuration and their limitations.

View roles

Roles	Client application registration	Fetch content of all entities	Fetch ACL	Fetch identity	Notes
Site Admins	No	Yes	Yes	Yes
Site Collection administrator	No	Yes	Yes	Yes
Global administrator	Yes	No	Yes	No	Limitation: The global administrator cannot fetch identity or comment and attachment entities.
Site owner	No	Yes	Yes	No	Limitation: The Site owner relates to Microsoft 365 administrator center / Entra administrator center, not specific to SharePoint.
Application administrator	Yes	N/A	N/A	N/A	The application administrator role is related to Microsoft 365 administrator center / Entra administrator center. It is not specific to Sharepoint.

Use this method for granular control over SharePoint REST API permissions, allowing you to restrict resource access on the user account. Make sure to create a new SharePoint user, which might add licensing costs. Use the OAuth 2.0 refresh token method to set up an Entra application registration and enable secure access to SharePoint.

Configure Entra application registration

Set up an Entra application registration to enable secure access to SharePoint. Choose between Federated credentials for token-based access or OAuth 2.0 refresh token for granular control. Use the following steps to configure the app registration, grant permissions, and establish authentication.

1. Federated credentials: Set up federated credentials to securely allow Google to access SharePoint using cryptographically signed tokens, avoiding the need for a real user principal. To configure permissions and grant access, do the following:

   1. Obtain service account client ID:

      1. In the Google Cloud console, go to the Agentspace Enterprise page.
      2. In the navigation menu, click Data stores.
      3. Click addCreate data store.
      4. On the Select a data source page, scroll or search for SharePoint Online to connect your third-party source.
      5. Note the Subject identifier.

   2. Register app in Microsoft Entra:

      1. Navigate to Entra administrator center.

      2. Create an app registration:

         • Supported account types: Accounts in the organizational directory only.
         • Keep other settings default and click Register.

      3. Note the Client ID and Tenant ID.

   3. Add federated credentials:

      1. Go to Certificates & secrets > Federated credentials > Add credential.

      2. Use the following settings:

         • Issuer: https://accounts.google.com
         • Subject identifier: Use the noted subject identifier.
         • Name: Provide a unique name.

      3. Click Add to grant access.

   4. Set API permissions:

      1. Add and grant administrator consent for the following permissions:

         • GroupMember.Read.All (Application): Read all group memberships.
         • Sites.Read.All (Application): Read all sites.
         • User.Read.All (Application): Read all users' full profiles.
         • Sites.FullControl.All (Application): Full control over all sites.

      2. Use Sites.Selected to assign specific site permissions instead of Sites.FullControl.All. Sites.Selected cannot be directly configured through the UI. After selecting Sites.Selected, you must call the Microsoft Graph API to explicitly grant the fullcontrol role to the application for the sites you want to crawl.

      3. Grant Sites.Read.All for crawling all subsites under a root site URL.

2. OAuth 2.0 refresh token: Configure OAuth 2.0 authentication using a client secret and a refresh token from the SharePoint user to enable granular control over SharePoint API access. To set up app registration, add a client secret, and assign API permissions, do the following:

   1. Create app registration:

      1. Navigate to Entra administrator center.

      2. Create an app registration:

         • Supported account types: Accounts in the organizational directory only.
         • Redirect URI: https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html.

      3. Note the Client ID and Tenant ID.

   2. Add client secret:

      1. Go to Certificates & secrets > New client secret.

      2. Note the secret string.

   3. Set API permissions:

      1. Add and grant administrator consent for the following permissions:

         • GroupMember.Read.All: Read all group memberships.
         • Sites.FullControl.All: Full control of all site collections.
         • User.Read.All: Read all users' full profiles.
         • AllSites.FullControl: Full control over all sites.

      2. Use a dedicated user account with limited access to specific sites.

      3. Make sure the account has Owner access to the selected sites.

Create a SharePoint Online connector

Test the search engine

After configuring your search engine, test its capabilities. This ensures it returns accurate results based on user access.

1. Enable web app:

   1. Go to the app integration configurations and toggle to Enable the web app.

2. Test web app:

   1. Click Open next to the web app link and sign in with a user in your workforce pool.

   2. Verify that search results are restricted to items accessible by the logged-in user.

Configure the workforce pool

The workforce pool lets you to manage and authenticate users from external identity providers, such as Azure or Okta, within Google Cloud console. To configure your workforce pool and enable the web app for seamless user access, do the following:

1. Create workforce pool at the organization level in Google Cloud by following the appropriate setup manual:

   1. Azure OIDC setup
   2. Azure SAML setup
   3. Okta & OIDC setup
   4. Okta & SAML setup

2. Configure the workforce pool in Agentspace Enterprise > Settings for the region where you create your app.

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Slack

Use the following procedure to sync data from Slack to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. Contact the workspace owner to provide the permissions to install new apps in your workspace.

3. Prepare the following Slack authentication information:

   1. Workspace ID: Get the Workspace ID by following the instructions in Specify the Slack source for your data store in the Slack documentation.

   2. Access token: Create a client app and define the required scopes. For more information, see Quickstart and How to quickly get and use a Slack API token in the Slack documentation.

   3. When setting OAuth 2.0 permission scopes, configure the following scopes:

      View scopes

      • users:read.email
      • channels:history
      • channels:read
      • groups:history
      • groups:read
      • im:history
      • im:read
      • mpim:history
      • mpim:read
      • team:read
      • users:read
      • files:read

4. By default, Slack restricts crawling and syncing content from private channels, group messages, and direct messages.

Configure the Slack app

Obtain an access token to allow Agentspace Enterprise to ingest documents from your Slack workspace.

1. Generate a bot token to securely access private channels, instant messages (IMs), and multi-party instant messages (MPIMs). The bot token cannot crawl into the public channels it is not part of, and joining public channels generates a join message.

   1. Sign in to Slack API Apps.
   2. Click Create new app.
   3. Select From scratch.
   4. Enter a name for your app and select the workspace for integration.
   5. Click Create app.
   6. Click OAuth & permissions.
   7. Under Bot token scopes, add the following required scopes:

      View scopes

      • users:read.email
      • channels:history
      • channels:read
      • groups:history
      • groups:read
      • im:history
      • im:read
      • mpim:history
      • mpim:read
      • team:read
      • users:read
      • files:read

   By default, the bot reads from the #general and #random channels.

   1. To enable crawling, do the following:

      1. For public channels, grant the channels:join scope to allow the bot to join automatically.
      2. For private channels, invite the bot manually.

   2. Click Install to your username workspace.

   3. Follow the on-screen instructions to install the app and retrieve the bot token.

2. Generate a user token to access all public channels without joining them first. The user token cannot crawl private channels, IMs, or MPIMs unless the user has access.

   1. Sign in to Slack API Apps.
   2. Click Create new app.
   3. Select From scratch.
   4. Enter a name for your app and select the workspace for integration.
   5. Click Create app.
   6. Click OAuth & permissions.

   7. Under User token scopes, add the following required scopes:

      View scopes

      • users:read.email
      • channels:history
      • channels:read
      • groups:history
      • groups:read
      • im:history
      • im:read
      • mpim:history
      • mpim:read
      • users:read
      • files:read

   8. Click Install to your username workspace.

   9. Follow the on-screen instructions to install the app and retrieve the user token.

Create a Slack Cloud connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Trello

Use the following procedure to sync data from Trello to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connector, make sure that the following steps are completed:

1. Verify that you have Trello administrator access. A Trello administrator must generate an API key and token in the following section.
2. Check that your project is added to the allowlist to use Trello.
3. Set up access control for your data source. For information about setting up access control, see Use data source access control.

A Trello administrator must perform the following steps:

1. Generate an API key in Trello:

   1. Sign in to the Trello instance using the provided test user credentials at Trello.

   2. On the Trello Power-ups admin page, navigate to Access Power-up Admin.

   3. Click New to create a new Power-up.

   4. Fill in the required details:

   5. Click Next to proceed, then generate an API key. Copy the API key and secret.

2. Generate an API token in Trello:

   1. Click the Generate token link on the right to generate an API Token.

      1. Click Allow to grant access to your API token.
      2. Ensure that all required entities have the correct permissions in the scope.

   2. Copy the generated API token. Use this token for the Trello connector on Agentspace Enterprise.

For more information about Trello API, see API Introduction.

Create a Trello connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect WordPress

Use the following procedure to sync data from WordPress to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up the connection, ensure you have the following:

• Username and password: Obtain the credentials from the WordPress administrator.
• Site URL: Use this URL for data store creation.

Create a WordPress user

To create a WordPress user, obtain a username and password from an administrator. The administrator must sign in and follow these steps to create a new user in the WordPress instance.

1. Sign in as an administrator:

   1. Navigate to your hosting platform and sign in with your administrator credentials to access your WordPress website.
   2. Click the Website icon.
   3. Click WordPress admin for your site.

2. Create a new user:

   1. On the WordPress admin page, navigate to the Users tab.
   2. Click Add new.
   3. Fill in all the required details, including:
      • Username
      • Email address
      • Optional: First and last name
      • Role
      • Password (if prompted)
   4. Click Add new user to save the changes.

Create a WordPress connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Workday

Use the following procedure to sync data from Workday to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before you create a Workday connector:

1. A Workday administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   1. Client ID. Obtain from the View API Clients page in Workday.
   2. Client secret. Obtain from the View API Clients page in Workday.
   3. Refresh token. Obtain from the View API Clients page in Workday.
   4. Optional: Proxy Server. The hostname or IP address of a proxy to route HTTP traffic through.
   5. Optional: Base URL. The base URL for the Workday connection.
   6. Optional: API URL. The complete URL to the API endpoint to use for making SOAP requests. For example: https://HOST.workday.com/ccx/service/TENANT/SERVICE
   7. Workday tenant. The tenant for the account. For example, abc_cms1. You can get the name of the tenant in your Workday instance configuration details.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

Create a Workday connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Zendesk

Use the following procedure to sync data from Zendesk to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. In addition to the third-party connector allowlist, this connector requires that your project is added to an additional allowlist. To be added to this allowlist, contact your Agentspace Enterprise account team.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

3. A Zendesk administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   1. Access token. API Token of your Zendesk instance.
   2. Instance URI.

Create a Zendesk connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.