Connect a third-party data source

Stay organized with collections Save and categorize content based on your preferences.

This page describes how to connect third-party data sources to Agentspace Enterprise.

When you connect a third-party data source, Agentspace Enterprise creates a data connector, and associates data stores (called entity data stores) with it for the entities that you specify. Entity types are specific to the data source that you're connecting to. For example, Jira Cloud entities include issues, attachments, comments, and worklogs.

To import data from a Google data source instead, see Create a first-party data store.

If you are using customer-managed encryption keys, see About single-region keys for third-party connectors.

Before you begin

1. Contact your Google account team and ask to be added to the allowlist for third-party data source connectors.

2. Go to the section for the source you plan to use:

   • Connect Adobe Experience Manager
   • Connect AODocs (Additional allowlist)
   • Connect Asana
   • Connect Box
   • Connect Coda
   • Connect Confluence Cloud
   • Connect Confluence Data Center On-premises
   • Connect DocuSign
   • Connect Dropbox
   • Connect Entra ID
   • Connect GitHub
   • Connect GitLab
   • Connect Jira Cloud
   • Connect Jira Data Center On-premises
   • Connect Marketo Cloud
   • Connect Microsoft Outlook
   • Connect Microsoft Teams
   • Connect Monday
   • Connect Notion (Additional allowlist)
   • Connect Okta
   • Connect OneDrive
   • Connect Salesforce
   • Connect ServiceNow
   • Connect SharePoint Data Center On-premises
   • Connect SharePoint Online
   • Connect Slack
   • Connect WordPress
   • Connect Zendesk (Additional allowlist)

Connect Adobe Experience Manager

Use the following procedure to sync data from Adobe Experience Manager to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. In addition to the third-party connector allowlist, this connector requires that your project is added to an additional allowlist. To be added to this allowlist, contact your Agentspace Enterprise account team.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

3. An Adobe Experience Manager administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • Service credentials of your Adobe Experience Manager instance
   • Instance URL of your Adobe Experience Manager site

Create a Adobe Experience Manager connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create an app.

• To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect AODocs

Use the following procedure to sync data from AODocs to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. In addition to the third-party connector allowlist, this connector requires that your project is added to an additional allowlist. To be added to this allowlist, contact your Agentspace Enterprise account team.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

3. An AODocs administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • Instance ID (Domain URL of your AODocs instance)
   • Client ID
   • Client secret

Create a AODocs connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Asana

Use the following procedure to sync data from Asana to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

• Set up access control for your data source. For information about setting up access control, see Use data source access control.

• An Asana administrator must generate or obtain the personal access token (PAT) following for authentication. For more information, see Personal access token in the Asana documentation.

To invite a member to an Asana workspace , do the following:

1. Sign in to Asana application with your administrator account.

2. Select the relevant project.

3. In the Share visitors dialog, under Invite with email:

   1. Click Invite.
   2. Enter the user's email address.
   3. Choose the permission level as Viewer.

To generate a PAT, do the following:

1. Open the Asana Developer Console.

2. Click My apps.

3. Click addCreate token.

4. In the Create new token dialog, fill the required information.

5. Click Create token.

6. Copy the token for later use.

7. Click Done.

Create an Asana cloud connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Box

Use the following procedure to sync data from Box to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. You must have administrator access to the Box instance with 2FA enabled. All the set up instructions can only be performed from the administrator account.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

3. Read Setup with JWT in the Box documentation for an overview of the setup with screenshots.

Create a Box app

1. Sign in to the Box Developer Console with your administrator account.
2. Click Create platform app.
3. Select App type as Custom app.
4. Enter the App name.
5. Set the following properties:
   1. Purpose: Integration
   2. Categories: AI
   3. External system: Google Cloud Agentspace Enterprise
6. Select Authentication method as Server authentication (with JWT).
7. Click Create app.

Configure the Box app

1. In the Box Developer Console, choose the Platform app and then go to the Configuration tab.
2. In the App access level section, select App + Enterprise access.

3. In the Application scopes section, select the following scopes:

   1. Read all files and folders stored in Box
   2. Write all files and folders stored in Box
   3. Manage users
   4. Manage groups
   5. Manage enterprise properties

4. In the Advanced features section, select Make API calls using the as-user header.

5. In the Add and manage public keys section, click Generate a public/private keypair.

   1. The public key is automatically uploaded to the console with an ID. This ID is used when creating a connection.
   2. You can download a configuration file with the private key and passphrase. Make sure to keep this file for later use.
   3. Optionally, to generate your own key, see the Box keypair setup guide.

6. Click Save changes.

Authorize the Box app

1. In the Box Developer Console, choose the Platform app and then go to the Authorization tab.
2. Click Review and submit.
3. In the Review app authorization submission dialog, click Submit.
4. Sign in to the Box admin platform apps manager with your administrator account.
5. Choose the Platform app that you have configured.
6. Click the three dots (...) in the corresponding row.
7. Select Authorize app from the drop-down list.
8. In the Authorize app dialog, click Authorize to complete the authorization process.

Have the following Box authentication information ready:

• Enterprise ID: Obtain it from the General settings tab.
• Client ID and Client secret: Obtain it from the Configuration tab under OAuth 2.0 credentials.
• Private key, Key ID, and Passphrase: These parameters were already generated and downloaded to a local file from the Configuration tab under Add and manage public keys while configuring the app.

Create a Box connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Coda

Use the following procedure to sync data from Coda to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. A Coda administrator must generate or obtain the Coda API token to integrate with Agentspace Enterprise.

Create a Coda connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Confluence Cloud

Use the following procedure to sync data from Confluence Cloud.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Verify that you have administrator access to the Confluence instance and project.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

Set up authentication and permissions in Confluence

Make sure that you have the necessary authentication details and administrator access to your Confluence instance. Use the following instructions to create a client ID and client secret through the Atlassian Developer Console, configure the required OAuth 2.0 scopes, set up permissions for users, retrieve your instance URL and ID, configure roles, and authenticate to sync data between Confluence Cloud and Agentspace Enterprise . To enable OAuth 2.0 and obtain the client ID and secret, see OAuth 2.0 (3LO) apps in the Atlassian Developer documentation.

1. Create an OAuth 2.0 integration in the Atlassian Developer Console:

   1. Sign in to Atlassian Developer Console.

   2. Click the profile icon and select Developer console.

      

   3. Click Create and select OAuth 2.0 Integration.

      

   4. Enter a name for the app and do the following:

      1. Check the terms and conditions checkbox.

      2. Click Create.

         

      3. Click Authorization.

      4. In the Authorization type table, select Add for OAuth 2.0 (3LO).

         

   5. In the Callback URL field, enter https://vertexaisearch.cloud.google.com/console/oauth/confluence_oauth.html.

   6. Click Save changes.

      

   If you see the warning: Your app doesn't have any APIs. Add APIs to your app, proceed to step 2 under the next section and complete all the remaining steps. Otherwise, skip ahead to step 4 in that same section.

To configure OAuth 2.0 and retrieve the required credentials for your Confluence connector setup, do the following:

1. Enable OAuth 2.0:

   1. Click Permissions.

      

   2. Go to Confluence API.

   3. Click Add.

   4. Click Configure.

   5. Go to the Granular scopes tab and click Edit scopes.

      

   6. Select the following scopes.

      View Scopes

      • read:attachment:confluence
      • read:configuration:confluence
      • read:content.metadata:confluence
      • read:content-details:confluence
      • read:group:confluence
      • read:space:confluence
      • read:user:confluence

   7. Confirm that seven scopes are selected and save your changes.

2. Obtain the client ID and client secret:

   1. Click Distribution.

   2. Select Edit.

      

   3. Select Sharing to enable editing other fields.

   4. Fill out the remaining fields. Make sure to set Vendor to Google and Privacy policy to policies.google.com.

   5. Select Yes when you see `Does your app store personal data?.

   6. Select Settings to copy your Client ID and Client secret.

      

3. Obtain the instance URL:

   1. Go to atlassian.net and sign in with your administrator account.
   2. Select the app you want to sync. For example, sync the first app.
   3. Find the instance URL. It appears as the subdomain in the address bar.

4. Obtain the instance ID:

   1. Open a new tab, copy the instance URL, and append /_edge/tenant_info to the instance URL. For example, https://<var>YOUR-INSTANCE</var>.atlassian.net/_edge/tenant_info.

   2. Navigate to the link to find the cloudId value. The cloudId is your instance ID.

      

Set up permissions and roles

To set the user visibility, do the following:

1. Click the user profile icon and go to Manage account.

   

2. Navigate to the Profile and visibility.

   

3. Go to Contact and set the Who can see this as Anyone.

   

To grant Confluence administrator with Discovery Engine Editor role in the Google Cloud console, do the following:

1. In the Google Cloud console, go to the Agentspace page.
2. Navigate to IAM.
3. Locate the Confluence administrator account.
4. Grant the Discovery Engine Editor role to the administrator.

To grant a user with an administrator role in Atlassian, do the following:

1. Sign in to Atlassian using an administrator account.

2. Click the menu icon and select your organization. Alternatively, you can go to admin.atlassian.com.

3. On the Admin page, click the product and select the Manage users button.

   

4. Click Groups under User management.

5. On the Groups page:

   1. Click Create group.
   2. Enter a name for the group.

   

This group receives permissions required by the connector. Users added to this group inherit these permissions.The connector uses this group to authenticate and fetch documents.

1. On the group page, click Add product.

   1. Select User access admin as the product role.

   2. Click Add.

      

2. Click Add group members to add the user account or group members that the connector uses to authenticate.

   

Create a Confluence Cloud connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create an app.

• To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Confluence Data Center On-premises

Use this procedure to create a Confluence Data Center data store and search app in Agentspace Enterprise, syncing on-premises Confluence data with Agentspace Enterprise.

After you set up your data source and import data the first time, you can choose how often the data store syncs with that source.

Before you begin

Before setting up your connection, make sure that you have the following:

1. Service attachment (required for private destination type only): Configure a service attachment for secure data transfer.
2. Username and password: Obtain valid credentials for authentication from your Confluence administrator.
3. Optional for private destination type: Domain URL: Specify the URL of the Confluence Data Center instance.
4. Optional: Base domain name: Provide the base domain name for the Confluence instance.
5. Optional: Destination port: Identify the port used for communication with the Confluence Data Center.

6. Use the following configuration guidelines to establish connections with Private Service Connect(PSC). Adjust or add resources as needed. Make sure the PSC service attachment is properly configured to connect to the private instance and meets the requirements for a published service.

   1. Configure network settings:

      1. Place the PSC service attachment and load balancer in different subnets within the same Virtual Private Cloud network.

      2. The backend system must remain closed to the public network for security reasons. However, ensure it can accept traffic from the following sources:

         • For proxy-based/HTTP(s) load balancers (L4 proxy ILB, L7 ILB), configure the backend to accept requests from the proxy subnet in the Virtual Private Cloud network.

         • For more information, see the Proxy-only subnets for Envoy-based load balancers documentation.

   2. Adjust firewall rules:

      1. Ingress rules:

         • Allow traffic from the PSC service attachment subnet to the internal load balancer (ILB) subnet.
         • Make sure that the ILB can send traffic to the backend.
         • Permit health check probes to reach the backend.

      2. Egress rules: Enable egress traffic by default, unless specific deny rules apply.

7. Additional considerations: Make sure to keep all the components, including the PSC service attachment and load balancer, in the same region.

Generate a service attachment

Use the following steps to generate a service attachment:

1. Decide endpoint type: Select Public or Private endpoint.

2. For Public endpoint: If the Confluence Data Center Destination type is Public, you are not required to create the setup for service attachment. Instead, you can use your public URL in the Domain URL field of the Google Cloud console when creating your connector.

3. For Private endpoint:

   1. Use Private Service Connect (PSC) to enable connections from private instances to Google Cloud.
   2. Create a Virtual Private Cloud network and required subnets.
   3. Create a Virtual Machine (VM) instance and install the backend service.
   4. Optional: Set up a health check probe to monitor backend health.
   5. Add a load balancer to route traffic to the VM or backend.
   6. Define firewall rules to allow traffic between the PSC endpoint and the backend.
   7. Publish the endpoint by creating a PSC service attachment.

Create a Confluence Data Center user and set up permissions

To enable Agentspace Enterprise to obtain data from Confluence, you need to create a new user with the minimum permissions necessary. Follow these steps to create the user and set up the required permissions.

1. Sign in as an administrator:

   1. Go to your Atlassian domain site and open the Confluence Data Center instance.
   2. Enter the administrator username and password.
   3. Click Log In.

2. Create a new user:

   When creating a data store, you must create a user to obtain data from the third-party instance.

   1. Click the settings icon.
   2. Select User management.
   3. Enter the administrator credentials, if prompted.
   4. In the Administration page, click Create user.
   5. Enter the email address, full name, username, and password.
   6. Click Create user.

3. Assign user to a group:

   1. In the Confluence administration page, navigate to the Users and security tab and click Groups.
   2. Click Add group. Enter a name for the group and create it.
   3. In the Find group field, enter the group name to find the group.
   4. Click the settings icon.
   5. Select the profile account and navigate to User management.
   6. In the Users page, under List users, search for the newly created user in the Find user field.
   7. Click the user to open the View users page.
   8. Click Edit groups to open the Edit user group page.
   9. Select the checkbox for the created user group.
   10. Click Save to assign the user to the newly created group.

   The added user is assigned in the Group members section.

4. Configure user permissions:

   1. In the Confluence administration page, navigate to the Issues tab.
   2. Locate Permissions.
   3. Select View global permissions.
   4. Select Edit permissions.
   5. In the Edit global permissions page, search for the group assigned to the user, and enable the can use option.

Configure the documentation space

1. Click the Confluence icon to navigate to the Dashboard page.
2. Click Create space.
3. Select Documentation space and click Next.
4. Enter all the necessary details and click Create to create the documentation space.
5. Under My spaces, click the newly created space.
6. Navigate to Pages, and open the menu (three dots).
7. Select Restrictions.
8. From the Restrictions drop-down menu, select the Viewing and editing restricted option.
9. Search for the group and assign the can view permission.
10. Click Apply. The user is created with minimum access and permissions are set for spaces. You can also assign permissions to the blogs.

Create a Confluence Data Center On-premises connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect DocuSign

Use the following procedure to sync data from DocuSign to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up a connection for the DocuSign connector, make sure that you have the following credentials for authentication:

• Consumer key
• Private key
• Username

Generate keys and user credentials

Create a user in the DocuSign instance, assign the user to a group, and grant the required permissions to generate the consumer key, private key, and username needed for integration and authentication.

1. Register a DocuSign user: If you are a new user, use the following steps to create a DocuSign developer account. If you are an existing user, go to the access account details section.

   1. Go to the DocuSign developer account.

   2. Expand the Developer account drop-down and click Create account.

   3. On the Get your free developer account page, enter the required information:

      • First name
      • Last name
      • Email
      • Company
      • Country
      • DocuSign account status (if applicable)

   4. Click Get started.

   5. A Check your email window appears. Check your email for a verification code, enter it, and click Next.

   6. The Verify your mobile number window appears. Select the country code, enter your mobile number, and click Send code.

   7. Enter the temporary code received and click Verify.

   8. On the Set your password window, enter your password and click Next.

   9. The user is logged into the Sandbox environment.

2. Access account details:

   1. Click the User profile icon and select My apps & keys.

   2. The Account dashboard and Apps and keys page is displayed, showing the User ID, Account ID, and App base URL.

3. Generate apps and integration keys:

   1. Click Add app and integration key.

   2. In the Add integration key dialog, enter the app name and click Create app.

   3. The user is redirected to the app page. In the Authentication section, select Yes for the question "Is your application able to securely store a client secret?" and click Add secret key. A secret key is added.

   4. In the Service integration section, click Generate RSA.

   5. The RSA key pair dialog displays the keypair ID, public key, and private key. Copy both, as they are not displayed again.

4. Add user to production:

   1. Sign in to the DocuSign production instance.

   2. Click Admin.

   3. Navigate to Users and groups > Users.

   4. On the Seats & users page, under Seat usage, click Assign a seat.

   5. In the Add user page, enter the email address.

   6. Click Next.

   7. Complete the mandatory fields in the Profile information section.

   8. Click Next.

   9. In the Security section, add the Access code.

   10. Click Next.

   11. In the Permission profile and groups section, select the permission as Viewer.

   12. Click Add user.

   13. The Seats and users page is displayed, and the user appears under All users.

   14. Open the user email account and activate the account using the Account activation email.

   15. Click Activate, enter the Access code, and activate the account.

5. Generate RSA keypair:

   1. Navigate to Admin > Integrations > Apps and keys.

   2. On the Apps and keys page, click Actions and choose Edit for an existing app name from the Apps and integration keys section.

   3. On the App details page, go to the Service integration section and click Generate RSA.

   4. The RSA keypair dialog displays the keypair ID, public key, and private key. Copy all the details and click Close.

   5. Click the Profile icon and sign out.

6. Sign in to production instance: Sign in to the DocuSign production instance using minimum access user credentials. The Admin menu option is not displayed for the minimum access user account.

Create a DocuSign cloud connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Dropbox

Use the following procedure to sync data from Dropbox to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For more information, see Use data source access control.

2. Have the following Dropbox authentication information ready. For information about setting up these parameters, see the OAuth Guide in the Dropbox documentation.

   • Client ID
   • Client secret

Create a Dropbox connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Entra ID

Use the following procedure to sync data from Entra ID to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. To obtain the client ID and client secret, do the following:

   1. Create an Entra ID application:

      1. Sign in to Microsoft Entra administrator center and click Application.
      2. In the Application drop-down list, click App registrations.
      3. In the App registrations page, click New registration.
      4. Click Add new registration and do the following:
         • Enter a name for the application.
         • Under Supported account types, select Accounts in the organizational directory only.
         • Under Redirect URI, add a web redirect URI pointing to: https://login.microsoftonline.com/common/oauth2/nativeclient.
      5. Click Register.

   2. Save credentials:

      On your registered application window, save the following values for later use:

      1. Use the Application (client) ID to set the Client ID parameter.
      2. Use the Directory (tenant) ID to set the Azure Tenant parameter.

   3. Create client secret:

      1. Navigate to Certificates & secrets and create a new client secret:
      2. Click New client secret and specify the required duration.
      3. Save the client secret and copy the key value for later use.

Configure Entra ID API permissions

1. On your registered application window, click API permissions.

2. Under Configured permissions, select Microsoft Graph and configure the following permission:

   View permissions

   • User.Read.All (Application)

   If you want to ingest profileCardAttributes, then configure the following permissions:

   View permissions

   • People.Read.All (Application)
   • PeopleSettings.Read.All (Application)

3. Grant admin consent for all the added permissions. An administrator's consent is required to use client credentials in the authentication flow.

Create a Entra ID connector

Test the search engine

After configuring your search engine, test its capabilities. This ensures it returns accurate results based on user access.

1. Enable web app:

   1. Go to the app integration configurations and toggle to Enable the web app.

2. Test web app:

   1. Click Open next to the web app link and sign in as a user.

   2. Verify that search results are restricted to items accessible by the user.

Preview people search results

1. In the search app, navigate to Preview and start searching within the console when using Google IdP.

   • Alternatively, navigate to the provided link and sign in with your IdP to start searching.
   • The search results appear as people cards, displaying user details such as Name, Job title, Email, and Profile picture.

2. Click a people card to view a detailed profile page, which includes the following:

   • Name
   • Profile picture
   • Job title
   • Department
   • Management chain
   • Direct reports

3. If custom attributes (profile card properties) are ingested and made indexable, searchable, and retrievable:

   • Searching by a custom attribute value returns only person profiles containing those attributes.
   • Custom attributes appear in search results, but can only be accessed through the API, not the Agentspace Enterprise user interface.

Configure the workforce pool for non-Google IdP without SSO

1. If your employees use a non-Google IdP, lack SSO with Google, or are not Google Workspace customers, set up a workforce pool as described in Use data source access control to enable the employee search.

   The workforce pool lets you to manage and authenticate users from external identity providers, such as Azure or Okta, within Google Cloud console.

2. To configure your workforce pool and enable the web app for seamless user access, do the following:

   1. Create workforce pool at the organization level in Google Cloud by following the appropriate setup manual:

      1. Azure OIDC setup
      2. Azure SAML setup
      3. Okta & OIDC setup
      4. Okta & SAML setup

   2. Configure the workforce pool in Agentspace > Settings for the region where you create your app.

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect GitHub

Use the following procedure to sync data from GitHub to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. A GitHub administrator must obtain the GitHub instance personal access token to integrate with Agentspace Enterprise.

Create a GitHub connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect GitLab

Use the following procedure to sync data from GitLab to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. A GitLab administrator must obtain the GitLab instance personal access token to integrate with Agentspace Enterprise.

Create a GitLab connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Jira Cloud

Use the following procedure to sync data from Jira Cloud.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Verify that you have administrator access to the Jira instance, and project.

2. Set up access control. Ensure that access control is properly configured for your data source. This step ensures that only authorized users can access and manage the data. For more information, see Use data source access control documentation.

3. For user permissions to apply correctly, Jira Cloud users must provide sharing consent.

4. Make sure that you have an Atlassian account, Jira instance, and project.

Set up authentication and permissions in Jira

Make sure that you have the necessary authentication details and administrator access to your Jira instance. Use the following instructions to create a client ID and client secret through the Atlassian Developer Console, configure the required OAuth 2.0 scopes, set up permissions for users, retrieve your instance URL and ID, configure roles, and authenticate to sync data between Jira Cloud and Agentspace Enterprise . To enable OAuth 2.0 and obtain the client ID and secret, see OAuth 2.0 (3LO) apps in the Atlassian Developer documentation.

1. Create an OAuth 2.0 integration in the Atlassian Developer Console:

   1. Sign in to the Atlassian Developer Console.

   2. Click the profile icon and select Developer console.

      

   3. Click Create and select OAuth 2.0 Integration.

      

   4. Enter a name for the app and do the following:

      1. Check the terms and conditions checkbox.
      2. Click Create.

      

      1. Click Authorization.
      2. In the Authorization type table, select Add for OAuth 2.0 (3LO).

      

   5. In the Callback URL field, enter https://vertexaisearch.cloud.google.com/console/oauth/jira_oauth.html.

   6. Click Save changes.

      

   If you see the warning: Your app doesn't have any APIs. Add APIs to your app, proceed to step 2 under the next section and complete all the remaining steps. Otherwise, skip ahead to step 4 in that same section.

To configure OAuth 2.0 and retrieve the required credentials for your Jira connector setup, do the following:

1. Enable OAuth 2.0:

   1. Select Permissions:

      

      1. Go to Jira API.
      2. Click Add.
      3. Click Configure.
      4. Go to the Classic scopes tab and click Edit scopes.

      

      1. Select the following scopes:

         View Scopes

         • read:avatar:jira
         • read:audit-log:jira
         • read:group:jira
         • read:issue-security-level:jira
         • read:issue-security-scheme:jira
         • read:jira-user
         • read:jira-work
         • read:user:jira

   2. Confirm that eight scopes are selected, then save your changes.

   3. Go to the Granular scopes tab and click Edit scopes.

      

   4. Select the following scopes:

      View Scopes

      • read:issue-security-level:jira
      • read:issue-security-scheme:jira
      • read:group:jira
      • read:user:jira
      • read:avatar:jira
      • read:audit-log:jira

   5. Confirm that six scopes are selected, then save your changes.

2. Obtain the client ID and client secret:

   1. Click Distribution.

   2. Select Edit, and do the following:

      

      1. Select Sharing to enable editing other fields.
      2. Fill out the remaining fields. Make sure to set Vendor to Google and Privacy policy to policies.google.com.
      3. Select Yes when you see Does your app store personal data?.

   3. Select Settings to copy your Client ID and Client secret.

      

3. Obtain the instance URL:

   1. Go to atlassian.net and sign in with your administrator account.
   2. Select the app you want to sync. For example, sync the first app.
   3. Find the instance URL, which is the subdomain in the address bar.

4. Obtain the instance ID:

   1. Open a new tab, copy the instance URL, and append /_edge/tenant_info to the instance URL. For example, https://<var>YOUR-INSTANCE</var>.atlassian.net/_edge/tenant_info.

   2. Navigate to the link to find the cloudId value. The cloudId is your instance ID.

      

Set up permissions and roles

To set the user visibility, do the following:

1. Click the user profile icon and go to Manage account.

   

2. Navigate to the Profile and visibility.

   

3. Go to Contact and set the Who can see this as Anyone.

   

To grant Jira administrator with Discovery Engine Editor role in the Google Cloud console, do the following:

1. In the Google Cloud console, go to the Agentspace page.
2. Navigate to IAM.
3. Locate the Jira administrator account.
4. Grant the Discovery Engine Editor role to the administrator.

To grant a user with an administrator role in Atlassian, do the following:

1. Sign in to Atlassian using an administrator account.

2. Click the menu icon and select your organization. Alternatively, you can go to admin.atlassian.com.

3. On the Admin page, click the product and select the Manage users button.

   

4. Click Groups under User management.

5. On the Groups page:

   1. Click Create group.
   2. Enter a name for the group.

   

This group receives permissions required by the connector. Users added to this group inherit these permissions.The connector uses this group to authenticate and fetch documents.

1. On the group page, click Add product.

2. Select User access admin as the product role.

   

3. Select Product admin as the product roles.

4. Click Add.

5. Click Add group members to add a user account or group members that the connector uses to authenticate and access the required resources.

   

Create a Jira Cloud connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create an app.

• To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Jira Data Center On-premises

Use this procedure to create a Jira Data Center data store and search app in Agentspace Enterprise, syncing on-premises Jira data with Agentspace Enterprise.

After you set up your data source and import data the first time, you can choose how often the data store syncs with that source.

Before you begin

Before setting up your connection, make sure that you have the following:

1. Service attachment (Required for private destination type only): Configure a service attachment for secure data transfer.
2. Username and password: Obtain valid credentials for authentication from your Jira administrator.
3. Optional for private destination type: Domain URL: Specify the URL of the Jira Data Center instance.
4. Optional: Base domain name: Provide the base domain name for the Jira instance.
5. Optional: Destination port: Identify the port used for communication with the Jira Data Center.

6. Use the following configuration guidelines to establish connections with Private Service Connect (PSC). Adjust or add resources as needed. Make sure the PSC service attachment is properly configured to connect to the private instance and meets the requirements for a published service.

   1. Configure network settings:

      1. Place the PSC service attachment and load balancer in different subnets within the same Virtual Private Cloud network.

      2. The backend system must remain closed to the public network for security reasons. However, ensure it can accept traffic from the following sources:

         • For proxy-based/HTTP(s) load balancers (L4 proxy ILB, L7 ILB), configure the backend to accept requests from the proxy subnet in the Virtual Private Cloud network.

         • For more information, see the Proxy-only subnets for Envoy-based load balancers documentation.

   2. Adjust firewall rules:

      1. Ingress rules:

         • Allow traffic from the PSC service attachment subnet to the internal load balancer (ILB) subnet.
         • Make sure that the ILB can send traffic to the backend.
         • Permit health check probes to reach the backend.

      2. Egress rules: Enable egress traffic by default, unless specific deny rules apply.

7. Additional considerations: Make sure to keep all the components, including the PSC service attachment and load balancer, in the same region.

Generate a service attachment

Use the following steps to generate a service attachment:

1. Decide endpoint type: Select Public or Private endpoint.

2. For Public endpoint: If the Jira Data Center Destination type is Public, you are not required to create the setup for service attachment. Instead, you can use your public URL in the Domain URL field of the Google Cloud console.

3. For Private endpoint:

   1. Use PSC to enable connections from private instances to Google Cloud.
   2. Create a Virtual Private Cloud network and required subnets.
   3. Create a Virtual Machine (VM) instance and install the backend service.
   4. Optional: Set up a health check probe to monitor backend health.
   5. Add a load balancer to route traffic to the VM or backend.
   6. Define firewall rules to allow traffic between the PSC endpoint and the backend.
   7. Publish the endpoint by creating a PSC service attachment.

Create a Jira Data Center user and set up permissions

To enable Agentspace Enterprise to obtain data from Jira, you need to create a new user with the minimum permissions necessary. Follow these steps to create the user and set up the required permissions.

1. Sign in as an administrator:

   1. Go to your Atlassian domain site and open Jira Data Center instance.
   2. Enter the administrator username and password.
   3. Click Log In.

2. Create a new user:

   When creating a data store, you must create a user to obtain data from the third-party instance.

   1. Click the settings icon.
   2. Select User management.
   3. Enter the administrator credentials, if prompted.
   4. In the Administration page, click Create user.
   5. Enter the email address, full name, username, and password.
   6. Click Create user.

3. Assign user to a group:

   1. In the Administration page, under User management, click Groups.
   2. Create a group by entering a name and clicking Add group.
   3. Select the newly created group.
   4. Click Add/Remove users.
   5. Click the member icon located next to the Add members to selected groups box.
   6. Select the newly created user and click Save the selection.
   7. Click Add selected user to see new users in the group members section.

   You can see the added user is assigned in the Group members section.

4. Configure user permissions:

   1. In the Administration page, navigate to the Issues tab.
   2. Select Permission schemes.
   3. Click Add permission scheme.
   4. Enter a name for the scheme and click Add.
   5. Select the scheme and click the Permission icon.
   6. Click Grant permission.
   7. Add the following permissions, assign these permissions to the group created earlier, and click Grant:
      1. Browse projects.
      2. Browse projects archive.
   8. Add this scheme to projects where users in the group need access to view the project, issues, comments, worklogs, and attachments.

Configure application access

1. In the Administration page, navigate to the Applications tab.
2. Under the Applications tab, select Application access.
3. Search for the created group and select it.
4. Verify that the group appears in the access list.

The user is created with minimum access. This schema is added to the projects. The Jira administrator can add more members to that group or add users to that project.

Create a Jira Data Center on-premises connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Marketo Cloud

Use the following procedure to sync data from Marketo Cloud to Agentspace Enterprise..

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up the connection, make sure that you have the authentication credentials, including a client ID and client secret.

Generate authentication credentials

1. Create a Marketo administrator user:

   1. Sign in to Marketo with the administrator user instance.
   2. From the Home tab, click Admin.
   3. Navigate to Security > Users & roles and click Go to admin console.
   4. In the Adobe console, under Quick links, click Add users.

   5. In the Add users to your team dialog:

      1. Enter your email address.
      2. Select the product subscription as Marketo Engage – googledevsandbox.
      3. Click Save.

   6. Return to Marketo admin > Security > Users & roles and locate the newly created user.

   7. Select the user and click Edit.

   8. Remove the Standard user role and assign the Admin role.

   9. Click Save.

2. Create a Marketo client ID and secret key:

   1. Go to the Marketo auth services instance.
   2. Enter the administrator credentials and then click Continue.
   3. Click Admin.
   4. In the Admin dashboard, go to Security > Users & roles.
   5. Click Create API only user.

   6. In the Create new API only user window, do the following:

      1. Fill in the required fields:

         • Email
         • First name
         • Last name

      2. Select the required roles, and click Create API only user.

   7. Click Admin and then navigate to Integration > LaunchPoint.

   8. Click New > New services.

   9. In the New services window, do the following:

      1. Enter a Display name for identification.
      2. In the Service field, select Custom.
      3. Enter a description.
      4. In the API only user field, select the previously created API user.
      5. Click Create. The API user appears in the Installed services page.

   10. In the Installed services page, navigate to the API user row.

   11. Under the Details column, click View details to retrieve the Client ID and Secret key.

Create a Marketo Cloud connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Microsoft Outlook

Use the following procedure to sync data from Microsoft Outlook to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. A Microsoft Outlook administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • Client ID
   • Client secret
   • Tenant ID

3. Configure the following scopes:

   View scopes

   • Calendars.Read
   • Calendars.ReadBasic.All
   • Contacts.Read
   • Mail.Read
   • Mail.ReadBasic
   • Mail.ReadBasic.All
   • User.Read.All
   • User.ReadBasic.All

Create a Microsoft Outlook connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Microsoft Teams

Use the following procedure to sync data from Microsoft Teams to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. A Microsoft Teams administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • Client ID
   • Client secret
   • Tenant ID

3. Configure the following Microsoft Graph (Application) permissions with the consent of a Microsoft Teams administrator:

   View scopes

   • TeamSettings.Read.All
   • GroupMember.Read.All
   • User.Read.All
   • Directory.Read.All
   • ChannelSettings.Read.All
   • Chat.ReadBasic.All
   • ChannelMessage.Read.All
   • Chat.Read.All
   • Files.Read.All
   • ChannelMember.Read.All

Create a Microsoft Teams connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Monday

Use the following procedure to sync data from Monday to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection, make sure that you have the domain URL, administrator access, and API token.

To generate the account URL and API token, do the following:

1. Sign in to the Monday application with your administrator account.
2. Click the Profile icon.
3. Select Administration.
4. Navigate to the General tab and enter the Account name and Account URL.
5. Return to the Profile icon and select Developers.
6. On the Monday developer center page, click My access tokens.
7. Click Show to display the token.
8. Copy the token for use in authentication.

Create a Monday connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Notion

Use the following procedure to sync data from Notion to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connector:

1. In addition to the third-party connector allowlist, this connector requires that your project is added to an additional allowlist. To be added to this allowlist, contact your Agentspace Enterprise account team.

2. A Notion administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   • API token of the Notion instance
   • Workspace ID

3. Set up access control for your data source. For information about setting up access control, see Use data source access control.

Create a Notion connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Okta

Use the following procedure to sync data from Okta to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connector, make sure that you have the domain URL and administrator access to the Okta instance. Use the following steps to obtain the Okta instance URL, client ID, and API token.

1. To obtain the Okta instance URL, do the following:

   1. Sign in to the Okta login page with your administrator credentials.
   2. Click your profile icon or navigate directly to the Admin console. Your Okta instance URL appears as the subdomain in the address bar.

2. To generate the client ID and API token, do the following:

   1. Sign in to your Okta instance URL with your administrator account.
   2. Navigate to the Admin dashboard.
   3. Click the Applications icon and select Applications.
   4. Click Create app integration.
   5. Select OIDC - OpenID Connect.
   6. Select Web application as the application type, and then click Next.
   7. Enter a name in the App integration name field.
   8. Scroll to see Assignments, select Skip group assignment for now.
   9. Click Save.
   10. In the Client credentials window, click Edit.
   11. Select Public key / Private key.
   12. Under Public key, click Add key.
   13. Click Generate new key, and then click Done and Save.
   14. A dialog appears; click Save.
   15. Under General settings, click Edit.
   16. Select Client credentials, and then click Save.

Create a Okta connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect OneDrive

Use the following procedure to sync data from OneDrive to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. Have the following OneDrive authentication information ready:

   1. Client ID, client secret, and tenant ID. For information about setting up these parameters, see Quickstart: Register an application with the Microsoft identity platform in the Microsoft documentation.

   2. Specify scopes for access. An administrator role is required. For more information, see Quickstart: Configure a client application to access a web API in the Microsoft Entra documentation.

   3. Configure the following scopes:

      View scopes

      • Files.Read.All (Application)
      • Group.Read.All (Application)
      • User.Read.All (Application)

Create a OneDrive connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Salesforce

Use the following procedure to sync data from Salesforce to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. Have the following authentication information ready. For information about setting up client ID and client secret in Salesforce, see Configure a connected app for the OAuth 2.0 client credentials flow in the Salesforce documentation.

   • Instance URL
   • Consumer ID
   • Consumer secret

The following limitations apply:

1. Use either an Enterprise or Developer plan. Trial accounts are not supported.
2. Make sure that you are using Sales Cloud. Service Cloud is not supported.
3. Add Google Cloud to Salesforce CORS allowlist. Go the next step if you have already completed this task.
   1. Follow the instructions in the Salesforce documentation to configure the CORS allowlist.
   2. Enter https://console.cloud.google.com/ as an origin URL and save your configuration.

Create a Salesforce connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create a search app.

• To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect ServiceNow

Use the following procedure to sync data from ServiceNow.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection, ensure you have the following in place:

1. ServiceNow instance: Create a ServiceNow instance by following the instructions on the ServiceNow Developer documentation.

2. Google Cloud project: Set up a Google Cloud project with an administrator account capable of managing organization-level configurations, ensuring the organization can set up a workforce pool.

3. Workforce pool: Make sure your organization is set up to manage a workforce pool.

Set up ServiceNow

ServiceNow offers two primary sites:

1. Main ServiceNow site: The site for your ServiceNow instance.

   • Manages users, groups, and system administration tasks.
   • URL: The URL for your ServiceNow instance.
   • Sign in using your administrator credentials.

2. Developer site:

   • Configures the knowledge base, sets up workflows, and develops custom applications.
   • URL: https://developer.service-now.com.
   • Sign in using your ServiceNow ID.

To create an OAuth endpoint, do the following:

1. Sign into the main ServiceNow instance with an administrator role.

2. Navigate to All > System OAuth > Application registry.

   

3. Click New.

   

4. Click Create an OAuth API endpoint for external clients.

   

5. Fill in the required fields:

   1. Name: Enter a Unique name.
   2. Redirect URL: Enter the redirect URL.

6. Click Submit to create the credential.

   

7. After submission, click the name to view the Client ID.

   

8. The secret is masked. Click the lock icon next to it to unmask and view client secret.

   

9. Save the Client ID and Client secret for later use.

   

To retrieve ServiceNow instance credentials, do the following:

1. Go to developer.service-now.com and click Manage instance password.

   

2. Keep a copy of the instance URL, username, and password to use when required.

At this stage, all five pieces of information needed to set up a ServiceNow data store are available. If there are no concerns with using the administrator role to pull data, proceed to creating a data store.

Set up roles and permissions

Elevate the administrator role to security_admin to manage users and roles.

1. Click your profile icon and then select Elevate role.

   

2. Select security_admin and then click Update. The security_admin role helps to create roles and manage users.

   

1. Use administrator role: You can use an administrator role to pull data. You can either use the default administrator role configured with the instance, or create a new user with an administrator role using the following instructions.

   1. Go to All > User administration > Users.

      

   2. Create a new user with a name.

      

   3. Enable Web service access only. When you select Web service access only, you create a non-interactive user.

      Interactive users vs. non-interactive users: Interactive users can sign in to the ServiceNow UI or service portal using their username and password. They can access an instance through a URL that points to a UI page, form, or list. They can also connect using single sign-on methods such as digest authentication or security assertion markup language (SAML). Additionally, they can use their credentials to authorize SOAP connections if permitted by strict security settings, and they have unrestricted access to other API connections such as WSDL, JSON, XML, or XSD.

      Whereas, non-interactive users can only use their credentials to authorize API connections like JSON, SOAP, and WSDL. They cannot sign in to the ServiceNow UI and can only access the instance through API protocols.

   4. After user creation, select the user from the users list.

      

   5. Click Roles > Edit.

      

   6. Add Admin.

   7. Click Save to add a list of roles to the user.

      

   8. Click Set password, auto-generate, and save it.

      

2. Custom role (Recommended): Using the administrator role may not suit teams or organizations that want to avoid assigning overly powerful permissions. This option provides a role with three specific permissions that grant the required access.

   1. Go to All > System security > Users and groups > Roles.

      

   2. Select New, enter a name.

      

   3. Click Submit.

      

   4. Find the created role in the list.

      

   5. Navigate to Contains roles > Edit.

      

   6. Add the following roles to the newly created role, and then click Save.

      • catalog_admin
      • knowledge_admin
      • incident_manager

      

   7. Confirm updates.

      

   8. The following figure shows the custom role that include three roles:

      

3. Custom role with ACL rules: This option requires category_admin and knowledge_admin roles. It provides the minimal set of permissions.

   1. Go to All > User administration > Roles.

      

   2. Click New.

      

   3. Provide a name and Submit.

      

   4. Go to System security > Access control (ACL).

      

   5. Click New to create a new ACL rule.

      

   6. Repeat the following two steps until you grant access to all required tables.

      1. Use sys_user_role as an example to see how table access is granted.

         

      2. Click Submit and select the role.

      The connector needs access to these tables for each entity to run successfully.

Table name	Description
incident	Show incidents in search results.
sc_cat_item	Show catalog items in search results.
sc_cat_item_user_criteria_mtom	Enforce ACL by accessing catalog item user criteria.
sc_cat_item_user_criteria_no_mtom	Enforce ACL by accessing catalog item user criteria.
sc_cat_item_user_mtom	Enforce ACL by accessing catalog item user criteria.
sc_cat_item_user_no_mtom	Enforce ACL by accessing catalog item user criteria.
kb_knowledge	Show knowledge items in search results.
kb_knowledge_base	Show knowledge base in search results.
kb_uc_can_contribute_mtom	Enforce ACL by accessing who can contribute to knowledge base.
kb_uc_can_read_mtom	Enforce ACL by accessing knowledge user criteria.
sys_user_role	Enforce ACL by accessing user roles.
sys_user_has_role	Enforce ACL by accessing role information of users.
sys_user_group	Enforce ACL by accessing user group segments.
sys_user_grmember	Enforce ACL by accessing group membership of users.
sys_user	Enforce ACL by accessing user table.
core_company	Enforce ACL by accessing company attributes.
cmn_location	Enforce ACL by accessing location attribute.
cmn_department	Enforce ACL by accessing department attributes.
user_criteria	Enforce ACL by accessing user criteria.

To run successfully, the catalog item entity connector also requires explicit access to all fields of the sc_cat_item table.

To grant and verify the ACL access, do the following:

1. Grant explicit access by creating a new ACL rule and manually entering sc_cat_item.* in the Name field of the form.

   

2. Verify that all the ACLs are updated.

3. Go to sys_security_acl_role_list.do in the search bar.

   

4. Select Role with the role that you want to verify.

   

5. Verify that all the required ACLs are assigned to the role.

Grant role to a user

1. Go to All > User administration > Users.

   

2. Find or create a new user.

   

3. If no user is available, go to System security > Users and groups > Users.

   

4. Click New.

   

5. Create a new service account in the user table. Make sure to click Web service access only.

   

6. Scroll to Roles.

   

7. Click Edit.

   

8. Grant the role you created and assign it to the user. Based on the type of role you created in the previous step, select the appropriate one and assign it to the user. Click Save.

   

   OR

   

9. View the custom role with ACL.

   

10. Obtain the username and password for the user and click Set password.

    

11. Auto-generate a password and keep it for later use.

    

Create a ServiceNow connector

Configure the workforce pool

The workforce pool lets you to manage and authenticate users from external identity providers, such as Azure or Okta, within Google Cloud console. To configure your workforce pool and enable the web app for seamless user access, do the following:

1. Create workforce pool at the organization level in Google Cloud by following the appropriate setup manual:

   1. Azure OIDC setup
   2. Azure SAML setup
   3. Okta & OIDC setup
   4. Okta & SAML setup

2. Configure the workforce pool in Agentspace > Settings for the region where you create your app.

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create an app.

• To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect SharePoint Data Center On-premises

This section describes the process to create a SharePoint Data Center on-premises connector.

Sync data from SharePoint Data Center on-premises

Use the following procedure to sync data from SharePoint Data Center on-premises.

After setting up your data source and importing data for the first time, the data store synchronizes data from the source at the frequency specified during configuration.

Before you begin

Before setting up your connection, do the following:

1. Service attachment (required for private destination type only): Use the following steps to generate a service attachment for secure data transfer.

   1. Decide endpoint type: Select Public or Private endpoint.

   2. For Public endpoint: If the SharePoint Data Center Destination type is Public, you are not required to create the setup for service attachment. Instead, you can use your public URL in the Domain URL field of the Google Cloud console when creating your connector.

   3. For Private endpoint:

      1. Use private service connect (PSC) to enable connections from private instances to Google Cloud
      2. Create a Virtual Private Cloud network and required subnets.
      3. Create a virtual machine (VM) instance and install the backend service.
      4. Optional: Set up a health check probe to monitor backend health.
      5. Add a load balancer to route traffic to the VM or backend.
      6. Define firewall rules to allow traffic between the PSC endpoint and the backend
      7. Publish the endpoint by creating a PSC service attachment.

2. Username and password: Obtain valid credentials for authentication from your SharePoint administrator.

3. Optional for the private destination type: Domain URL: Keep the domain URL of the SharePoint Data Center instance if the instance is behind a proxy or SSL-based connection.

4. Optional: Base domain name: Provide the base domain name for the SharePoint instance.

5. Optional: Destination port: Identify the port used for communication with the SharePoint Data Center.

6. Use the following configuration guidelines to establish connections with Private Service Connect (PSC). Adjust or add resources as needed. Make sure the PSC service attachment is properly configured to connect to the private instance and meets the requirements for a published service.

   1. Configure network settings:

      1. Place the PSC service attachment and load balancer in different subnets within the same Virtual Private Cloud network.

      2. The backend system must remain closed to the public network for security reasons. However, ensure it can accept traffic from the following sources:

         • For proxy-based/HTTP(s) load balancers (L4 proxy ILB, L7 ILB), configure the backend to accept requests from the proxy subnet in the Virtual Private Cloud network.

         • For more information, see the Proxy-only subnets for Envoy-based load balancers documentation.

   2. Adjust firewall rules:

      1. Ingress rules:

         • Allow traffic from the PSC service attachment subnet to the internal load balancer (ILB) subnet.
         • Make sure that the ILB can send traffic to the backend.
         • Permit health check probes to reach the backend.

      2. Egress rules: Enable egress traffic by default, unless specific deny rules apply.

7. Additional considerations: Make sure to keep all the components, including the PSC service attachment and load balancer, in the same region.

Create a SharePoint minimum access permission user and set up permissions

To create a SharePoint minimum access permission user, obtain a username and password from an administrator. The administrator must sign in and follow these steps to create a new user in the SharePoint Data Center instance:

1. Click the Start menu and navigate to Windows administrative tools > Active directory users and computers.
2. Launch the Active directory users and computers application.
3. Expand the organization unit and navigate to the Users container where the new user is added.
4. Right-click on Users and select New > User.
5. In the New object:User window, enter the following details:
   • First name (do not use a comma or dot)
   • Full name
   • User logon name
6. Click Next.
7. Enter and confirm the password, then select:
   • User cannot change password
   • Password never expires
8. Click Next, then Finish.
9. Locate the created user in the Users section, double-click on it, and select Properties.
10. In the Properties window, add an email for the user and click Apply.

Assign minimum access permissions to the SharePoint user

1. Navigate to the Site collection.
2. Click Settings (gear icon menu).
3. Go to Site Permissions.
4. Select Advanced permissions settings.
5. Locate and select the SiteName visitors group (this group is automatically created when the site is set up and has default read access).
6. Add the user to the SiteName visitors group to grant them read-only access.

Note: This access inherits all permissions for lists, libraries, pages, and events that have read permissions.

Configure the site collection in SharePoint

1. Sign in to the SharePoint admin console using the administrator username and password.
2. In the Central administration page, navigate to Application management.
3. Click Create site collections.
4. In the Create site collection page:
   • Enter the required details in the Title and Description fields.
   • In the Web site address section, enter the URL name for the site.
5. In the Primary site collection administrator section:
   • Click the Browse button next to the User name field.
   • In the Select people dialog, enter the administrator username and click the search icon.
   • Select the user and click Ok.
6. The Site successfully created page appears, displaying the site URL.
7. Copy the URL and open it in a new tab to access the site.

Sign in with the created user

1. Use the created user's credentials to sign in to the SharePoint site.
2. Verify access and permissions for the user.

Create a SharePoint Data Center On-premises connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create an app.

• To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect SharePoint Online

Use the following procedure to sync data from SharePoint Online.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. Grant administrator consent. For information about how to grant consent, see Grant tenant-wide administrator consent to an application in the Microsoft Entra documentation.

3. Prepare the following Sharepoint Online authentication information to use during setup:

   1. Instance URL. In the form http://DOMAIN_OR_SERVER/[sites/]WEBSITE —for example, mydomain.sharepoint.com/sites/sample-site.

   2. Federated authentication requires the tenant ID and client ID, while OAuth requires the tenant ID, client ID, and client secret. To register the application, select Accounts in this organizational directory only for the sign-in audience, and then locate this authentication information. For more information, see Quickstart: Register an application with the Microsoft identity platform in the Microsoft Entra documentation.

   3. When registering the application, use https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html as the web callback URL.

4. The following table describes the roles that are recommended for configuration and their limitations.

   View roles

   Roles	Client application registration	Fetch content of all entities	Fetch ACL	Fetch identity	Notes
   Site Admins	No	Yes	Yes	Yes
   Site Collection administrator	No	Yes	Yes	Yes
   Global administrator	Yes	No	Yes	No	Limitation: The global administrator cannot fetch identity or comment and attachment entities.
   Site owner	No	Yes	Yes	No	Limitation: The Site owner relates to Microsoft 365 administrator center / Entra administrator center, not specific to SharePoint.
   Application administrator	Yes	N/A	N/A	N/A	The application administrator role is related to Microsoft 365 administrator center / Entra administrator center. It is not specific to Sharepoint.

   Use this method for granular control over SharePoint REST API permissions, allowing you to restrict resource access on the user account. Make sure to create a new SharePoint user, which might add licensing costs. Use the OAuth 2.0 refresh token method to set up an Entra application registration and enable secure access to SharePoint.

Permissions required for this task

These permissions are needed to set up the Sharepoint connector in Step 1.d. in the following task.

Add and grant admin consent for the following Microsoft Graph permissions:

Permission	Description
GroupMember.Read.All	Read all group memberships
Sites.FullControl.All	Full control over all sites
Sites.Read.All	Read all sites
User.Read.All	Read all users' full profiles

Add and grant admin consent for the following Sharepoint permissions:

Permission	Description
AllSites.FullControl	Have full control of all site collections
AllSites.Read	Read items in all site collections

Configure Entra application registration

Set up an Entra application registration to enable secure access to SharePoint. Choose between Federated credentials for token-based access or OAuth 2.0 refresh token for granular control. Use the following steps to configure the app registration, grant permissions, and establish authentication.

1. Federated credentials: Set up federated credentials to securely allow Google to access SharePoint using cryptographically signed tokens, avoiding the need for a real user principal. To configure permissions and grant access, do the following:

   1. Obtain service account client ID:

      1. In the Google Cloud console, go to the Agentspace Enterprise page.
      2. In the navigation menu, click Data stores.
      3. Click add Create data store.
      4. On the Select a data source page, scroll or search for SharePoint Online to connect your third-party source.
      5. Note the Subject identifier. Don't click Continue yet. Perform the next steps in this task and then complete the steps in the Google Cloud console by following the instructions in Create a SharePoint Online connector.

         

   2. Register app in Microsoft Entra:

      1. Navigate to Microsoft Entra admin center.
      2. In the menu, expand the Applications section and select App registrations.
      3. On the App registrations page, select New registration.

         

      4. Create an app registration on the Register an application page:

         • In the Supported account types section, select Accounts in the organizational directory only.
         • In the Redirect URI section, select Web and enter the redirect URI.
         • Keep other settings default and click Register.

           

      5. Note the Client ID and Tenant ID.

         

   3. Add federated credentials:

      1. Go to Certificates & secrets > Federated credentials > Add credential.

         

      2. Use the following settings:

         • Federated credential scenario: Other issuer
         • Issuer: https://accounts.google.com
         • Subject identifier: Use the value of Subject identifier that you noted in Google Cloud console in Step 1.a.v.
         • Name: Provide a unique name.

      3. Click Add to grant access.

         

   4. Set API permissions:

      

      1. Add and grant admin consent for the following Microsoft Graph permissions with the type set to Application:

         • GroupMember.Read.All: Read all group memberships.
         • Sites.FullControl.All: Full control over all sites.
         • Sites.Read.All: Read all sites. Use Sites.Selected to assign specific site permissions instead of Sites.FullControl.All. Sites.Selected can't be directly configured through the UI. After selecting Sites.Selected, you must call the Microsoft Graph API to explicitly grant the fullcontrol role to the application for the sites you want to crawl.
         • User.Read.All: Read all users' full profiles.

           

      2. Add and grant admin consent for the following SharePoint permissions with the type set to Delegated:

         • AllSites.FullControl: Have full control of all site collections
         • AllSites.Read: Read items in all site collections

           

2. OAuth 2.0 refresh token: Configure OAuth 2.0 authentication using a client secret and a refresh token from the SharePoint user to enable granular control over SharePoint API access. To set up app registration, add a client secret, and assign API permissions, do the following:

   1. Create app registration:

      1. Navigate to Entra administrator center.

      2. Create an app registration:

         • Supported account types: Accounts in the organizational directory only.
         • Redirect URI: https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html.

      3. Note the Client ID and Tenant ID.

         

   2. Add client secret:

      1. Go to Certificates & secrets > New client secret.

         

      2. Note the secret string.

         

   3. Set API permissions:

      1. Add and grant administrator consent for the following permissions:

         • GroupMember.Read.All: Read all group memberships.
         • Sites.FullControl.All: Full control of all site collections.
         • User.Read.All: Read all users' full profiles.
         • AllSites.FullControl: Full control over all sites.

      2. Use a dedicated user account with limited access to specific sites.

      3. Make sure the account has Owner access to the selected sites.

Create a SharePoint Online connector

Test the search engine

After configuring your search engine, test its capabilities. This ensures it returns accurate results based on user access.

1. Enable web app:

   1. Go to the app integration configurations and toggle to Enable the web app.

2. Test web app:

   1. Click Open next to the web app link and sign in with a user in your workforce pool.

   2. Verify that search results are restricted to items accessible by the logged-in user.

Configure the workforce pool

The workforce pool lets you to manage and authenticate users from external identity providers, such as Azure or Okta, within Google Cloud console. To configure your workforce pool and enable the web app for seamless user access, do the following:

1. Create workforce pool at the organization level in Google Cloud by following the appropriate setup manual:

   1. Azure OIDC setup
   2. Azure SAML setup
   3. Okta & OIDC setup
   4. Okta & SAML setup

2. Configure the workforce pool in Agentspace Enterprise > Settings for the region where you create your app.

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create an app.

• To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Slack

Use the following procedure to sync data from Slack.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

2. To follow the steps in Configure your Slack app, you must have the permissions to install new apps in your workspace, that's included in the Workspace Owner role. Contact your Workspace Primary Owner to be assigned as a Workspace Owner.

3. Understand that by default, Slack restricts crawling and syncing content from private channels, group messages, and direct messages.

Permissions required for this task

These permissions are needed to generate a bot token

• users:read.email
• channels:history
• channels:read
• groups:history
• groups:read
• im:history
• im:read
• mpim:history
• mpim:read
• team:read
• users:read
• files:read

These permissions are needed to generate a user token

• users:read.email
• channels:history
• channels:read
• groups:history
• groups:read
• im:history
• im:read
• mpim:history
• mpim:read
• users:read
• files:read

Configure the Slack app

The Slack connector requires an access token to be able to ingest documents from your Slack workspace. To obtain an access token to allow Agentspace Enterprise to ingest documents from your Slack workspace.

For more information, see Quickstart and How to quickly get and use a Slack API token in the Slack documentation.

There are two different types of tokens you can use:

• Bot token
  • Benefits:
    • It's not tied to a specific user.
    • It can have a more secure access to private Slack channels, instant messages (IM), and multi-person instant messages (MPIM). The members involved in those channels and messages can invite the bot.
    • The bot can also be invited to public channels. When configuring the bot token, you can add the channels:join permission for the crawler to automatically attempt to join all public channels.
  • Limitations:
    • When the bot attempts to join public channels, a join message is sent to the channel.
• User token
  • Benefits:
    • It can access all public channels without the need to join them beforehand.
  • Limitations:
    • It's tied to a specific user.
    • With user token, users can't crawl private channels, IMs, and MPIMs that they're not a part of.

Configure bot token

The following steps show you how to configure a bot token:

1. Sign in to Slack API Apps.
2. Click Create new app.

   

3. Select From scratch. This option lets you configure the app's information, scopes, settings, and features.

   

4. Enter a name for your app. The name you select is visible to all Slack users.
5. Select the workspace for integration. Because you can't change an app's workspace later, ensure that you select the correct workspace.

   

6. Click Create app.
7. In the sidebar, select OAuth & permissions.

   

8. Under Bot token scopes, add the following required scopes:

   class="showalways">View scopes

   • channels:history
   • channels:read
   • files:read
   • groups:history
   • groups:read
   • im:history
   • im:read
   • mpim:history
   • mpim:read
   • team:read
   • users:read
   • users:read.email
   By default, the bot reads from the #general and #random channels.

   

9. To enable the bot to crawl the channels, do the following:
   1. For public channels, do one of the following:
      • Invite the bot manually.
      • Grant the channels:join scope to allow the bot to attempt join automatically.
   2. For private channels, invite the bot manually.
10. On the same page, click Install to WORKSPACE_NAME.

    

11. Follow the on-screen instructions to install the app and after the app is installed, copy and note the bot's OAuth token.

    

Configure a user token

The following steps show you how to configure a bot token:

1. Sign in to Slack API Apps.
2. Click Create new app.

   

3. Select From scratch. This option lets you configure the app's information, scopes, settings, and features.

   

4. Enter a name for your app. The name you select is visible to all Slack users.
5. Select the workspace for integration. Because you can't change an app's workspace later, ensure that you select the correct workspace.

   

6. Click Create app.
7. In the sidebar, select OAuth & permissions.

   

8. Under User token scopes, add the following required scopes:

   class="showalways">View scopes

   • channels:history
   • channels:read
   • files:read
   • groups:history
   • groups:read
   • im:history
   • im:read
   • mpim:history
   • mpim:read
   • team:read
   • users:read
   • users:read.email

   

9. On the same page, click Install to WORKSPACE_NAME.

   

10. Follow the on-screen instructions to install the app and after the app is installed, copy and note your user OAuth token.

    

Create a Slack Cloud connector

Next steps

• To attach your data store to an app, create an app and select your data store following the steps in Create an app.

• To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect WordPress

Use the following procedure to sync data from WordPress to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up the connection, ensure you have the following:

• Username and password: Obtain the credentials from the WordPress administrator.
• Site URL: Use this URL for data store creation.

Create a WordPress user

To create a WordPress user, obtain a username and password from an administrator. The administrator must sign in and follow these steps to create a new user in the WordPress instance.

1. Sign in as an administrator:

   1. Navigate to your hosting platform and sign in with your administrator credentials to access your WordPress website.
   2. Click the Website icon.
   3. Click WordPress admin for your site.

2. Create a new user:

   1. On the WordPress admin page, navigate to the Users tab.
   2. Click Add new.
   3. Fill in all the required details, including:
      • Username
      • Email address
      • Optional: First and last name
      • Role
      • Password (if prompted)
   4. Click Add new user to save the changes.

Create a WordPress connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.

Connect Zendesk

Use the following procedure to sync data from Zendesk to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection:

1. In addition to the third-party connector allowlist, this connector requires that your project is added to an additional allowlist. To be added to this allowlist, contact your Agentspace Enterprise account team.

2. Set up access control for your data source. For information about setting up access control, see Use data source access control.

3. A Zendesk administrator must generate or obtain the following for integrating with Agentspace Enterprise:

   1. Access token. API Token of your Zendesk instance.
   2. Instance URI.

Create a Zendesk connector

Next steps

• To attach your connector to an app, create an app and select your connector following the steps in Create a search app.

• To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.