Workspace Admin SDK skill (stub). Use when: (1) provisioning users and groups via Directory API,
Status: stub. Production depth pending.
Admin SDK writes (create users, update groups, delete) require domain-wide delegation (DWD) with the service account impersonating a Workspace super-admin, not any regular user. Grant the service account DWD with scopes like admin.directory.user and set subject: '[email protected]' in the JWT.
import { google } from 'googleapis';
// `auth` is the service-account JWT client described above (DWD, subject set to a super-admin).
const admin = google.admin({ version: 'directory_v1', auth });
// Provision a new user
await admin.users.insert({
  requestBody: {
    primaryEmail: '[email protected]',
    name: { givenName: 'New', familyName: 'Hire' },
    password: 'TempPass!2026', // sample value; generate a random one per user
    changePasswordAtNextLogin: true,
    orgUnitPath: '/Staff',
  },
});
// Suspend a user (offboarding step 1: retains data, blocks login)
await admin.users.update({
  userKey: '[email protected]',
  requestBody: { suspended: true },
});
// List group members
const { data } = await admin.members.list({ groupKey: '[email protected]' });
const reports = google.admin({ version: 'reports_v1', auth });
// Who logged in from where in the last 24h
const { data: loginEvents } = await reports.activities.list({
  userKey: 'all',
  applicationName: 'login',
  startTime: new Date(Date.now() - 86400000).toISOString(),
});
// Admin console actions
await reports.activities.list({
  userKey: 'all',
  applicationName: 'admin',
});
Activities available: login, admin, drive, gmail (requires Enterprise plan), calendar, groups, mobile, meet, context_aware_access.
Trigger (HR webhook, calendar event)
─ admin.users.update { suspended: true }
─ Transfer Drive ownership to manager (Data Transfer API)
─ Remove from all groups (admin.members.delete)
─ Revoke OAuth tokens (admin.tokens.delete)
─ After N-day retention → admin.users.delete
admin.users.delete is immediate and permanent. Always suspend first.
tokens.delete per user.
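The offboarding flow above, minus the Drive transfer and the delayed delete, as an added example (not code from this skill or from googleapis). It assumes `admin` is the directory_v1 client shown earlier; `offboardUser` and the shape of its result object are hypothetical.

```javascript
// Added example; offboardUser is a hypothetical helper, not part of googleapis.
// `admin` is a directory_v1 client: google.admin({ version: 'directory_v1', auth }).
async function offboardUser(admin, userKey) {
  const result = { suspended: false, groupsRemoved: [], tokensRevoked: [], errors: [] };

  // 1. Suspend first. If this throws, stop: nothing else has been touched yet.
  await admin.users.update({ userKey, requestBody: { suspended: true } });
  result.suspended = true;

  // 2. Collect the user's groups (groups.list is paginated), then remove each membership.
  const groups = [];
  let pageToken;
  do {
    const { data } = await admin.groups.list({ userKey, pageToken });
    groups.push(...(data.groups || []));
    pageToken = data.nextPageToken;
  } while (pageToken);
  for (const group of groups) {
    try {
      await admin.members.delete({ groupKey: group.id, memberKey: userKey });
      result.groupsRemoved.push(group.email);
    } catch (err) {
      // Keep going: one failed removal must not leave OAuth grants in place.
      result.errors.push({ step: 'members.delete', target: group.email, message: err.message });
    }
  }

  // 3. Revoke OAuth grants. tokens.delete takes a single clientId, so list and loop.
  const { data: tokenData } = await admin.tokens.list({ userKey });
  for (const token of tokenData.items || []) {
    try {
      await admin.tokens.delete({ userKey, clientId: token.clientId });
      result.tokensRevoked.push(token.clientId);
    } catch (err) {
      result.errors.push({ step: 'tokens.delete', target: token.clientId, message: err.message });
    }
  }

  // Drive transfer and the delayed admin.users.delete are left to the caller.
  return result;
}
```

Treat a non-empty `errors` array as an incomplete offboarding and retry or escalate before the retention timer starts.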