# Sync GCP Project Users from GCP Groups ### **Overview** This article explains how to sync GCP project users from GCP groups into Sprinto. The process uses GCP’s `analyseIamPolicy` query with specific filters to expand groups and output group edges. This ensures that all inherited project users are detected and kept up to date in Sprinto. ### **Prerequisites** Before you begin, ensure that: * You have access to a GCP account with the required permissions. * The **`gcp-sync-org-inherited-project-users`** feature flag is enabled in Sprinto. * You have the **Group Reader** role assigned to the GCP service account used for integration. ### **Procedure** #### **1. Make the `analyseIamPolicy` query** Run the `analyseIamPolicy` query using the following filters: * `analysisQuery.options.expandGroups: true` * `analysisQuery.options.outputGroupEdges: true` These options ensure that group memberships are expanded and group edge relationships are included in the query results. #### **2. Use the `identityList.identities` list** Instead of relying on `iamBinding.members`, use the `identityList.identities` list to obtain the full set of users. This ensures that inherited users from groups are also included in the sync. #### **3. Refactor user parsing logic** Update your user parsing logic to accommodate the new query output format. #### **4. Test the configuration** Follow these steps to test the setup: 1. **Enable the feature flag** * Set `gcp-sync-org-inherited-project-users` to active in your Sprinto configuration. 2. **Grant group read permission to the GCP service account** * Go to [Google Admin Console](https://admin.google.com/) → **Account** → **Admin roles** → **Group reader**. * Under **Admins**, select **Assign service accounts**. * Enter the `client_email` of your GCP service account. * Select **Add**, then **Assign role**. 3. **Refresh Sprinto CAS users** * In Sprinto, refresh the CAS users list to apply the changes. 4. **Verify** * Confirm that project users from GCP groups are now visible in Sprinto.