
# Sync GCP Project Users from GCP Groups

### **Overview**

This article explains how to sync GCP project users from GCP groups into Sprinto. The process uses GCP’s `analyzeIamPolicy` query with options that expand groups and output group edges. This ensures that all inherited project users are detected and kept up to date in Sprinto.

### **Prerequisites**

Before you begin, ensure that:

* You have access to a GCP account with the required permissions.
* The **`gcp-sync-org-inherited-project-users`** feature flag is enabled in Sprinto.
* The **Group Reader** role is assigned to the GCP service account used for the integration.

### **Procedure**

#### **1. Make the `analyzeIamPolicy` query**

Run the `analyzeIamPolicy` query with the following options set:

* `analysisQuery.options.expandGroups: true`
* `analysisQuery.options.outputGroupEdges: true`

These options ensure that group memberships are expanded and group edge relationships are included in the query results.

#### **2. Use the `identityList.identities` list**

Instead of relying on `iamBinding.members`, use the `identityList.identities` list to obtain the full set of users. This ensures that inherited users from groups are also included in the sync.

#### **3. Refactor user parsing logic**

Update your user parsing logic to accommodate the new query output format.
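
The parsing change from steps 2 and 3, shown as an added example (not Sprinto's code): it reads `identityList.identities` instead of `iamBinding.members` and uses `groupEdges` to record which group each user was inherited from. The response shape is assumed to follow the Cloud Asset API REST JSON; `parse_project_users` and the sample data are constructed for illustration.

```python
from collections import defaultdict

SAMPLE_RESPONSE = {  # constructed sample, not real API output
    "mainAnalysis": {"analysisResults": [
        {
            "iamBinding": {"role": "roles/viewer",
                           "members": ["group:eng@example.com"]},
            "identityList": {
                "identities": [{"name": "group:eng@example.com"},
                               {"name": "user:alice@example.com"},
                               {"name": "user:bob@example.com"}],
                "groupEdges": [
                    {"sourceNode": "group:eng@example.com",
                     "targetNode": "user:alice@example.com"},
                    {"sourceNode": "group:eng@example.com",
                     "targetNode": "user:bob@example.com"}],
            },
            "fullyExplored": True,
        },
        {
            "iamBinding": {"role": "roles/editor",
                           "members": ["user:carol@example.com",
                                       "group:ops@example.com"]},
            "identityList": {"identities": [{"name": "user:carol@example.com"},
                                            {"name": "group:ops@example.com"}]},
            "fullyExplored": False,  # group membership was not expanded
        },
    ]}
}

def parse_project_users(response):
    """Return ({identity: {(role, via_group or None)}}, [roles of incomplete results])."""
    users, incomplete = defaultdict(set), []
    for result in response.get("mainAnalysis", {}).get("analysisResults", []):
        role = result.get("iamBinding", {}).get("role")
        identity_list = result.get("identityList", {})
        parents = defaultdict(set)  # member -> groups it was expanded from
        for edge in identity_list.get("groupEdges", []):
            parents[edge["targetNode"]].add(edge["sourceNode"])
        for identity in identity_list.get("identities", []):
            name = identity["name"]
            if name.startswith("group:"):
                continue  # groups are containers, not project users
            for via in parents.get(name) or {None}:  # None = direct binding
                users[name].add((role, via))
        if not result.get("fullyExplored", False):
            incomplete.append(role)  # inherited users may be missing here
    return dict(users), incomplete
```

A result with `fullyExplored` set to false means the group could not be fully expanded, so treat the user list for that binding as incomplete and check the service account's group read permission.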

#### **4. Test the configuration**

Follow these steps to test the setup:

1. **Enable the feature flag**
   * Set `gcp-sync-org-inherited-project-users` to active in your Sprinto configuration.
2. **Grant group read permission to the GCP service account**
   * Go to [Google Admin Console](https://admin.google.com/) → **Account** → **Admin roles** → **Group reader**.
   * Under **Admins**, select **Assign service accounts**.
   * Enter the `client_email` of your GCP service account.
   * Select **Add**, then **Assign role**.
3. **Refresh Sprinto CAS users**
   * In Sprinto, refresh the CAS users list to apply the changes.
4. **Verify**
   * Confirm that project users from GCP groups are now visible in Sprinto.


