Google Workspace · Arazzo Workflow

Google Workspace Audit a User's Group Memberships

Version 1.0.0

Confirm a user exists, then list every group the user belongs to.

1 workflow 1 source API 1 provider
View Spec View on GitHub CalendarCollaborationEmailProductivityStorageVideo ConferencingArazzoWorkflows

Provider

google-workspace

Workflows

audit-user-groups
List all groups a confirmed user belongs to.
Reads the user to confirm it exists, then lists the groups the user is a direct member of using the userKey filter on the groups list.
2 steps inputs: accessToken, userKey outputs: groups, primaryEmail, userId
1
lookupUser
getUser
Read the user to confirm the account exists and capture its id and primary email for the group lookup.
2
listUserGroups
listGroups
List all groups the confirmed user belongs to by filtering the groups list on the user's primary email.

Source API Descriptions

openapi
directoryApi https://raw.githubusercontent.com/api-evangelist/google-workspace/refs/heads/main/openapi/admin-sdk-directory-api.yml

Arazzo Workflow Specification

google-workspace-audit-user-groups-workflow.yml Raw ↑ 
arazzo: 1.0.1
info:
  title: Google Workspace Audit a User's Group Memberships
  summary: Confirm a user exists, then list every group the user belongs to.
  description: >-
    Produces a membership report for a single user. The workflow reads the user
    to confirm the account exists and capture its primary email, then lists all
    groups the user is a member of by passing the userKey filter to the groups
    list. This adapts a membership-lookup theme to the operations the directory
    spec actually supports, since the API exposes no standalone members
    resource. Every step spells out its request inline so the flow can be read
    and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: directoryApi
  url: ../openapi/admin-sdk-directory-api.yml
  type: openapi
workflows:
- workflowId: audit-user-groups
  summary: List all groups a confirmed user belongs to.
  description: >-
    Reads the user to confirm it exists, then lists the groups the user is a
    direct member of using the userKey filter on the groups list.
  inputs:
    type: object
    required:
    - accessToken
    - userKey
    properties:
      accessToken:
        type: string
        description: OAuth 2.0 bearer access token with the user.readonly and group.readonly scopes.
      userKey:
        type: string
        description: Primary email, alias, or unique id of the user to audit.
  steps:
  - stepId: lookupUser
    description: >-
      Read the user to confirm the account exists and capture its id and
      primary email for the group lookup.
    operationId: getUser
    parameters:
    - name: userKey
      in: path
      value: $inputs.userKey
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/id
      primaryEmail: $response.body#/primaryEmail
  - stepId: listUserGroups
    description: >-
      List all groups the confirmed user belongs to by filtering the groups
      list on the user's primary email.
    operationId: listGroups
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: userKey
      in: query
      value: $steps.lookupUser.outputs.primaryEmail
    - name: maxResults
      in: query
      value: 200
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      groups: $response.body#/groups
  outputs:
    userId: $steps.lookupUser.outputs.userId
    primaryEmail: $steps.lookupUser.outputs.primaryEmail
    groups: $steps.listUserGroups.outputs.groups