Skip to content
Veraproof Veraproof Docs

Google Play Console Integration

Google Play Console Integration

Scimify enables SCIM provisioning for Google Play Console users, allowing you to invite team members and manage account-level permissions through your identity provider.

Overview

This integration (de)provisions users on your Google Play Console developer account. Scimify accepts standard SCIM requests from your IdP and keeps Play Console user access in sync with your identity assignments.

Key behaviors:

  • User-only — no group provisioning
  • Invite-based provisioning — new users receive a Play Console invitation (they must accept before access is active)
  • Permission management — optional googlePlayConsole_role SCIM attribute controls account-level permissions on invite and update
  • Deprovisioning — removing access removes the user from the Play Console developer account

Prerequisites

Before you start, make sure you have:

  • Play Console admin access — permission to invite users and manage permissions under Users and permissions
  • A Google Cloud project with the Google Play Developer API enabled
  • A service account created in that project, with its JSON key downloaded and stored securely
  • The service account invited in Play Console with Admin (all permissions) so Scimify can manage users
  • Your Play Console Developer ID (the numeric ID in your Play Console URL)
  • Your IdP configured for SCIM provisioning (see Okta SCIM Configuration)

For Google-side setup details, see Getting started with the Google Play Developer API.

Configuration Steps

1. Prepare Google Cloud and Play Console access

  1. In Google Cloud Console, create or select a project and enable Google Play Developer API
  2. Create a service account and download its JSON key
  3. In Google Play Console, open Users and permissions
  4. Click Invite new users and enter the service account email (from the JSON file)
  5. Grant Admin (all permissions) so Scimify can invite, update, and remove users
  6. Copy your Developer ID from the Play Console URL — for example, in
    https://play.google.com/console/developers/1234567890123456789/...
    the Developer ID is 1234567890123456789

Tip: Use a dedicated service account for Scimify rather than a personal user account, so provisioning is not tied to an individual employee.

2. Configure the integration in Scimify

  1. Navigate to the Integrations page in your Scimify admin console
  2. Create a new Google Play Console integration instance
  3. Set an instance display name (for example, Production Play Console)
  4. Enter your Developer ID
  5. Paste the full service account JSON key contents
  6. Save the configuration and use Test connection to verify access
  7. Enable the integration and copy the Scimify SCIM endpoint and API key for your IdP

3. Configure permission management (optional)

To assign Play Console permissions via SCIM, add the googlePlayConsole_role custom attribute to your IdP user profile and map it into the SCIM user payload.

If googlePlayConsole_role is omitted on create, Scimify assigns CAN_VIEW_NON_FINANCIAL_DATA_GLOBAL by default (view app information and download bulk reports, read-only).

You can send one permission or several (multi-valued attribute or comma-separated list). Use the exact permission names from Google’s DeveloperLevelPermission documentation.

4. Configure IdP SCIM

Follow the Okta SCIM Configuration guide to connect your IdP to your Scimify Google Play Console instance, then assign users to the SCIM app.

Expected behavior

When a user is assigned in your IdP

  1. Scimify checks whether the email already has access in Play Console
  2. If not, Scimify sends a new user invitation with the permissions from googlePlayConsole_role (or CAN_VIEW_NON_FINANCIAL_DATA_GLOBAL by default)
  3. The user must accept the invitation in Play Console before they have active access

When user permissions change in your IdP

  • Scimify updates the user’s account-level permissions in Play Console when googlePlayConsole_role is included in the SCIM update
  • If you send a new permission list, Scimify replaces the previous account-level permissions for that user
  • Permission changes in Play Console can take up to 48 hours to fully apply

When a user is unassigned or deactivated in your IdP

  • Scimify removes the user’s access to the Play Console developer account
  • Pending invitations are also removed

Custom SCIM Attribute Configuration

To manage Google Play Console permissions from your IdP, configure the following custom attribute.

Attribute: googlePlayConsole_role

SettingValue
TypeString (multi-valued recommended for multiple permissions)
External namespaceurn:ietf:params:scim:schemas:extension:custom:2.0:User
Attribute namegooglePlayConsole_role
DescriptionGoogle Play Console account-level permission(s) for the user
Default on createCAN_VIEW_NON_FINANCIAL_DATA_GLOBAL if not sent in SCIM

Supported permission values (use exactly as documented by Google):

PermissionDescription
CAN_MANAGE_PERMISSIONS_GLOBALAdmin (all permissions)
CAN_VIEW_NON_FINANCIAL_DATA_GLOBALView app information and download bulk reports (read-only)
CAN_VIEW_FINANCIAL_DATA_GLOBALView financial data, orders, and cancellation survey responses
CAN_MANAGE_PUBLIC_APKS_GLOBALRelease to production, exclude devices, and use app signing by Google Play
CAN_MANAGE_TRACK_APKS_GLOBALRelease to testing tracks
CAN_MANAGE_TRACK_USERS_GLOBALManage testing tracks and edit tester lists
CAN_MANAGE_PUBLIC_LISTING_GLOBALManage store presence
CAN_REPLY_TO_REVIEWS_GLOBALReply to reviews
CAN_MANAGE_ORDERS_GLOBALManage orders and subscriptions
CAN_MANAGE_APP_CONTENT_GLOBALManage policy-related pages on all apps
CAN_VIEW_APP_QUALITY_GLOBALView app quality information for all apps
CAN_MANAGE_DEEPLINKS_GLOBALManage deep links setup for all apps
CAN_EDIT_GAMES_GLOBALEdit Play Games Services projects
CAN_PUBLISH_GAMES_GLOBALPublish Play Games Services projects
CAN_MANAGE_DRAFT_APPS_GLOBALCreate, edit, and delete draft apps
CAN_CREATE_MANAGED_PLAY_APPS_GLOBALCreate and publish private apps to your organization
CAN_CHANGE_MANAGED_PLAY_SETTING_GLOBALChoose whether apps are public or organization-only
CAN_VIEW_CONNECTED_APPS_GLOBALView connected apps
CAN_EDIT_CONNECTED_APPS_GLOBALEdit connected apps

For the full authoritative list, see DeveloperLevelPermission in the Google Play Developer API reference.

Scimify accepts googlePlayConsole_role in any of these common SCIM shapes:

  • Top-level field: googlePlayConsole_role
  • Extension key: urn:ietf:params:scim:schemas:extension:custom:2.0:User:googlePlayConsole_role
  • Nested extension object: urn:ietf:params:scim:schemas:extension:custom:2.0:User{ "googlePlayConsole_role": ["CAN_VIEW_NON_FINANCIAL_DATA_GLOBAL"] }

Suggested Okta profile attribute

  1. In Okta, add a user profile attribute for your Google Play Console SCIM app:
    • Display name: Google Play Console permissions
    • Variable name: e.g. googlePlayConsoleRole
    • Type: string (or string array if your IdP supports multi-valued custom attributes)
    • External namespace: urn:ietf:params:scim:schemas:extension:custom:2.0:User
    • External name: googlePlayConsole_role
  2. Use entitlements or group rules to assign permissions (for example, CAN_MANAGE_PERMISSIONS_GLOBAL for platform admins, CAN_VIEW_NON_FINANCIAL_DATA_GLOBAL for read-only stakeholders)
  3. Map the attribute in the Okta → Scimify provisioning profile so it is included on create and update

Mapping guidance

  • Set a sensible default (typically CAN_VIEW_NON_FINANCIAL_DATA_GLOBAL) for standard employees
  • Use CAN_MANAGE_PERMISSIONS_GLOBAL sparingly — it grants full account management in Play Console
  • Per-app access is not supported in this integration version; only account-level permissions are synced

Limitations

  • Invite-based create — SCIM “create user” sends a Play Console invitation; users are not fully active until they accept
  • Account owner — the Play Console account owner cannot be fully managed via SCIM; avoid assigning the owner through this integration
  • Permission propagation — permission changes may take up to 48 hours to appear in Play Console
  • Account-level only — per-app permission grants are not supported in v1
  • No group support — this connector does not create or sync groups

Troubleshooting

  • Test connection failed
    • Confirm the service account JSON is complete and valid
    • Verify the service account email is invited in Play Console Users and permissions with Admin access
    • Confirm the Developer ID matches the ID in your Play Console URL
  • User still shows as invited
    • The user must accept the Play Console invitation email before they appear as an active user
  • Permission not updated yet
    • Play Console permission changes can take up to 48 hours; allow time before re-checking
  • Invalid role value in IdP mapping
    • Use exact Google permission names from DeveloperLevelPermission (for example, CAN_MANAGE_PERMISSIONS_GLOBAL, CAN_VIEW_NON_FINANCIAL_DATA_GLOBAL)
  • Cannot remove or update a specific user
    • The account owner and some users with restricted visibility cannot be fully managed via SCIM; adjust access manually in Play Console if needed

Need Help?

If you encounter issues configuring Scimify, your service account, or googlePlayConsole_role mappings in your IdP, contact [email protected] for assistance.