Former Member
3 years ago
Google Workspace SCIM integration - sync not working after initial sync
Hi, I successfully set up the Google Workspace SCIM integration on GCP GKE with SCIM bridge 2.6.0.
When I add or remove groups from the SCIM bridge Admin UI a full sync is triggered and things work...
Former Member
3 years ago
@laz.h_1P
Thanks for the sync button - really appreciate it!
> As for the other limitations you've noted, these are mostly by design.
I'd argue it's a bad design then imo - this sync must be improved to be practical. Also the current behaviour (that it only listens to changes made by the Admin API) should be mentioned explicitly in the integration docs as a limitation.
Only listening to change events from the Admin API - which can be missed when an admin adds group members through groups.google.com - is imo a big security risk. What if there is a user in a privileged group and we want to remove him? In the current design it can happen that the user remains in the privileged 1Password group forever - unknowingly.
> considering that the desired state can be reached by running a sync that's the solution we will recommend for now.
Running a sync might be a solution but this must be fully automatic and happen on a regular, reasonably short interval (like every 10 minutes). It's not practical for an admin to go manually to the admin page every hour to click the sync button to ensure the 1Password group sync is working.
on direct/indirect group memberships:
> We have no concept of nested groups in 1Password, so we opted to flatten out the group memberships and require a direct sync.
I don't think the sync does any flattening at the moment. In fact I think this is what you should do: Have the SCIM bridge traverse the group hierarchy (incl. nested groups), get all the direct+indirect members and then add all the Google group members (direct or indirect) as direct members into the corresponding 1Password group. This is what actual "flattening" would look like.
Best, Christian
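
The flattening and full-state sync discussed in the post above, as an added example that is not part of the original thread and is not code from the SCIM bridge or Google. The group data, addresses and function names are constructed for illustration; no real Admin API or SCIM call is made.

```python
"""Flatten nested directory groups and diff against a target group (added example)."""

# Constructed sample data: group -> direct members. A member that is itself a
# key in this dict is a nested group; anything else is treated as a user.
DIRECTORY_GROUPS = {
    "prod-admins@example.com": ["alice@example.com", "sre@example.com"],
    "sre@example.com": ["bob@example.com", "oncall@example.com"],
    "oncall@example.com": ["carol@example.com", "sre@example.com"],  # cycle
}

# Constructed state of the target group as left by an earlier sync. dave was
# removed from the directory group, but the change event was never received.
TARGET_MEMBERS = {"alice@example.com", "bob@example.com", "dave@example.com"}


def flatten_members(groups, root):
    """Return every user that is a direct or indirect member of `root`."""
    users, seen, stack = set(), set(), [root]
    while stack:
        group = stack.pop()
        if group in seen:  # nested groups may reference each other
            continue
        seen.add(group)
        for member in groups.get(group, []):
            if member in groups:
                stack.append(member)  # nested group: descend into it
            else:
                users.add(member)  # user: becomes a direct member
    return users


def reconcile(desired, actual):
    """Compute the changes that bring `actual` to `desired` (full-state sync)."""
    return {"add": sorted(desired - actual), "remove": sorted(actual - desired)}


def sync_plan(groups, root, actual):
    """Flatten `root`, then diff the result against the target membership."""
    return reconcile(flatten_members(groups, root), actual)


if __name__ == "__main__":
    plan = sync_plan(DIRECTORY_GROUPS, "prod-admins@example.com", TARGET_MEMBERS)
    print("add:   ", plan["add"])
    print("remove:", plan["remove"])
```

Because the plan is computed from the full desired state rather than from change events, a removal whose event was missed still shows up under `remove` on the next run.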