Whitelisting and auditing of ApplicationIntegrationToolset

[maheshwaritanay]

Hi team,

we are using ApplicationIntegrationToolset to connect with enterprise tools like JIRA, confluence, tables. We want to be able to whitelist the entities and actions at user level. I tried searching for the examples but couldnt find. Is there any provision to do this?

Also need help for relevant documentation to use application integration UI. How these integrations can be used in google ADK other than default ExecuteConnection.

[adk-bot]

Response from ADK Answering Agent (experimental, answer may be inaccurate)

TLDR: You can configure whitelisting at the toolset level and handle user-specific permissions via OAuth2. Auditing is best done through logging, and you can use Application Integration workflows directly in addition to ExecuteConnection.

---

Hi @maheshwaritanay,

Thanks for your questions. Here are some pointers on how to achieve what you're looking for with the ApplicationIntegrationToolset.

Whitelisting Entities and Actions

You can control which entities and actions are exposed by the toolset during its initialization. The ApplicationIntegrationToolset constructor accepts entity_operations and actions parameters to whitelist them at a global level. [2]

For user-level permissions, the recommended approach is to use an authentication scheme like OAuth 2.0. [4] When a user authenticates, the ApplicationIntegrationToolset will operate with that user's permissions, effectively enforcing user-specific access control defined in the target application (JIRA, Confluence, etc.). The agent will only be able to perform actions that the authenticated user is permitted to do.

Auditing

For auditing, the best practice is to implement robust logging within your agent. You should create logs for all actions performed by the toolset, attributing each action to the user who initiated it. This ensures you have a clear audit trail. You can find more on this in the ADK documentation on safety and security best practices. [3]

Application Integration UI Documentation

When you refer to the "application integration UI", it could mean a couple of things:

1. Google Cloud Console: If you are using Google Cloud's Application Integration, the UI for building and managing integrations is in the Google Cloud Console. You can find the official documentation for that on the Google Cloud website.
2. ADK API Server UI: When you run an ADK agent with an API server, it automatically generates a Swagger/OpenAPI UI for your agent's tools. This UI allows you to test and interact with your agent's capabilities. You can find more about this in the API Server documentation. [5]

Using Integrations Beyond ExecuteConnection

The ApplicationIntegrationToolset is not limited to ExecuteConnection with Integration Connectors. It can also be used to invoke Application Integration workflows directly. To do this, you would use the integration and triggers parameters in the toolset's constructor to specify the target integration and its entry points. [1]

This allows you to build more complex, multi-step automations in Application Integration and trigger them from your ADK agent.

I hope this helps you get started! Let us know if you have more questions.

[1] Using Google Cloud tools - Application Integration
[2] application_integration_toolset.py source
[3] Safety
[4] Authentication in custom tools
[5] API Server