Google Workspace integration

Integrate Identity Security Posture Management (ISPM) with your Google Workspace.

  1. Create a project
  2. Create a service account
  3. Create keys for the service account
  4. Enable API access
  5. Configure domain-wide delegation for the service account
  6. Share the parameters with ISPM

Before you begin

Ensure that you have the Google Workspace super admin privilege.

Create a project

  1. Sign in to your Google Cloud Console and open the Navigation menu.

  2. Go to IAM & Admin > Manage Resources.


  3. Click + Create Project.
  4. Enter the required information such as the project name, organization, and location.
  5. Click Create.

Create a service account

  1. Open the Navigation menu and go to IAM & Admin > Service Accounts.
  2. Select the project that you created.

  3. Click + CREATE SERVICE ACCOUNT.
  4. In the Service account details section, enter a name and a description for the service account. You can keep the auto-generated service account ID or change it.
  5. Click CREATE AND CONTINUE.
  6. In the Grant this service account access to project (optional) section, click Continue. Don't add any roles.
  7. In the Grant users access to this service account (Optional) section, add users who own or can access this service account.
  8. Click Done.

Create keys for the service account

  1. For the new service account you created, open the options menu from the Actions column.
  2. Select Manage keys.
  3. On the Keys page, click ADD KEY.
  4. Select Create new key.
  5. Select JSON as the format for the key.
  6. Click Create. This creates a credentials JSON file. These are the credentials that allow the service account to access Google Workspace.
  7. Click Close.

Enable API access

  1. Sign in to your Google Cloud Console and open the Navigation menu.

  2. Go to APIs & Services > Enabled APIs & services.
  3. Check if Admin SDK API, Service Usage API, and Cloud Identity API appear in the APIs & Services list.
  4. If they aren't listed, complete these steps for each API to enable it:
    1. Click + ENABLE APIS AND SERVICES.

    2. Search for and select an API using the search bar.

    3. Select the tile corresponding to the API.

    4. Click Enable.

Configure domain-wide delegation for the service account

  1. Sign in to your Google Workspace Admin Console and open the Navigation menu.
  2. Go to Security > Access and data control > API controls.
  3. In the Domain wide delegation section, click MANAGE DOMAIN WIDE DELEGATION.
  4. Click Add new.
  5. In the Client ID field enter the client_id value. You can find this value in the credentials JSON file that you generated while creating the service account.

  6. In the OAuth Scopes field, enter the following scopes as comma-separated values.

    https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/cloud-platform.read-only,https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly,https://www.googleapis.com/auth/cloud-identity.policies.readonly
  7. Click Authorize.
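
The following check is an added example, not part of the vendor's procedure. Before authorizing, it confirms that the credentials JSON file is a service account key, returns the client_id to enter in step 5, and compares the OAuth Scopes field against the list in step 6, flagging any granted scope without a read-only suffix. The function names and the sample key values are constructed for illustration.

```python
import json

# Scopes listed in step 6 of the delegation procedure on this page.
REQUIRED_SCOPES = frozenset(
    "https://www.googleapis.com/auth/" + s for s in (
        "admin.reports.audit.readonly", "admin.reports.usage.readonly",
        "admin.directory.user.readonly", "admin.directory.domain.readonly",
        "admin.directory.group.readonly", "admin.directory.device.mobile.readonly",
        "admin.directory.user.security", "admin.directory.rolemanagement.readonly",
        "admin.directory.orgunit.readonly", "admin.directory.customer.readonly",
        "cloud-platform.read-only", "cloud-identity.inboundsso.readonly",
        "cloud-identity.policies.readonly"))

KEY_FIELDS = ("type", "client_id", "client_email", "private_key")

def check_key(raw_json):
    """Return (client_id, problems) for the text of a service account key file."""
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return None, ["top level is not a JSON object"]
    problems = [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"unexpected type: {key['type']}")
    return key.get("client_id"), problems

def check_scopes(entered):
    """Compare the comma-separated OAuth Scopes field with the page's list."""
    got = {s.strip() for s in entered.split(",") if s.strip()}
    return {
        "missing": sorted(REQUIRED_SCOPES - got),
        "extra": sorted(got - REQUIRED_SCOPES),
        # Granted scopes whose name does not end in a read-only suffix.
        "not_read_only": sorted(s for s in got
                                if not s.endswith((".readonly", ".read-only"))),
    }

# Constructed sample key (placeholder values, not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "client_email": "ispm@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001", "private_key": "PLACEHOLDER"})

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY))
    print(check_scopes(",".join(sorted(REQUIRED_SCOPES))))
```

Anything reported under "extra" is delegated access beyond what this integration asks for and is worth removing from the delegation entry.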

Share the parameters with ISPM

  1. In the Identity Security Posture Management console, go to Settings > Connected sources.

  2. Select Google Workspace.
  3. Enter the following parameters:
    • The credentials JSON file that you created in the Create keys for the service account section.
    • The email address of a Google Workspace super admin.
  4. Click Submit.

Related topic

Google Cloud Platform integration