
Google Drive Permissions

To enable Data Access Security to interact with Google Apps, you must:

  1. Enable Google SDKs (Google Drive API, Admin SDK API).
  2. Create a service account and assign it domain-wide delegation.
  3. Delegate domain-wide authority to the service account.

Enabling Google SDKs

You must enable the Google Drive, Drive Activity, and Admin SDK APIs.

Creating a Project

  1. Log in to your Google Apps developer console using an administrative account for your Google Apps domain.
  2. Select the Project dropdown list from the top bar and select New Project.
  3. Name the project (e.g., Data Access Security) and select Create.
  4. Wait for the project to be created and then select Select Project from the notification, or identify the project from the Dashboard page.
  5. Using the previous dropdown list, ensure the new project is selected, otherwise you may default to the previous project.

Refer to the Google Cloud Creating and managing projects documentation for more information.

Enabling Google APIs

Enable and add the following APIs:

  • Google Drive API
  • Drive Activity API
  • Admin SDK API

Creating a Service Account and Assigning it Domain-Wide Delegation

  1. In the top-left menu, choose APIs & Services > Credentials.

    Important

    This is an important step. If you skip it, you will create credentials only for the last API you were in.

  2. Select Create Credentials.

  3. Select Service account.
  4. Enter a name for the new service account in "Service account name" (e.g. "svc_das").

    Note

    The user, domain, and service account name are all case sensitive.

  5. Select Create then Done.

  6. Verify that the new account is listed within Credentials, under the Service Accounts heading.
  7. Select the newly created account, or select the Edit icon.
  8. Select the Show Domain-wide Delegation dropdown list.
  9. Select Enable G Suite Domain-wide Delegation. If you get a message "To change domain wide delegation, a product name for the OAuth consent screen must be configured…", follow the prompts and create the Consent as instructed.
  10. Select Add Key > Create new key.
  11. Select P12 under Key type.
  12. Choose Project Owner as the role for this service account.
  13. Select Create.
  14. A certificate file (.p12) is downloaded to your computer. This file is required when creating the Google Drive application.
  15. A popup window appears showing the password to the .p12 file. Save this password for future use when adding Google Drive to Data Access Security.

    Note

    This popup is displayed only once. Copy the password, or you will have to define a new service account.

  16. Copy the service account email address <email>@<project_name>-123.iam.gserviceaccount.com. This will be needed when authorizing the service account.

  17. Select Show Domain-wide delegation and then Enable G Suite Domain wide delegation.
  18. Assign a Product Name as prompted, such as "DAS".
  19. Copy the Unique ID number (the Client ID) to use when delegating domain-wide authority to the service account.
  20. Select Save.

Delegating Domain-Wide Authority to the Service Account

  1. Go to the Google administrative console.
  2. Select Security. If it is not listed, select the More controls button at the bottom of the screen.
  3. Select API Controls.
  4. Choose Domain Wide Delegation.
  5. Select Add new.
  6. Under Client ID, paste the “Unique ID” (this is the same as the Client ID) of the service account you created in the previous step.
  7. Under OAuth scopes (comma-delimited), paste the following in its entirety:

    https://www.googleapis.com/auth/activity, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/drive.activity

  8. Select Authorize.
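
To check later that a domain-wide delegation grant still matches the scope list in step 7, the following added example (not part of this documentation's product or of Google's tooling) compares the scopes recorded for a Client ID with that list. The Client IDs and the drifted grant are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit domain-wide delegation entries against the scope list
# given in step 7 above. Client IDs and the drifted grant are constructed.

EXPECTED_SCOPES = (
    "https://www.googleapis.com/auth/activity, "
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly, "
    "https://www.googleapis.com/auth/admin.directory.group.readonly, "
    "https://www.googleapis.com/auth/admin.directory.user.readonly, "
    "https://www.googleapis.com/auth/admin.reports.audit.readonly, "
    "https://www.googleapis.com/auth/drive.readonly, "
    "https://www.googleapis.com/auth/drive.activity"
)


def parse_scopes(text):
    """Split a comma-delimited scope string; ignore blanks and duplicates."""
    return {part.strip() for part in text.split(",") if part.strip()}


def audit_delegation(entries, client_id, expected_text=EXPECTED_SCOPES):
    """Compare the scopes granted to client_id with the documented list.

    entries maps Client ID -> comma-delimited scope string, as copied from the
    Domain Wide Delegation page. Returns None if the client has no entry.
    """
    if client_id not in entries:
        return None
    granted = parse_scopes(entries[client_id])
    expected = parse_scopes(expected_text)
    return {
        # Scopes the page requires but the grant lacks.
        "missing": sorted(expected - granted),
        # Scopes beyond the documented list: candidates for removal.
        "unexpected": sorted(granted - expected),
        # Heuristic: anything not ending in ".readonly" gets a manual look.
        "review_not_readonly": sorted(
            s for s in granted if not s.endswith(".readonly")
        ),
    }


# Constructed sample: the second grant has drifted from the documented list.
SAMPLE_ENTRIES = {
    "100000000000000000001": EXPECTED_SCOPES,
    "100000000000000000002": (
        "https://www.googleapis.com/auth/drive, "
        "https://www.googleapis.com/auth/drive.readonly,"
    ),
}

if __name__ == "__main__":
    for cid in SAMPLE_ENTRIES:
        print(cid, audit_delegation(SAMPLE_ENTRIES, cid))
```

The `review_not_readonly` bucket is a naming heuristic only; it lists scopes to look up, not confirmed write access.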
