Limiting Data Access Security Permissions
During the application setup, you must provide a Domain Admin User that Data Access Security uses to collect data from the Google Drive domain.
You can provide the Super Admin account, or create a dedicated Data Access Security Google account with fewer permissions.
Required Permissions
The Data Access Security Google account requires the following permissions:
On the desired OU (Organizational Unit) level
- Organizational Units -> Read
- Users -> Read
Domain-wide
- Groups -> Read
- Reports
The scope of these permissions also determines what Data Access Security can crawl, collect permissions for, and classify:
Crawling
The resource tree contains only the users and folders of the OUs on which the Data Access Security account has permissions.
Permissions Collection
Data Access Security only analyzes resources for permissions under scoped OUs.
Since groups are defined on a domain-wide basis, rather than by OU, Data Access Security collects all domain groups.
If users from OUs on which the Data Access Security account lacks permission have permissions on resources under the analyzed OU, Data Access Security treats those users as External Accounts, because it cannot collect information about them.
Data Classification
Data Access Security only indexes and classifies resources collected during a crawl (that is, only resources to which the Data Access Security account has permissions).
Granting Google Admin Account Permissions
To create and grant permissions to a Data Access Security Google Administrator account, perform the following steps:
- Sign in to the Google Administrator console (admin.google.com) using the Super Admin account (or any account that can create users and create and grant Administrator roles).
- Select Users. If the Users option is not displayed, select the More Controls bar at the bottom of the screen.
- Choose the OU in which to create the Data Access Security account, then hover over the plus (+) sign at the bottom right corner of the screen.
- Select Add User.
- Fill in a name, primary email address, and password for the user (for example, DAS_reader). Note the password for future reference.
- Select Create.
- Select Admin Roles on the Google Admin console.
- Select Create a New Role. (This will be the OU-targeted role.)
- Type a role name and description.
- Select Create.
- Navigate to Privileges tab > Admin Console Privileges and select the following checkboxes:
  - Organizational Units > Read
  - Users > Read
- Select Save.
- Select the newly created role, and select Assign Admins under the Admins tab.
- Select the desired OU from the drop-down list and type the name of the Data Access Security account.
- Select Confirm Assignment. The role applies to the OU and all its descendants. You can assign the same role to the same user on another OU later.
- Select Create a New Role. (This will be the domain-wide role.)
- Type a role name and description (for example, Data Access Security Domain Reader).
- Select Create.
- Navigate to Privileges tab > Admin Console Privileges and select the Reports checkbox.
- Navigate to Privileges tab > Admin API Privileges and verify that Groups is set to Read.
- Select Save.
- Select the newly created role, and select Assign Admins under the Admins tab.
- Type the name of the Data Access Security account.
- Select Confirm Assignment.
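After completing the steps above, it is worth checking that the dedicated account ended up with exactly the documented privileges and nothing more (for example, that nobody assigned it Super Admin). The following is an added example, not SailPoint's or Google's code: it audits role and role-assignment records shaped like the Admin SDK Directory API roles.list and roleAssignments.list responses against the permission set this page requires. The privilegeName strings are an assumption about how the console checkboxes named above appear in the API, and the sample records are constructed; confirm the names against your own tenant's output.

```python
# Added example (not SailPoint's code): audit a Data Access Security admin
# account's effective privileges against the set documented on this page.
# Input records are shaped like Admin SDK Directory API roles.list and
# roleAssignments.list items. ASSUMPTION: the privilegeName strings below are
# assumed to match the console checkboxes named above; verify in your tenant.
REQUIRED_OU_SCOPED = {"ORGANIZATION_UNITS_RETRIEVE", "USERS_RETRIEVE"}  # OU level
REQUIRED_DOMAIN_WIDE = {"GROUPS_RETRIEVE", "REPORTS_ACCESS"}            # domain-wide


def audit(roles, assignments, user_id):
    """Return excess, missing and over-scoped privileges for user_id."""
    privs_by_role = {r["roleId"]: {p["privilegeName"] for p in r["rolePrivileges"]}
                     for r in roles}
    ou_scoped, domain_wide = set(), set()
    for a in assignments:
        if a["assignedTo"] != user_id:
            continue
        privs = privs_by_role.get(a["roleId"], set())
        # scopeType "ORG_UNIT" limits the role to one OU subtree; anything
        # else ("CUSTOMER") applies to the whole domain.
        if a.get("scopeType") == "ORG_UNIT":
            ou_scoped |= privs
        else:
            domain_wide |= privs
    effective = ou_scoped | domain_wide
    allowed = REQUIRED_OU_SCOPED | REQUIRED_DOMAIN_WIDE
    excess = effective - allowed                      # more than the page requires
    missing = (REQUIRED_OU_SCOPED - effective) | (REQUIRED_DOMAIN_WIDE - domain_wide)
    over_scoped = REQUIRED_OU_SCOPED & domain_wide    # OU-level rights granted domain-wide
    return {"excess": sorted(excess), "missing": sorted(missing),
            "over_scoped": sorted(over_scoped), "ok": not excess and not missing}


# Constructed sample data (not real tenant output).
SAMPLE_ROLES = [
    {"roleId": "101", "roleName": "DAS OU Reader",
     "rolePrivileges": [{"privilegeName": "ORGANIZATION_UNITS_RETRIEVE"},
                        {"privilegeName": "USERS_RETRIEVE"}]},
    {"roleId": "102", "roleName": "DAS Domain Reader",
     "rolePrivileges": [{"privilegeName": "GROUPS_RETRIEVE"},
                        {"privilegeName": "REPORTS_ACCESS"}]},
    {"roleId": "1", "roleName": "Super Admin",
     "rolePrivileges": [{"privilegeName": "SUPER_ADMIN"}]},
]
LEAST_PRIV = [{"roleId": "101", "assignedTo": "das", "scopeType": "ORG_UNIT", "orgUnitId": "id:ou1"},
              {"roleId": "102", "assignedTo": "das", "scopeType": "CUSTOMER"}]
SUPER_ADMIN = [{"roleId": "1", "assignedTo": "admin", "scopeType": "CUSTOMER"}]
```

Run `audit(SAMPLE_ROLES, LEAST_PRIV, "das")` for the configuration described above and `audit(SAMPLE_ROLES, SUPER_ADMIN, "admin")` to see how a Super Admin assignment is reported; a non-empty `over_scoped` list means an OU-level privilege was granted domain-wide and should be narrowed.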