
Prerequisites

Make sure your system fits the descriptions below before starting the installation.

Software Requirements

File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle, which consists of the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.

Permissions

To enable File Access Manager to interact with Google Apps, the high-level steps are:

  1. Enable Google SDKs (Google Drive API, Drive Activity API, Admin SDK API).
  2. Create a service account and assign it domain-wide delegation.
  3. Delegate domain-wide authority to the service account. This is required to capture activities.

Enabling Google SDKs (Google Drive API, Drive Activity API, Admin SDK API)

Creating a project:

  1. Go to your Google Apps developer console: https://console.developers.google.com
  2. Make sure that you are using an administrator account for your Google Apps domain.
  3. Select the Project drop-down from the top bar (next to the Google API logo), then select New Project.
  4. Name the project (e.g., “FAM”) and select Create.
  5. Wait for the project to be created and then select Select Project from the top right notification bar.
  6. Using the previous drop-down selector, ensure the new project is selected, otherwise you may default to the previous project.

Enabling Google APIs:

  1. At the top left, select the menu (three lines) > APIs & services.
  2. In the new project select +Enable APIs from the top bar.
  3. Using the Search box, find and enable the following APIs:
    • Google Drive API
    • Drive Activity API
    • Admin SDK API

Creating a Service Account and Assigning it Domain-wide Delegation

  1. On the top left (menu button) select APIs & Services > Credentials.

    Note

    This is an important step; if you skip it, the credentials you create will belong only to the last API you were viewing.

  2. Select Create Credentials.

  3. Select Service account.
  4. Enter a name for the new service account in "Service account name" (e.g. "svc_fam").

    Note

    The user, domain, and service account name are all case sensitive.

  5. Select Create then Done.

  6. Verify that the new account is listed within Credentials, under the Service Accounts heading.
  7. Select the newly created account, or select the Edit icon.
  8. Select the Show Domain-wide Delegation drop-down menu.
  9. Select Enable G Suite Domain-wide Delegation.

    Note

    If you get a message ‘To change domain wide delegation, a product name for the OAuth consent screen must be configured….’, follow the prompts and create the Consent as instructed.

  10. Select Add Key > Create new key.

  11. Select P12 under Key type.
  12. Select Project Owner as the role for this service account.
  13. Select Create.
  14. A certificate file (.p12) is then downloaded to your computer. This file is required when creating the Google Drive application in Adding a Google Drive Application in File Access Manager.
  15. A popup window appears showing the password to the .p12 file. Save this password for future use within the Add New Application Wizard.

    Note

    This popup is displayed only once. Copy the password now; otherwise you will have to define a new service account.

  16. Copy the service account email address <email>@<project_name>-123.iam.gserviceaccount.com. This is needed in the step that authorizes the service account.

  17. Select Show Domain-wide delegation and then Enable G Suite Domain wide delegation.
  18. Assign a Product Name as prompted (e.g., FAM).
  19. Copy the Unique ID number (Client ID). This value is needed in the step that authorizes the service account.
  20. Select Save.

Delegate Domain-wide Authority to the Service Account

This is required in order to capture activities.

  1. Go to Google administrative console at: https://admin.google.com.
  2. Select Security. If it is not listed, select the More controls button at the bottom of the screen.
  3. Select API Controls.
  4. Select Manage Domain Wide Delegation.
  5. Select Add new.
  6. Under Client ID, paste the Unique ID (this is the same as the Client ID) of the service account you created in the previous step.
  7. Under OAuth scopes (comma-delimited), paste the following in its entirety:

    https://www.googleapis.com/auth/activity, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/drive.activity

  8. Select Authorize.
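A small least-privilege check for the grant made in step 7, added here as an example (it is not part of the File Access Manager documentation or product). It parses the comma-delimited scope string as pasted into the Admin console, compares it with the scopes listed above, and flags both scopes that were not authorized (the collectors' delegated token requests for those would fail) and scopes broader than the documented set; the sample grant strings are constructed.

```python
"""Least-privilege check for the domain-wide delegation scope grant.

Added example, not part of the File Access Manager documentation. It parses
the comma-delimited scope string pasted into the Google Admin console
(Manage Domain Wide Delegation) and compares it with the scopes this page lists.
"""

# The scope list from the "Delegate Domain-wide Authority" step, verbatim.
DOCUMENTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/activity",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.activity",
})

def parse_console_scopes(text: str) -> list[str]:
    """Split the console's comma-delimited string into scope URIs.

    Surrounding whitespace and empty entries (e.g. a trailing comma) are
    dropped; order and duplicates are kept so they can be reported.
    Scopes are compared case-sensitively, as Google treats them.
    """
    return [s.strip() for s in text.split(",") if s.strip()]

def check_delegation(granted_text: str, required=DOCUMENTED_SCOPES) -> dict:
    """Report gaps and excess between the granted and documented scopes."""
    granted = parse_console_scopes(granted_text)
    granted_set = set(granted)
    return {
        # Needed by the collectors but not authorized: delegated token
        # requests for these scopes fail, so collection breaks.
        "missing": sorted(required - granted_set),
        # Authorized but not needed: wider blast radius if the .p12 key leaks.
        "excess": sorted(granted_set - required),
        "duplicates": sorted({s for s in granted if granted.count(s) > 1}),
        "ok": granted_set == set(required),
    }

def to_token_request_scope(granted_text: str) -> str:
    """Same grant in the space-delimited form OAuth 2.0 token requests use."""
    return " ".join(dict.fromkeys(parse_console_scopes(granted_text)))

# Constructed samples (not from the page): an exact grant, and an over-grant
# using full Drive access and the non-readonly directory.user scope.
EXACT_GRANT = ", ".join(sorted(DOCUMENTED_SCOPES)) + ","
BROAD_GRANT = ("https://www.googleapis.com/auth/drive, "
               "https://www.googleapis.com/auth/drive.readonly, "
               "https://www.googleapis.com/auth/admin.directory.user")
```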

Limiting File Access Manager Permissions

During the Application setup, you must provide a Domain Admin User for File Access Manager to collect data on the Google Drive domain.

You can provide the Super Admin, or create a dedicated File Access Manager Google account with fewer permissions.

The File Access Manager Google account requires the following permissions:

  • On the desired OU (Organizational Unit) level

    • Organizational Units > Read
    • Users > Read
  • Domain-wide

    • Groups > Read
    • Reports

Note the following regarding crawling, permissions collections, and activities:

  • Crawling
    • The resource tree contains only OU users and folders for which a File Access Manager user has permissions.
  • Permissions Collection
    • File Access Manager only analyzes resources for permissions under scoped OUs.
    • Since groups are defined on a domain-wide basis, rather than by OU, File Access Manager collects all domain groups.
    • If users from OUs (for which a File Access Manager user lacks permission) have permissions on resources under the analyzed OU, those users are considered File Access Manager External Accounts, since File Access Manager cannot collect information on those users.
  • Activities
    • File Access Manager only collects activities for users for which a File Access Manager user has permissions.
    • File Access Manager collects administrator activities (such as changing users or passwords) on a domain-wide basis, rather than by user/OU.
  • Data Classification
    • File Access Manager only indexes and classifies resources collected during a crawl (only resources to which a File Access Manager user has permissions).

To create a File Access Manager Google Administrator account and grant it permissions, perform the following steps:

  1. Sign in to the Google Administrator console (admin.google.com) using the Super Admin account (or any account that can create and grant Administrator roles and create users).
  2. Select Users.

    Note

    If you cannot see Users, select the More Controls bar at the bottom of the screen.

  3. Choose an OU on which to create a File Access Manager account by hovering over the plus (+) sign at the bottom right corner of the screen.

  4. Select Add User.
  5. Enter a name, primary email address, and password for the user (for example, IdentityIQfam_reader). Note down the password for future reference.
  6. Select Create.
  7. Select Admin Roles on the Google Admin console.

    Note

    To see the Admin Roles, select the More Controls bar at the bottom of the screen.

  8. Select Create a New Role. This will be the OU targeted role.

  9. Enter a role name and description (for example, File Access Manager OU Reader).
  10. Select Create.
  11. Check the following checkboxes under the Privileges tab > Admin Console Privileges:
    • Organizational Units > Read
    • Users > Read
  12. Select Save.
  13. Select the newly created role, and select Assign Admins under the Admins tab.
  14. Select the desired OU from the drop-down list and enter the name of the File Access Manager account.
  15. Select Confirm Assignment.

    Note

    The role applies to the OU and all its descendants. You can assign the role to the same user on another OU later.

  16. Select Create a New Role. This will be a domain-wide role.

  17. Enter a role name and description (for example, File Access Manager Domain Reader).
  18. Select Create.
  19. Check the Reports checkbox under the Privileges tab > Admin Console Privileges.
  20. Check the Groups > Read checkbox under the Privileges tab > Admin API Privileges.
  21. Select Save.
  22. Select the newly created role, and select Assign Admins under the Admins tab.
  23. Enter the File Access Manager account.
  24. Select Confirm Assignment.

Communications Requirements

| Requirement | Source | Destination | Port |
|---|---|---|---|
| File Access Manager Message Broker | Permission Collector / Data Classification Collector | RabbitMQ | 5671 |
| File Access Manager Access | Activity Monitor | File Access Manager Servers | 8000-8008 |
| Permissions Collector / Data Classification Collector | Permissions Collector / Data Classification | Google APIs | https |
| Activity Monitoring | Activity Monitor | Google APIs | https |