Connector Overview
File Access Manager Connector for Google Drive uses the following Google APIs:
- Google Drive Activities API and Google Reports API for event monitoring
- Google Drive API for resource crawling and permissions collection
- Google Admin SDK (Directory API) for domain identities (users, groups, and so on)
Google APIs are accessed via a Service Account, defined within the scope of the customer’s Google Apps Domain. The Service Account has Domain-wide delegation permission so that it can impersonate domain users and access their Google Drive activities and data.
Capabilities
This connector enables you to use File Access Manager to access and analyze data stored in Google Drive and do the following:
- Analyze the structure of your stored data.
- Monitor user activity in the resources.
- Classify the data being stored.
- Verify user permissions on the resources, and compare them against requirements.
- Manage access fulfillment - automated granting and revoking of access - according to rules set in File Access Manager.
- Identity collector – collect IAM users, groups and roles and the connections between them.
See the File Access Manager documentation for a full description.
Google Drive Connector Installation Flow Overview
To install the Google Drive connector:
- Configure all the prerequisites.
- Add a new Google Drive application in the File Access Manager website.
- Install the relevant services:
  - Activity Monitor
Note
Google Drive currently does not support the Cloud-Ready architecture for permissions collection and data classification. Permission collection and data classification tasks will run on the central engine services associated with the application, regardless of whether these services have one or more collectors associated with the central engine.
How is Google Drive Mapping Converted to a Business Resources Tree?
- Google Drive represents files and folders in a graph (a.k.a. map) data structure, so that every node may have multiple parent and child nodes. In a tree structure, however, every node can have only one parent. For example, a folder shared by two users actually has two different parents – one in each of the users' personal drives.
- To maintain a recognizable structure for Google Drive resources, File Access Manager displays business resources in a tree, exactly as they are arranged from the user's perspective.
- When users share folders, flattening the graph structure into a tree results in duplicate resources, which are maintained to keep the structure recognizable.
- If external users (external to the company's Google Apps domain) share folders with domain users, a separate "External" tree root represents those resources.
- If shared drives exist in the domain and have members assigned to them, a separate "Shared Drives" tree root represents those resources.
- The following is a sample schematic of the File Access Manager Google Drive resource tree:
- External
  - private@gmail.com
    - sharedFolder1
- Shared Drives
  - Shared Drive 1
    - sharedDriveFolder1
    - sharedDriveFolder2
- Users
  - u1@my-company.com
    - Folder1
    - Folder2
  - u2@my-company.com
  - u3@my-company.com
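The graph-to-tree flattening described above, as an added Python example that is not code from the connector or its documentation: it walks a constructed set of Drive-like file records (the file ids, owners, parents and shared drive membership are all assumed sample values) and emits the Users, External and Shared Drives roots, so a folder shared between two users shows up under both of their drives. The rule that externally owned items are listed only under the External root is an assumption, not something the page states.

```python
from collections import defaultdict
DOMAIN = "my-company.com"  # assumed: the customer's Google Workspace domain
# Constructed sample shaped like Drive API files.list output (not real data);
# "root:<user>" stands for that user's My Drive root, "drive:<name>" for a shared drive.
FILES = [
    {"id": "f1", "name": "Folder1", "owner": "u1@my-company.com", "parents": ["root:u1@my-company.com"]},
    {"id": "f2", "name": "Folder2", "owner": "u1@my-company.com",  # u1 shared it with u3
     "parents": ["root:u1@my-company.com", "root:u3@my-company.com"]},
    {"id": "f3", "name": "Sub", "owner": "u1@my-company.com", "parents": ["f2"]},
    {"id": "s1", "name": "sharedFolder1", "owner": "private@gmail.com",  # external owner, shared with u2
     "parents": ["root:u2@my-company.com"]},
    {"id": "d1", "name": "sharedDriveFolder1", "owner": None, "parents": ["drive:Shared Drive 1"]},
    {"id": "d2", "name": "sharedDriveFolder2", "owner": None, "parents": ["drive:Shared Drive 1"]},
]
USERS = ["u1@my-company.com", "u2@my-company.com", "u3@my-company.com"]


def is_external(f, domain):
    """Owner is outside the company domain (shared-drive items carry no owner)."""
    return f["owner"] is not None and not f["owner"].endswith("@" + domain)


def build_tree(files, users, domain):
    """Flatten the parent graph into (file id, tree path) pairs, one path per parent."""
    by_id = {f["id"]: f for f in files}
    children = defaultdict(list)
    for f in files:
        for p in f["parents"]:
            children[p].append(f["id"])
    entries = []

    def descend(fid, path):  # record fid at path, then everything below it
        entries.append((fid, path))
        for cid in children[fid]:
            descend(cid, path + "/" + by_id[cid]["name"])

    for u in users:  # each domain user's My Drive hangs under the "Users" root
        for cid in children["root:" + u]:
            if not is_external(by_id[cid], domain):  # assumption: external items are shown only under External
                descend(cid, f"Users/{u}/{by_id[cid]['name']}")
    for f in files:  # top-level items owned outside the domain get their own root, grouped by owner
        if is_external(f, domain) and not any(p in by_id for p in f["parents"]):
            descend(f["id"], f"External/{f['owner']}/{f['name']}")
    for d in sorted({p[6:] for f in files for p in f["parents"] if p.startswith("drive:")}):
        for cid in children["drive:" + d]:  # shared drives with members get the "Shared Drives" root
            descend(cid, f"Shared Drives/{d}/{by_id[cid]['name']}")
    return entries


def duplicated_resources(entries):
    """Files that end up under more than one path after flattening."""
    paths = defaultdict(list)
    for fid, path in entries:
        paths[fid].append(path)
    return {fid: sorted(p) for fid, p in paths.items() if len(p) > 1}
```

Running `build_tree(FILES, USERS, DOMAIN)` yields eight entries for six files; `duplicated_resources` reports Folder2 and its subfolder twice, once under u1 and once under u3, which is the duplication the tree view preserves.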
Monitored Activities
Monitored Administrator audit events (Google Domain events) include:
- User Events and group events (USER_SETTINGS and GROUP_SETTINGS, respectively)
Permissions Collection Operation Principles
The File Access Manager Google Drive Permissions Collection task uses the Google Drive API to retrieve information from Google Drive.
File Access Manager automatically creates a Google Drive Identity Collector (when the “Add New Application” wizard finishes) which collects the users and groups from the Google Apps Domain.