Configuring Google Cloud Platform
To configure Google Cloud Platform to work with SailPoint CIEM, you'll need to set up the project, accounts, APIs, and roles with the minimum set of permissions required to display your organization hierarchy.
Use an administrator role in the Google Cloud Platform Console and follow the directions to register your GCP account with SailPoint CIEM.
Creating Project and Service Accounts
You will need a project and attached service accounts to connect to your organization. Ensure you have selected the organization as the scope.
Follow the Google Cloud documentation to:
Compute Engine Cloud Bigtable Admin Cloud Functions Cloud SQL Admin Cloud Logging Identity and Access Management (IAM) Cloud Resource Manager Admin SDK Cloud Key Management Service (KMS) BigQuery
Additional APIs may be needed to process new types of resources.
The service account key allows the code to provide credentials to the API and will generate a JSON file. Any application can access the organization through this JSON file, so save it in a secure place.
You must now create a custom role to grant the service account access to an organization.
Granting Service Account Access to an Organization
Once you have created service accounts for the project, you must grant those accounts a set of read-only access to your Google Cloud Platform organization.
Follow the Google Cloud documentation to:
Create a custom role in your organization with the required permissions.
Permissions Description cloudasset.assets.searchAllIamPolicies Retrieve all policies attached to resources using GCP’s Cloud Asset Inventory API cloudasset.assets.searchAllResources Retrieve list of resources using GCP’s Cloud Asset Inventory API resourcemanager.folders.getIamPolicy Get the access control policy for a folder iam.roles.list List roles and relevant metadata iam.serviceAccounts.getIamPolicy Get the access control policy for a service account iam.serviceAccounts.list List service accounts and relevant metadata logging.logEntries.list List logging entries resourcemanager.folders.getIamPolicy Get the access control policy for a folder resourcemanager.folders.list List folders and relevant metadata resourcemanager.organizations.get Get the specified organization resource by ID resourcemanager.organizations.getIamPolicy Get the access control policy for an Organization resourcemanager.projects.get Get the specified project resource by ID resourcemanager.projects.getIamPolicy Get the access control policy for a project resourcemanager.projects.list List projects and relevant metadata
Granting Service Account Access to the Domain
You must grant the service account access to your Google admin domain and determine the access and privileges assigned to your service account.
Follow the Google Identity documentation to delegate domain-wide authority to the service account.
- In the Client ID field, enter the client ID that was generated when you created the service account. This can be found in the Service Accounts details page.
- In the OAuth scopes (comma-delimited) field, add:
Configuring a Restricted Admin Role
SailPoint CIEM must assume a Google Cloud Provider admin role to build the organization hierarchy and read identities (users, roles, groups). You can use the default admin role or configure a custom admin role with more restricted permissions.
To create an admin role with the minimum required permissions to be used by CIEM, follow the Google Workspace documentation to:
Create a custom role with the following privileges.
Organizational Units - Read
Users - Read
Groups - Select the checkbox.
Directory Sync - Manage Directory Sync Settings (which will automatically select Read Directory Sync Settings)
Corresponding Admin API privileges will be automatically selected.
Assign the role to an email that will be used to connect GCP with SailPoint CIEM.
You can also create a new user and assign the role to them.
Using the Command-Line Interface
You can optionally set up your GCP configuration using the command-line interface. Follow the Google Cloud documentation to install and initialize the gCloud CLI.