
Connecting GCP and CIEM

Once you have configured your GCP account, you can connect it to CIEM using a SaaS connector or VA-based connector:

Choose your next step based on your configuration

When you have completed the steps for your connection type, you can aggregate and mark the entitlement types that grant cloud access. You can then view the effective access those entitlements grant on aggregated Google Cloud Platform resources and include cloud entitlements in certification campaigns.

FedRAMP Limitations

SailPoint CIEM FedRAMP customers can register a maximum of 650 GCP projects.

Using the Google Workspace SaaS Connector

If you are using Google Workspace SaaS, follow the SailPoint Connector guide to enable SailPoint CIEM.

Important

In the Connection Settings, select Service Account from the Grant Type dropdown list. CIEM does not support the Client Credential grant type.

After a successful test connection, you can optionally set the source scope before aggregating accounts and marking the entitlement types that grant cloud access.

Note

If you have previously configured both the Google Workspace SaaS and SailPoint CIEM GCP connectors, you do not need to take additional action to continue receiving your data.

Setting Source Scope for SaaS-Based Connections

By default, SailPoint CIEM reads and automatically discovers changes to your cloud infrastructure. You can choose to exclude scopes to prevent SailPoint CIEM from including data for those accounts.

When you exclude scopes, SailPoint CIEM will only read and include data from the selected scopes. When Auto-Include Scopes is disabled, new and deleted folders and projects in your cloud system will still be detected, but SailPoint CIEM will not automatically include data from new scopes until you select the folders and projects individually or re-enable Auto-Include Scopes.

To change the scope of your included source data when using a SaaS-based connector:

  1. In the Google Workspace SaaS source, select Cloud Scopes under Aggregation and Provisioning.
  2. Use the checkboxes to change which folders and projects are included. Removing a scope disables Auto-Include Scopes.

    List of cloud scopes. 3 are deselected and Auto-Include Scopes is disabled.

  3. Select Save.

Notes

  • You can search for scopes as well as filter by selected and unselected scopes.
  • The Last Refreshed time is when changes to your source inventory were last detected by SailPoint CIEM. This is separate from aggregation.

You will next aggregate accounts and mark the entitlement types that grant cloud access.

Using the Google Workspace VA-Based Connector

If you are onboarding SailPoint CIEM using a VA-based connector instead of SaaS, you must configure both the Google Workspace VA-based connector and the SailPoint CIEM GCP connector.

G Suite VA-based connector
  Allows you to manage your GCP accounts, groups, and roles in Identity Security Cloud on virtual appliances. If your organization has licensed a SailPoint cloud management solution, it will also gather data on the cloud resources users are granted through your GCP organization, projects, accounts, and role assignments.

SailPoint CIEM GCP connector
  Works with the Google Workspace VA-based connector to collect cloud resource data and display the total access an identity has on aggregated resources from your GCP cloud systems.

You may connect your Google Workspace VA-based and SailPoint CIEM GCP sources in any order.

Connecting the Google Workspace VA-Based Connector

  1. Follow the SailPoint Connector guide to configure or edit the Google Workspace connector.
  2. In the CIEM Settings tab, select the Manage Cloud Resources toggle and enter your organization ID in the Cloud Resource Management Settings configuration to enable it to gather cloud data.

    Cloud Resource settings with a toggle to manage cloud resources for the provided Organization ID.

You must then use the SailPoint CIEM GCP connector to display all access users have to your cloud resources.

Connecting SailPoint CIEM GCP

The SailPoint CIEM GCP source pulls data daily about the cloud resources your GCP IaaS users can access.

To register SailPoint CIEM GCP:

  1. Go to Admin > Connections > Sources > Create New.
  2. Find the CIEM GCP source type and select Configure.
  3. Enter a source name.
  4. Enter a description for your source.
  5. In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.
  6. (Optional) Select a governance group for source management.
  7. Select Save.
  8. Select Connection Settings in the left panel.

    The CIEM GCP connection settings are displayed with the org ID, admin email, and service account JSON credential fields.

  9. In the GCP Organization ID field, enter the 10-digit organization ID. You can find this in the Google Cloud Platform console by selecting the dropdown list with your project or organization name. Select the All tab and copy the organization ID.

    The GCP admin console with the Organization ID displayed on the All tab.

  10. Enter an email with admin access to the Google Admin Console.

    Note

    The domain must be the same as the organization name. For example, if the organization name is "testorg.com", then the admin email will need to be formatted like "smith@testorg.com".

  11. Paste the JSON you received when creating the key for the service account.

  12. Select Save.
  13. Select Review and Test.
  14. Review the configuration details and select Test Connection. A successful test is required for SailPoint CIEM to gather data for this source.

    Notes

    • If the test connection fails, you can use the Search query name:"Test_connection Source Failed" for more information.

    • Some GCP asset types are excluded from SailPoint CIEM.

After a successful test connection, you can set the source scope or move on to marking the entitlement types that grant cloud access.
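Before pasting these values into Connection Settings, a local pre-flight check catches the common causes of a failed test connection: an organization ID that is not 10 digits, an admin email whose domain differs from the organization name, or a service account key file that is truncated or not a service-account key. This is an added example, not SailPoint's or Google's code; the sample values are constructed placeholders, and the required-field list is the set of fields found in a Google service account key file.

```python
import json
import re

# Constructed sample inputs mirroring the three CIEM GCP connection fields.
# None of these are real credentials; the private key is a placeholder.
SAMPLE_ORG_NAME = "testorg.com"
SAMPLE_ORG_ID = "1234567890"
SAMPLE_ADMIN_EMAIL = "smith@testorg.com"
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "placeholder-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ciem-reader@placeholder-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Fields present in a service account key file downloaded from Google Cloud.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "client_id", "token_uri")


def check_connection_inputs(org_name, org_id, admin_email, key_json):
    """Return a list of problems found; an empty list means all checks passed."""
    problems = []
    # Step 9: the GCP organization ID is a 10-digit number.
    if not re.fullmatch(r"\d{10}", org_id):
        problems.append("organization ID must be exactly 10 digits")
    # Step 10: the admin email domain must equal the organization name.
    domain = admin_email.rpartition("@")[2].lower()
    if "@" not in admin_email or domain != org_name.lower():
        problems.append(f"admin email domain '{domain}' does not match organization '{org_name}'")
    # Step 11: the pasted key must be complete, well-formed service-account JSON.
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return problems + [f"service account key is not valid JSON: {exc.msg}"]
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if missing:
        problems.append("service account key is missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"key type is '{key.get('type')}', expected 'service_account'")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key does not look like a PEM private key")
    if not str(key.get("client_email", "")).endswith("gserviceaccount.com"):
        problems.append("client_email is not a Google service account address")
    return problems
```

Run the check on the values you intend to paste; any item in the returned list is worth fixing before spending a test-connection attempt on it.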

Setting Source Scope for VA-Based Connections

By default, SailPoint CIEM reads and automatically discovers changes to your cloud infrastructure. If you are using a VA, you can choose to exclude scopes to prevent SailPoint CIEM from including data for those accounts.

When you exclude scopes, SailPoint CIEM will only read and include data from the selected scopes. When Auto-Include Scopes is disabled, new and deleted folders and projects in your cloud system will still be detected, but they will not be automatically included in your SailPoint CIEM data until you select them individually or re-enable Auto-Include Scopes.

To change the scope of your included source data when using a VA-based connector:

  1. In the CIEM GCP source, select Cloud Scopes under Aggregation and Provisioning.
  2. Use the checkboxes to change which accounts are included. Removing a scope disables Auto-Include Scopes.

    List of cloud scopes. 3 are deselected and Auto-Include Scopes is disabled.

  3. Select Save.

Notes

  • You can search for scopes as well as filter by selected and unselected scopes.
  • The Last Refreshed time is when changes to your source inventory were last detected by SailPoint CIEM. This is separate from aggregation.
