Google Workspace (G Suite)

Google Workspace (formerly G Suite) is a collection of cloud computing, productivity, collaboration, device, user, and data management tools developed by Google.

Types of Assets Fetched

This adapter fetches the following types of assets:

• Devices
• Users
  
  

Prerequisites

To connect Axonius to Google Workspace you need to:

1. Enable Cloud APIs
2. Create a service account and grant permissions to that service account

Parameters

1. Email of an admin account to impersonate (required) – The email of your Google Workspace (G Suite) admin.
2. JSON Key pair for the service account (required) – Upload the JSON file you have created for your service account. For more details, see the sections below.
3. Get OAuth Apps - Select to fetch the OAuth applications used by each user.

4. Fetch Cloud Identity Devices - Select whether to fetch Cloud Identity devices.
   • If enabled, the connection for this adapter will also fetch Cloud Identity devices.
   • If disabled, the connection for this adapter will not fetch Cloud Identity devices.
   Note:

   Fetching Cloud Identity devices requires:

   • Cloud Identity API enabled.
   • Additional privilege to your Google Workspace (G Suite) admin account: https://www.googleapis.com/auth/cloud-identity.devices.readonly
5. Fetch Chrome Browsers - Select whether to fetch Chrome browsers information.
   • If enabled, the connection for this adapter will fetch information about Chrome browsers.
   • If disabled, the connection for this adapter will not fetch information about Chrome browsers.
   Note:

   Fetching Chrome browsers information requires an additional privilege to your Google Workspace (G Suite) admin account: https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly

6. Fetch Calendars - Select whether to fetch users' calendars.
7. To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

1. Fetch MDM devices (required, default: true) - Select this option to fetch Mobile devices and ChromeOS devices from Google Workspace.

2. Cloud Identity prefer device with recent last seen if duplicated asset name - Select whether in cases that more than one device with the same asset name is fetched from the Cloud Identify, the device with the most recent last seen will be saved under that asset name.

   • If enabled, all connections for this adapter will not save all devices with the same asset name, only the device with the most recent last seen.
   • If disabled, all connections for this adapter will save all devices with the same asset names.

3. Fetch user groups - Select whether to fetch user group memberships for each user from Google Workspace.

   • If enabled, all connections for this adapter will fetch user group memberships for each user.
   • If disabled, all connections for this adapter will not fetch user group memberships for each user.
   Note:

   Fetching user group memberships requires an additional privilege to your Google Workspace (G Suite) admin account: https://www.googleapis.com/auth/admin.directory.group.readonly

4. Ignore Cloud Identity devices without serial - Select whether to ignore devices coming from Cloud Identity without Serial Numbers.
5. Do not fetch disabled User Accounts (optional) - Select whether to exclude disabled user accounts from the fetch.

Enabling Cloud APIs

To enable the Cloud APIs

1. Go to the Google Cloud Console and select the project that you want Axonius to connect to.

2. Go to APIs & Services -> Dashboard.
   

3. Verify the following APIs are listed:

   • Admin SDK API - Required for the basic data fetch.
   • Cloud Identity API - Required only to fetch Cloud Identity devices.
   • Google Calendar API - Required to fetch Google Calendar data.

If Admin SDK does not appear in the list, click Enable APIs and Services at the top of the screen, search for Admin SDK. Then click Enable.

Creating a Service Account

To create a service account

1. Go to the Google Cloud Console and select the project that you want to create the service account in.

2. Go to IAM & admin -> Service accounts.
   

3. Click Create Service Account and fill in the details.
   

4. In the next tab, continue without setting any roles.
   

5. Click Create Key and create a JSON type key:
   

6. Your JSON key will be downloaded. Finish creating the user and go back to the service accounts screen.

7. Click on the newly created service account and then click the Edit link at the top.

8. Click Show Domain-Wide Delegation and select Enable G Suite Domain-wide Delegation.

9. Click Save to finalize the changes.
   

10. Go back to the service accounts list. You can now view the client-id for the service account. Copy it.

11. Open the G Suite Admin Panel and search for Manage API Client Access, then open it.

12. In the client name field, specify the client id of your service account. In the One or More API Scopes section, specify these scopes:

    • Required scopes:

    https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
    

    • Additional scope to fetch OAuth applications:

    https://www.googleapis.com/auth/admin.directory.user.security
    

    • Additional scope to fetch Cloud Identity devices:

    https://www.googleapis.com/auth/cloud-identity.devices.readonly
    

    • Additional scope to fetch Chrome browsers information:

    https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly
    

    • Additional scope to fetch user group memberships:

    https://www.googleapis.com/auth/admin.directory.group.readonly
    

    • Additional scope to fetch Google Calendar:

    https://www.googleapis.com/auth/calendar
    

    

13. Click Authorize.