Google Workspace (G Suite)
- 3 Minutes To Read
Google Workspace (formerly G Suite) is a collection of cloud computing, productivity, collaboration, device, user, and data management tools developed by Google.
Types of Assets Fetched
This adapter fetches the following types of assets:
To connect Axonius to Google Workspace you need to:
- Email of an admin account to impersonate (required) – The email of your Google Workspace (G Suite) admin.
- JSON Key pair for the service account (required) – Upload the JSON file you have created for your service account. For more details, see the sections below.
- Get OAuth Apps (required, default: False) - Select to fetch the OAuth applications used by each user.
- Fetch Cloud Identity Devices (required, default: False) - Select whether to fetch Cloud Identity devices.
- If enabled, the connection for this adapter will also fetch Cloud Identity devices.
- If disabled, the connection for this adapter will not fetch Cloud Identity devices.
Fetching Cloud Identity devices requires:
- Cloud Identity API enabled.
- Additional privilege to your Google Workspace (G Suite) admin account: https://www.googleapis.com/auth/cloud-identity.devices.readonly
- Fetch Chrome Browsers (required, default: False) - Select whether to fetch Chrome browsers information.
- If enabled, the connection for this adapter will fetch information about Chrome browsers.
- If disabled, the connection for this adapter will not fetch information about Chrome browsers.
Fetching Chrome browsers information requires an additional privilege to your Google Workspace (G Suite) admin account: https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly
- For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.
- Fetch MDM devices (required, default: True) - Select whether to fetch MDM devices from Google Workspace.
- If enabled, all connections for this adapter will fetch MDM devices.
- If disabled, all connections for this adapter will not fetch MDM devices.
For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
Enabling Cloud APIs
To enable the Cloud APIs:
Go to the Google Cloud Console and select the project that you want Axonius to connect to.
Go to APIs & Services -> Dashboard.
Verify the following APIs are listed:
- Admin SDK API - Required the basic data fetch.
- Cloud Identity API - Required only to fetch Cloud Identity devices.
If it does not appear in the list, click Enable APIs and Services at the top of the screen, search for Admin SDK. Then click Enable.
Creating a Service Account
To create a service account:
Go to the Google Cloud Console and select the project that you want to create the service account in.
Go to IAM & admin -> Service accounts.
Click Create Service Account and fill in the details.
In the next tab, continue without setting any roles.
Next, click Create Key and create a JSON type key:
Your JSON key will be downloaded. Finish creating the user and go back to the service accounts screen.
Click on the newly created service account and then click the Edit link in the top.
Click Show Domain-Wide Delegation and select Enable G Suite Domain-wide Delegation.
Click Save to finalize the changes.
Go back to the service accounts list. you can now view the client-id for the service account. Copy it.
Open the G Suite Admin Panel and search for Manage API Client Access, then open it.
In the client name field , specify your client id of the service account. In the One or More API Scopes section, specify these scopes:
- Required scopes:
- Additional scope to fetch OAuth applications:
- Additional scope to fetch Cloud Idendity devices:
- Additional scope to fetch Chrome browsers information: