To create the connection between G-Suite and vScope you need a super admin account in G-Suite. In this step-by-step guide we’ll walk through how to create a project with sufficient read permissions in G-Suite, that’s to be added to vScope to inventory your G-Suite directory.
Adding G Suite allows you to view user accounts, groups and devices in vScope.
Part 1 – Creating a project & service account on Google Cloud Platform
a) Log in to cloud.google.com/console with the super admin account. Click Create Project.
b) Choose a project name, vScope for example. The location is where on the domain you put the project. Try to place the project as high as possible in the domain for the best data quality.
c) With the project created it’s time to create a credential. Go to the navigation menu in the top left corner and go to “API & Services” and click on “Credentials”.
d) Click on “+Create Credentials” and choose “Service account”.
e) Service account details – Enter your preferred details for the service account.
f) Service account permissions – Select the role “Owner”.
g) Access to the service account – Click on “+Create Key” and choose the key type JSON. You will automatically download the key file after you click create. Click on Done.
Part 2 – Set up OAuth for the application
a) With the credential in place it’s time to set up the permissions. In the credentials view there’s now a new option available. Click on the “Configure Consent Screen” button.
b) OAuth consent screen 1 – Choose the “Internal” option and click create.
c) OAuth consent screen 2 -> All that’s needed in this view is an Application name. Enter your preferred name and scroll down and save.
Part 3 – Enable domain-wide delegation for the service account
a) Go back to the Credentials view.
b) Click on the service account email (hyperlinked) and enter its settings.
c) Expand the “Domain-Wide Delegation” options and check the box to enable G Suite Domain-wide Delegation. Don’t forget to save the new settings.
Step 4 – Set up the API permissions
a) With the application and service account correctly set up it’s time to grant it the required API permissions. Open the menu and navigate to APIs & Services -> Library.
b) Search for “admin sdk” in the library and click on it.
c) Enable the API permission by clicking on “Enable”.
Step 5 – Set up API client access
a) Navigate to admin.google.com and enter the Security section.
c) Click on “Manage API client access”.
d) Copy and paste the client ID from the key (in the document opened in NotePad earlier) as “Client Name” and copy+paste the following rows as “One or More API Scopes”. Make sure that they are separated by commas.
e) Now go back to the Security section and scroll down to “API Permission”.
g) Now click on the “Add app” dropdown menu.
Step 6 – Enter the credentials into vScope
Done! All that’s left to do is to enter the credentials into vScope and inventory your G-Suite directory.
a) Go to Discovery Manager -> Credentials and click on G-Suite.
b) Enter the credentials required:
- Service Account Email – Found in the key document from step 1.i
- Service Account User – Impersonated person, an email that should be an admin in G-Suite
- Domain – The G-Suite domain
- Private Key – Found in the key document from step 1.i
Don’t hesitate to contact our Support at firstname.lastname@example.org. They are happy to help!