How to integrate Google Workspace with vScope

To create the connection between Google Workspace and vScope you need a super admin account in Google Workspace. This step-by-step guide walks through how to create a project with sufficient read permissions in Google Workspace and add it to vScope to inventory your Google Workspace directory.

Adding Google Workspace allows you to view user accounts, groups and devices in vScope.

Step 1 – Creating a project & service account on Google Cloud Platform

a) Log in to cloud.google.com/console with the super admin account. Click Create Project.

b) Choose a project name, vScope for example. The location determines where in the domain the project is placed. Try to place the project as high as possible in the domain for the best data quality.

c) With the project created it’s time to create a credential. Open the navigation menu in the top left corner, go to “APIs & Services” and click on “Credentials”.

d) Click on “+Create Credentials” and choose “Service account”.

e) Service account details – Enter your preferred details for the service account.

f) Service account permissions – Select the role “Owner”.

g) Set yourself as service account admin.

h) Access to the service account – Click on your service account in the Credentials view.

Scroll down to Keys and click on “Add key” and create a new key.

Create the key as JSON.

i) Place the key somewhere safe and open it with Notepad. You’ll need these values later, more specifically “private_key”, “client_email” and “client_id”.

Step 2 – Set up OAuth for the application

a) With the credential in place it’s time to set up the permissions. In the credentials view there’s now a new option available. Click on the “Configure Consent Screen” button.

b) OAuth consent screen 1 – Choose the “Internal” option and click create.

c) OAuth consent screen 2 – All that’s needed in this view is an Application name. Enter your preferred name, scroll down and save.

Step 3 – Enable domain-wide delegation for the service account

a) Go back to the Credentials view.

b) Click on the service account email (hyperlinked) and enter its settings.

c) Expand the “Domain-Wide Delegation” options and check the box to enable G Suite Domain-wide Delegation. Don’t forget to save the new settings.

Step 4 – Set up the API permissions

a) With the application and service account correctly set up it’s time to grant it the required API permissions. Open the menu and navigate to APIs & Services -> Library.

b) Search for “admin sdk” in the library and click on it.

c) Enable the API permission by clicking on “Enable”.

Service Account and API Propagation Time
Please bear in mind that after creating the service account and enabling the APIs, there may be a propagation delay before they can be used.

Step 5 – Set up API client access

a) Navigate to admin.google.com and enter the Security section.

b) Scroll down and open the API controls.

c) Scroll down to the Domain Wide Delegation section and click on “Manage domain wide delegation”.

Click on “Add new”.

d) Copy and paste the client ID from the key (the document opened in Notepad earlier) as “Client Name”, and copy and paste the following rows as “One or More API Scopes”. Make sure that they are separated by commas.

https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly

Click “Authorize”.
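
The key file from step 1.i and the scope list from step 5.d can be checked offline before the values are pasted into the admin console and vScope. The following Python is an added example, not part of vScope or of the original guide; the function names and the sample key are constructed for illustration. It never prints the private key and lists any scope whose name does not end in .readonly so it can be reviewed before authorizing.

```python
import json

# Scopes from step 5.d of this guide.
BASE = "https://www.googleapis.com/auth/admin.directory."
GUIDE_SCOPES = [BASE + s for s in (
    "user.readonly", "group.readonly", "device.chromeos.readonly",
    "orgunit.readonly", "user.security", "device.mobile.readonly")]
REQUIRED_FIELDS = ("client_email", "client_id", "private_key")

# Constructed sample key with placeholder values (not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "vscope@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})


def summarize_key(key_json):
    """Return the non-secret values needed later; never echo the private key."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    if "BEGIN PRIVATE KEY" not in key["private_key"]:
        raise ValueError("private_key is not PEM-encoded")
    return {"client_email": key["client_email"], "client_id": key["client_id"]}


def scope_field(scopes=GUIDE_SCOPES):
    """Build the comma-separated value for the 'One or More API Scopes' field."""
    cleaned = [s.strip().rstrip(",") for s in scopes if s.strip()]
    for s in cleaned:
        if not s.startswith("https://www.googleapis.com/auth/"):
            raise ValueError("unexpected scope: " + s)
    return ",".join(dict.fromkeys(cleaned))  # de-duplicate, keep order


def not_read_only(scopes=GUIDE_SCOPES):
    """Scopes whose name does not end in .readonly, to review before authorizing."""
    return [s for s in scopes if not s.rstrip(", ").endswith(".readonly")]


if __name__ == "__main__":
    print(summarize_key(SAMPLE_KEY))
    print(scope_field())
    print("review before authorizing:", not_read_only())
```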

Step 6 – Enter the credentials into vScope

Done! All that’s left to do is to enter the credentials into vScope and inventory your Google Workspace directory.

a) Go to Discovery Manager -> Credentials and click on Google Workspace.

b) Enter the credentials required:

  • Service Account Email – Found in the key document from step 1.i
  • Service Account User – The user to impersonate: the email address of an account that is an admin in Google Workspace
  • Domain – The Google Workspace domain
  • Private Key – Found in the key document from step 1.i

Done!

Need help?

Don’t hesitate to contact our Support at support@infrasightlabs.com. They are happy to help!
