To connect Google Workspace to vScope you need a super admin account in Google Workspace. This step-by-step guide walks through creating a project with sufficient read permissions in Google Workspace, which is then added to vScope to inventory your Google Workspace directory.
Adding Google Workspace allows you to view user accounts, groups and devices in vScope.
Part 1 – Creating a project & service account on Google Cloud Platform
a) Log in to cloud.google.com/console with the super admin account. Click Create Project.
b) Choose a project name, vScope for example. The location determines where in the domain the project is placed. Try to place the project as high as possible in the domain for the best data quality.
c) With the project created it’s time to create a credential. Go to the navigation menu in the top left corner and go to “API & Services” and click on “Credentials”.
d) Click on “+Create Credentials” and choose “Service account”.
e) Service account details – Enter your preferred details for the service account.
f) Service account permissions – Select the role “Owner”.
g) Set yourself as service account admin.
h) Access to the service account – Click on your service account in the Credentials view.
Scroll down to Keys and click on “Add key” and create a new key.
Create the key as JSON.
i) Place the key somewhere safe and open it with Notepad. You’ll need these values later, specifically “private_key”, “client_email” and “client_id”.
Part 2 – Set up OAuth for the application
a) With the credential in place it’s time to set up the permissions. In the credentials view there’s now a new option available. Click on the “Configure Consent Screen” button.
b) OAuth consent screen 1 – Choose the “Internal” option and click create.
c) OAuth consent screen 2 – All that’s needed in this view is an Application name. Enter your preferred name, scroll down and save.
Part 3 – Enable domain-wide delegation for the service account and add API scopes
a) Go to the Admin Console; make sure you have super admin privileges to access this view. Click the drawer icon at the top left and select Show More > Security > Access and data control > API controls.
b) Scroll down to the Domain Wide Delegation section and click on “Manage domain wide delegation”.
d) Copy and paste the client ID from the key (in the document opened in NotePad earlier) as “Client Name” and copy+paste the following rows as “One or More API Scopes”. Make sure that they are separated by commas.
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
Click “Authorize”.
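An added check, not part of vScope or the original guide, covering the JSON key from Part 1 and the scope list above: it reports key files readable beyond their owner, missing key fields, and any delegated scope without the “.readonly” suffix. It assumes a POSIX file system and the standard field names of a Google service account key; the sample key is constructed with placeholder values.

```python
import json
import os
import stat
import tempfile

# Scope list copied from Part 3 of this guide (comma-separated, as pasted).
SCOPES = """https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly"""

def parse_scopes(raw):
    """Split the comma-separated value into individual scope URLs."""
    return [s.strip() for s in raw.split(",") if s.strip()]

def non_readonly(scopes):
    """Return scopes whose name does not end in .readonly, for review."""
    return [s for s in scopes if not s.endswith(".readonly")]

def check_key_file(path):
    """Return a list of problems with a service account JSON key file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)  # POSIX permission bits
    if mode & 0o077:
        problems.append(f"mode {mode:o}: accessible by group or others")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    for field in ("client_email", "client_id", "private_key"):
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM block")
    return problems

if __name__ == "__main__":
    # Constructed sample key with placeholder values, not a real credential.
    sample = {"type": "service_account", "client_id": "000000000000000000000",
              "client_email": "vscope@example-project.iam.gserviceaccount.com",
              "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(sample, fh)
    os.chmod(fh.name, 0o644)  # deliberately too permissive for the demo
    print(check_key_file(fh.name))
    print(non_readonly(parse_scopes(SCOPES)))
    os.unlink(fh.name)
```

Run against this guide’s list, `non_readonly` returns only https://www.googleapis.com/auth/admin.directory.user.security, which is the scope to look at when auditing what the delegation grants.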
Part 4 – Enable API permissions
a) With the application, service account, and API scopes correctly set up it’s time to grant it the required API permissions. Open the menu and navigate to APIs & Services -> Library.
b) Search for “admin sdk” in the library and click on it.
c) Enable the API permission by clicking on “Enable”.
Service Account and API Propagation Time
Please bear in mind that after creating the service account and enabling the APIs, there may be a propagation delay before they can be used.
Part 5 – Enter the credentials into vScope
Done! All that’s left to do is to enter the credentials into vScope and inventory your Google Workspace directory.
a) Go to Discovery Manager -> Credentials and click on Google Workspace.
b) Enter the credentials required:
- Service Account Email – Found in the key document from step 1.i
- Service Account User – The impersonated user: the email address of an account that is an admin in Google Workspace
- Domain – The Google Workspace domain
- Private Key – Found in the key document from step 1.i
Done!
Need help?
Don’t hesitate to contact our Support at support@infrasightlabs.com. They are happy to help!