Enterprise Recon 2.8.0

Google Workspace

Overview

The instructions here work for setting up the following Google Workspace products as Targets:

  • Google Drive
  • Google Tasks
  • Google Calendar
  • Google Mail

To set up Google Workspace products as Targets:

  1. Configure Google Workspace Account
  2. Set Up and Scan a Google Workspace Target

To scan a specific path in Google Workspace, see Edit Google Workspace Target Path.

Licensing

For Sitewide Licenses, all scanned Google Workspace Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Google Workspace Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Requirements Description
Proxy Agent
  • Proxy Agent host with direct Internet access.
Recommended Proxy Agents:
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
  • macOS Agent
TCP Allowed Connections Port 443

Configure Google Workspace Account

Before you add Google Workspace products as Targets, you must have:

  • A Google Workspace administrator account for the Target Google Workspace domain.
  • A Google Workspace account. Personal Google accounts are not supported in ER2.

To configure your Google Workspace account for scanning:

Select a Project

  1. Log in to the Google API Console.
  2. From the projects list, select a project to scan with ER2.
    1. Select an existing project, or
    2. (recommended) Create a new project.

Enable APIs

To scan a specific Google Workspace product, enable the API for that product in your selected project.

To enable Google Workspace APIs:

  1. Select a Project.
  2. In the APIs & Services page, click + ENABLE APIS AND SERVICES.
  3. In the API Library page, search for and click ENABLE for the following APIs:

    Target Google Workspace Product    API Library
    All                                Admin SDK API
    Google Mail                        Gmail API
    Google Drive                       Google Drive API
    Google Tasks                       Tasks API
    Google Calendar                    Google Calendar API

Create a Service Account

Before adding Google Workspace products as a Target, you must create a Google service account for use with ER2. The service account must have the required permissions to allow ER2 to authenticate and access (scan) the resources in your Google Workspace domain.

To create a service account for use with ER2:

  1. Log in to the Google Cloud Console.
  2. From the projects list, select the project that you want to scan with ER2.
  3. Click the hamburger icon to expand the navigation menu and go to IAM & Admin > Service Accounts.
  4. Click + CREATE SERVICE ACCOUNT.
  5. In the Service account details section, fill in the following fields:

    Field Description
    Service account name

    Enter a descriptive name for the service account.

    Example: enterprise-recon-sa

    (Optional) Service account ID

    Edit the default ID for the service account, or click the button to generate a service account ID.

    Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com

    (Optional) Description Provide a description for the new service account.
  6. Click CREATE AND CONTINUE.
  7. In the Grant this service account access to the project section, click on the Select a role dropdown and select Project > Owner.
  8. Click CONTINUE and DONE.
  9. Back in the Service accounts page, click on the newly created service account.
  10. In the DETAILS tab, take down the:
  11. In the KEYS tab, click ADD KEY > Create new key.
  12. In the Create private key for '<service account>' dialog box, select "P12" Key type and click CREATE.
  13. Save the created P12 private key file to a secure location on your computer. This is required when you want to Set Up and Scan a Google Workspace Target.

  14. Click Close.

Set up Domain-Wide Delegation

To allow ER2 to access your Google Workspace domain with the Service Account, you must set up and enable domain-wide delegation after creating a service account.

To set up domain-wide delegation:

  1. Log in to the Google Admin Console.
  2. Click the hamburger icon to expand the navigation menu and go to Security > Access and data control > API controls.
  3. Click MANAGE DOMAIN WIDE DELEGATION and Add New.
  4. In the Client ID field, enter the Unique ID or OAuth 2 Client ID (e.g. 123456789012345678901) for the service account. See Create a Service Account - Step 10 for more information.
  5. In the OAuth scopes (comma-delimited) field, enter a comma-separated list of Google API scopes for each Google Workspace service that you want to scan with ER2.

    Google Workspace service    Google API OAuth 2.0 Scope
    All (required)              https://www.googleapis.com/auth/admin.directory.user.readonly
    Google Mail                 https://mail.google.com/
    Google Drive                https://www.googleapis.com/auth/drive.readonly
    Google Tasks                https://www.googleapis.com/auth/tasks.readonly
    Google Calendar             https://www.googleapis.com/auth/calendar.readonly

    Example (Google Mail and Google Drive):
    https://www.googleapis.com/auth/admin.directory.user.readonly, https://mail.google.com/, https://www.googleapis.com/auth/drive.readonly

  6. Click Authorize.
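
To review a delegation entry against the scope table above, the following added example (not part of ER2 or its documentation) parses the comma-delimited scopes field and reports scopes that are missing, unexpected, or not read-only for the products you intend to scan. The function names and the sample entry are constructed for illustration.

```python
# Added example: audit a domain-wide delegation scope string against the
# scopes this page lists for each Google Workspace product.
REQUIRED = "https://www.googleapis.com/auth/admin.directory.user.readonly"
PRODUCT_SCOPES = {
    "Google Mail": "https://mail.google.com/",
    "Google Drive": "https://www.googleapis.com/auth/drive.readonly",
    "Google Tasks": "https://www.googleapis.com/auth/tasks.readonly",
    "Google Calendar": "https://www.googleapis.com/auth/calendar.readonly",
}

def parse_scopes(field):
    """Split the comma-delimited field, dropping blanks and duplicates."""
    seen = []
    for item in field.split(","):
        scope = item.strip()
        if scope and scope not in seen:
            seen.append(scope)
    return seen

def expected_scopes(products):
    """Scope list for the chosen products, required scope first."""
    unknown = [p for p in products if p not in PRODUCT_SCOPES]
    if unknown:
        raise ValueError(f"not a product on this page: {unknown}")
    return [REQUIRED] + [PRODUCT_SCOPES[p] for p in PRODUCT_SCOPES if p in products]

def audit(field, products):
    """Compare what was authorized with what the chosen products need."""
    granted = parse_scopes(field)
    wanted = expected_scopes(products)
    return {
        "missing": [s for s in wanted if s not in granted],
        "unexpected": [s for s in granted if s not in wanted],
        # The page's read-only scopes end in .readonly; flag anything else.
        "not_read_only": [s for s in granted if not s.endswith(".readonly")],
        "field_value": ", ".join(wanted),
    }

# Constructed sample: Mail and Drive were intended, but the entry also
# carries a Calendar scope and lacks the required directory scope.
SAMPLE = ("https://mail.google.com/, "
          "https://www.googleapis.com/auth/drive.readonly,"
          "https://www.googleapis.com/auth/calendar.readonly,")

if __name__ == "__main__":
    for key, value in audit(SAMPLE, ["Google Mail", "Google Drive"]).items():
        print(key, value)
```

Of the scopes in the table, only https://mail.google.com/ lacks the .readonly suffix, so an entry that includes Google Mail always appears under not_read_only.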

Set Up and Scan a Google Workspace Target

  1. Configure Google Workspace Account.
  2. From the New Scan page, Add Targets.
  3. In the Select Target Type dialog box, click on Google Workspace and select one of the following Google Workspace products:
    • Google Drive
    • Google Tasks
    • Google Calendar
    • Google Mail
  4. Fill in the following fields:

    Field Description
    Google Workspace Domain

    Enter the Google Workspace domain you want to scan.

    For more information on how to scan specific mailboxes or accounts, see Edit Google Workspace Target Path.

    New Credential Label Enter a descriptive label for the Google Workspace credential set.
    New Username

    Enter your Google Workspace administrator account email address.

    Example: admin@example.com

    New Password

    Enter your Google Workspace service account email address.

    Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com

    See Create a Service Account - Step 10 for more information.

    Private Key

    Upload the private key (*.p12) associated with the Google Workspace service account.

    See Create a Service Account - Step 13 for more information.

    Agent to act as a proxy host Select a Proxy Agent host with direct Internet access.
  5. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.
  7. (Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan.

  8. Click Next.
  9. On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
  10. On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.

  11. Click Next.
  12. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Edit Google Workspace Target Path

  1. Set Up and Scan a Google Workspace Target.
  2. In the Select Locations section, select the Google Workspace Target location and click Edit.
  3. In the Edit Google Workspace Location dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

    Path                      Syntax
    User account              <user_name>
    Folder in user account    <user_name/folder_name>
  4. Click Test and then Commit to save the path to the Target location.