Enterprise Recon Cloud 2.12.0

How To Scan Google Workspace

Overview

The instructions here work for setting up the following Google Workspace products as Targets:

  • Google Drive
  • Google Tasks
  • Google Calendar
  • Google Mail

To set up Google Workspace products as Targets:

  1. Configure Google Workspace Account
  2. Set Up and Scan a Google Workspace Target

To scan a specific path in Google Workspace, refer to Edit Google Workspace Target Path.

Licensing

For Sitewide Licenses, all scanned Google Workspace Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Google Workspace Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Requirement               Description
Proxy Agent               • Proxy Agent host with direct Internet access.
                          Recommended Proxy Agents:
                            • Windows Agent with database runtime components
                            • Windows Agent
                            • Linux Agent with database runtime components
                            • Linux Agent
                            • macOS Agent
TCP Allowed Connections   Port 443

Configure Google Workspace Account

Before you add Google Workspace products as Targets, you must have:

  • A Google Workspace administrator account for the Target Google Workspace domain.
  • A Google Workspace account. Personal Google accounts are not supported in ER Cloud.

To configure your Google Workspace account for scanning:

Select a Project

  1. Log in to the Google API Console.
  2. From the projects list, select a project to scan with ER Cloud.
    1. Select an existing project, or
    2. (recommended) Create a new project.

Enable APIs

To scan a specific Google Workspace product, enable the API for that product in your selected project.

To enable Google Workspace APIs:

  1. Select a Project.
  2. In the APIs & Services page, click + ENABLE APIS AND SERVICES.
  3. In the API Library page, search for and click ENABLE for the following APIs:

    Target Google Workspace Product   API Library
    All                               Admin SDK API
    Google Mail                       Gmail API
    Google Drive                      Google Drive API
    Google Tasks                      Tasks API
    Google Calendar                   Google Calendar API

Create a Service Account

Before adding Google Workspace products as a Target, you must create a Google service account for use with ER Cloud. The service account must have the permissions that ER Cloud requires to authenticate and to access (scan) the resources in your Google Workspace domain.

To create a service account for use with ER Cloud:

  1. Log in to the Google Cloud Console.
  2. From the projects list, select the project that you want to scan with ER Cloud.
  3. Click the hamburger icon to expand the navigation menu and go to IAM & Admin > Service Accounts.
  4. Click + CREATE SERVICE ACCOUNT.
  5. In the Service account details section, fill in the following fields:

    Field                           Description
    Service account name            Enter a descriptive name for the service account.
                                    Example: enterprise-recon-sa
    (Optional) Service account ID   Edit the default ID for the service account, or click the button to generate a service account ID.
                                    Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com
    (Optional) Description          Provide a description for the new service account.
  6. Click CREATE AND CONTINUE.
  7. In the Grant this service account access to the project section, click on the Select a role dropdown and select Project > Owner.
  8. Click CONTINUE and DONE.
  9. Back in the Service accounts page, click on the newly created service account.
  10. In the DETAILS tab, note the:
    • Email for the service account (e.g. enterprise-recon-sa@project-id.iam.gserviceaccount.com). This is required when you set up and scan a Google Workspace Target. Refer to Set Up and Scan a Google Workspace Target.
    • Unique ID (or OAuth 2 Client ID) for the service account (e.g. 123456789012345678901). This is required when you set up domain-wide delegation. Refer to Set up Domain-Wide Delegation.
  11. In the KEYS tab, click ADD KEY > Create new key.
  12. In the Create private key for '<service account>' dialog box, select "P12" Key type and click CREATE.
  13. Save the created P12 private key file to a secure location on your computer. This is required when you set up and scan a Google Workspace Target. Refer to Set Up and Scan a Google Workspace Target.

  14. Click Close.

Set up Domain-Wide Delegation

To allow ER Cloud to access your Google Workspace domain with the Service Account, you must set up and enable domain-wide delegation after creating a service account.

To set up domain-wide delegation:

  1. Log in to the Google Admin Console.
  2. Click the hamburger icon to expand the navigation menu and go to Security > Access and data control > API controls.
  3. Click MANAGE DOMAIN WIDE DELEGATION and Add New.
  4. In the Client ID field, enter the Unique ID or OAuth 2 Client ID (e.g. 123456789012345678901) for the service account. For more information, refer to step 10 of Create a Service Account.
  5. In the OAuth scopes (comma-delimited) field, enter a comma-separated list of Google API scopes for each Google Workspace service that you want to scan with ER Cloud.

    Google Workspace service   Google API OAuth 2.0 Scope
    All (required)             https://www.googleapis.com/auth/admin.directory.user.readonly
    Google Mail                https://mail.google.com/
    Google Drive               https://www.googleapis.com/auth/drive.readonly
    Google Tasks               https://www.googleapis.com/auth/tasks.readonly
    Google Calendar            https://www.googleapis.com/auth/calendar.readonly

    Example:
    https://www.googleapis.com/auth/admin.directory.user.readonly, https://mail.google.com/, https://www.googleapis.com/auth/drive.readonly

  6. Click Authorize.

Set Up and Scan a Google Workspace Target

  1. Configure Google Workspace Account.
  2. From the New Scan page, add Targets. Refer to the Add Targets section.
  3. In the Select Target Type dialog box, click on Google Workspace and select one of the following Google Workspace products:
    • Google Drive
    • Google Tasks
    • Google Calendar
    • Google Mail
  4. Fill in the following fields:

    Field                          Description
    Google Workspace Domain        Enter the Google Workspace domain you want to scan.
                                   For more information on how to scan specific mailboxes or accounts, refer to Edit Google Workspace Target Path.
    New Credential Label           Enter a descriptive label for the Google Workspace credential set.
    New Username                   Enter your Google Workspace administrator account email address.
                                   Example: admin@example.com
    New Password                   Enter your Google Workspace service account email address.
                                   Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com
                                   For more information, refer to step 10 of Create a Service Account.
    Private Key                    Upload the private key (*.p12) associated with the Google Workspace service account.
                                   For more information, refer to step 13 of Create a Service Account.
    Agent to act as a proxy host   Select a Proxy Agent host with direct Internet access.
  5. Click Test. If ER Cloud can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.
  7. (Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan. Refer to Probe Targets in the Start a Scan section.

  8. Click Next.
  9. On the Select Data Types page, select the data type profiles to be included in your scan (refer to the Use Data Type Profile section) and click Next.
  10. On the Set Schedule page, configure the parameters for your scan. For more information, refer to Set Schedule in the Start a Scan section.

  11. Click Next.
  12. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Edit Google Workspace Target Path

  1. Set Up and Scan a Google Workspace Target.
  2. In the Select Locations section, select the Google Workspace Target location and click Edit.
  3. In the Edit Google Workspace Location dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

    Path                     Syntax
    User account             <user_name>
    Folder in user account   <user_name/folder_name>
  4. Click Test and then Commit to save the path to the Target location.