Google Workspace (G Suite)

Google Workspace Integration Guide

Introduction

Google Workspace (G Suite) is a powerful suite of tools that helps teams collaborate and communicate effectively. It can be integrated with a variety of other tools to streamline workflows and improve efficiency. This guide will walk you through the steps required to integrate Google Workspace with Perimeters.

Available Features

  • Misconfiguration Rules

  • Identity Rules

  • User Inventory

  • Shadow Application Inventory

  • Devices Inventory

  • Shadow Application Rules

Prerequisites

  • A Google Workspace (G Suite) Business Starter subscription or higher.

  • A user account within the Google Workspace instance with the required privileges, or a Super Admin account.

Required Privileges

| Scope | Use |
| --- | --- |
| https://www.googleapis.com/auth/userinfo.email | See your primary Google Account email address |
| https://www.googleapis.com/auth/userinfo.profile | See your personal info, including any personal info you've made publicly available |
| https://www.googleapis.com/auth/directory.readonly | See your organization's GSuite directory |
| https://www.googleapis.com/auth/admin.directory.user.readonly | See info about users on your domain |
| https://www.googleapis.com/auth/admin.directory.user.security | Read permissions for users on your domain |
| https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly | View delegated admin roles for your domain |
| https://www.googleapis.com/auth/admin.directory.group.readonly | View groups on your domain |
| https://www.googleapis.com/auth/admin.directory.device.mobile.readonly | View your mobile devices' metadata |
| https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly | View your ChromeOS devices' metadata |
| https://www.googleapis.com/auth/admin.directory.domain.readonly | View domains related to your customers |
| https://apps-apis.google.com/a/feeds/domain/ | View Google Single Sign On information |
| https://www.googleapis.com/auth/apps.groups.settings | View the settings of a G Suite group |
| https://www.googleapis.com/auth/admin.reports.audit.readonly | View audit reports for your G Suite domain |
| https://www.googleapis.com/auth/gmail.readonly | View your email messages and settings |
| https://www.googleapis.com/auth/gmail.metadata | View your email message metadata such as labels and headers, but not the email body |

Onboarding Google Workspace (G Suite) in your Perimeters account

  1. Go to "Integrations" -> Select "Google Workspace" -> Click "+ Add" -> Click "+ Start Integration".

  2. "OAuth" - Click "Sign in with Google" -> Check all the scopes checkboxes and click on "Continue".

  3. Click "Finish" to complete the onboarding process.

Once you have completed these steps, Google Workspace (G Suite) should be successfully integrated with your Perimeters account.

Note: Perimeters uses and transfers information using Google APIs. It does so in accordance with its privacy policy and in compliance with the Google API Services User Data Policy.

Granting Additional Feature Access

To allow access to users' data without their explicit consent, add scopes in Domain Wide Delegation. Feature details, required scopes, and steps are outlined below.

Option 1

1) Go to Google Workspace Admin Console -> Security -> Access and data control -> API Controls -> Manage Domain-wide delegation.

2) Click "Add New Client". A Google consent form should be presented to you with a request to grant the required privileges. Add the client ID 101707398122463816262.

3) Examine the permissions and select 'Continue' to grant authorization for your integration.

4) Once done, click on the "Validate" button below to verify the installation.

Misconfiguration Rules

The following scopes give finer misconfiguration insights on an Organization Unit level.

| Scope | Use |
| --- | --- |
| https://www.googleapis.com/auth/cloud-identity.policies.readonly | Read Configurations |
| https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly | Read Single Sign On Information |
| https://www.googleapis.com/auth/admin.directory.orgunit.readonly | Read Organization Units |
| https://www.googleapis.com/auth/apps.licensing | Read User License Details |

Shadow Applications

When a user grants Perimeters.io access to read organisational email metadata, our platform scans the metadata across the entire organization to detect and identify SaaS application usage (also known as Shadow IT). Perimeters.io only accesses email metadata, ensuring the security of the email content.

This process provides visibility into third-party applications being used within the organization, helping IT and security teams authorize and manage these based on potential risks and take corrective action.

| Scope | Use |
| --- | --- |
| https://www.googleapis.com/auth/gmail.metadata | Read Users' Email Metadata |
| https://www.googleapis.com/auth/admin.directory.user.readonly | Read Directory Users |

Shared Data

These scopes are essential for identifying user activity and threats related to data transfers.

| Scope | Use |
| --- | --- |
| https://www.googleapis.com/auth/drive.readonly | Read Drive Files Metadata |
| https://www.googleapis.com/auth/drive | Modify Files Sharing |
| https://www.googleapis.com/auth/drive.activity.readonly | Read Drive Files Sharing Changes |
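
An added example, not Perimeters' own code: a way to review the comma-delimited scope list entered for the domain-wide delegation client against the per-feature scopes documented above. The function names and the sample grant string are constructed for illustration, and the read-only check is a heuristic based on the scope name only.

```python
AUTH = "https://www.googleapis.com/auth/"

# Scopes per optional feature, copied from the tables in this guide.
DOCUMENTED = {
    "Misconfiguration Rules": {
        AUTH + "cloud-identity.policies.readonly",
        AUTH + "cloud-identity.inboundsso.readonly",
        AUTH + "admin.directory.orgunit.readonly",
        AUTH + "apps.licensing",
    },
    "Shadow Applications": {
        AUTH + "gmail.metadata",
        AUTH + "admin.directory.user.readonly",
    },
    "Shared Data": {
        AUTH + "drive.readonly",
        AUTH + "drive",
        AUTH + "drive.activity.readonly",
    },
}

# Constructed sample of a delegation entry's scope field (not real tenant data).
SAMPLE_GRANT = ", ".join([
    AUTH + "gmail.metadata",
    AUTH + "admin.directory.user.readonly",
    AUTH + "drive.readonly",
    AUTH + "drive",
    AUTH + "gmail.readonly",  # extra scope, not documented for these two features
])

def is_read_limited(scope):
    """Heuristic: the scope name itself declares read-only or metadata-only access."""
    name = scope.rstrip("/").rsplit("/", 1)[-1]
    return name.endswith(".readonly") or name.endswith(".metadata")

def audit_grant(granted_csv, enabled_features):
    """Compare a delegation scope list with the scopes documented for the enabled features."""
    granted = {s.strip() for s in granted_csv.split(",") if s.strip()}
    expected = set().union(*(DOCUMENTED[f] for f in enabled_features))
    return {
        "missing": sorted(expected - granted),          # feature will not work fully
        "undocumented": sorted(granted - expected),     # broader than the guide asks for
        "not_read_limited": sorted(s for s in granted if not is_read_limited(s)),
    }

if __name__ == "__main__":
    print(audit_grant(SAMPLE_GRANT, ["Shadow Applications", "Shared Data"]))
```

Scopes reported under "undocumented" or "not_read_limited" are the ones to justify before approving the delegation; here the unrestricted drive scope is expected only because the Shared Data feature modifies file sharing.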
