Google Workspace (G Suite)
Google Workspace Integration Guide
Introduction
Google Workspace (G Suite) is a powerful suite of tools that helps teams collaborate and communicate effectively. It can be integrated with a variety of other tools to streamline workflows and improve efficiency. This guide will walk you through the steps required to integrate Google Workspace with Perimeters.
Available Features
Misconfiguration Rules
Identity Rules
User Inventory
Shadow Application Inventory
Devices Inventory
Shadow Application Rules
Prerequisites
A Google Workspace (G Suite) Business Starter subscription or higher.
A user account within the Google Workspace instance with the required privileges, or a Super Admin account.
Required Privileges
https://www.googleapis.com/auth/userinfo.email
See your primary Google Account email address
https://www.googleapis.com/auth/userinfo.profile
See your personal info, including any personal info you've made publicly available
https://www.googleapis.com/auth/directory.readonly
See your organization's GSuite directory
https://www.googleapis.com/auth/admin.directory.user.readonly
See info about users on your domain
https://www.googleapis.com/auth/admin.directory.user.security
Read permissions for users on your domain
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
View delegated admin roles for your domain
https://www.googleapis.com/auth/admin.directory.group.readonly
View groups on your domain
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
View your mobile devices' metadata
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
View your ChromeOS devices' metadata
https://www.googleapis.com/auth/admin.directory.domain.readonly
View domains related to your customers
https://apps-apis.google.com/a/feeds/domain/
View Google Single Sign On information
https://www.googleapis.com/auth/apps.groups.settings
View the settings of a G Suite group
https://www.googleapis.com/auth/admin.reports.audit.readonly
View audit reports for your G Suite domain
https://www.googleapis.com/auth/gmail.readonly
View your email messages and settings
https://www.googleapis.com/auth/gmail.metadata
View your email message metadata such as labels and headers, but not the email body
Onboarding Google Workspace (G Suite) in your Perimeters account
Go to "Integrations" -> Select "Google Workspace" -> Click "+ Add" -> Click "+ Start Integration".
"OAuth" - Click "Sign in with Google" -> Check all the scopes checkboxes and click on "Continue".
Click "Finish" to complete the onboarding process.
Once you have completed these steps, Google Workspace (G Suite) should be successfully integrated with your Perimeters account.
Note: Perimeters uses and transfers information using Google APIs. It does so in accordance with its privacy policy and in compliance with the Google API Services User Data Policy.
Granting Additional Feature Access
To allow access to users' data without their explicit consent, add scopes in Domain-wide Delegation. Feature details, the scopes each feature requires, and the steps to grant them are outlined below.
Option 1
1) Go to Google Workspace Admin Console -> Security -> Access and data control -> API Controls -> Manage Domain-wide delegation.
2) Click "Add New Client" and add the client ID 101707398122463816262. A Google consent form should be presented to you with a request to grant the required privileges.
3) Examine the permissions and select 'Continue' to grant authorization for your integration.
4) Once done, click on the "Validate" button below to verify the installation.
Misconfiguration Rules
The following scopes give finer misconfiguration insights at the Organizational Unit level.
https://www.googleapis.com/auth/cloud-identity.policies.readonly
Read Configurations
https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly
Read Single Sign On Information
https://www.googleapis.com/auth/admin.directory.orgunit.readonly
Read Organization Units
https://www.googleapis.com/auth/apps.licensing
Read User License Details
Shadow Applications
When a user grants Perimeters.io access to read organisational email metadata, our platform scans the metadata across the entire organization to detect and identify SaaS application usage (also known as Shadow IT). Perimeters.io only accesses email metadata, ensuring the security of the email content.
This process provides visibility into third-party applications being used within the organization, helping IT and security teams authorize and manage these based on potential risks and take corrective action.
https://www.googleapis.com/auth/gmail.metadata
Read Users' Email Metadata
https://www.googleapis.com/auth/admin.directory.user.readonly
Read Directory Users
Shared Data
This is essential in identifying user activity and threats related to data transfers.
https://www.googleapis.com/auth/drive.readonly
Read Drive Files Metadata
https://www.googleapis.com/auth/drive
Modify Files Sharing
https://www.googleapis.com/auth/drive.activity.readonly
Read Drive Files Sharing Changes
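Before (and after) granting a domain-wide delegation client, an admin will want to confirm that exactly the scopes this guide lists are granted and to take a second look at any scope that is not read-only by name (for example https://www.googleapis.com/auth/drive, which the Shared Data section describes as "Modify Files Sharing"). The script below is an added example, not Perimeters' own code: the scope sets are copied from the Required Privileges, Misconfiguration Rules, Shadow Applications and Shared Data sections above, and the "granted" input is a constructed sample of what an admin might paste from Admin Console -> API Controls -> Manage Domain-wide delegation. The read-only classification is a name-based heuristic (".readonly" suffix plus a small allowlist), which is an assumption of this example, not something the page states.

```python
"""Audit a domain-wide delegation grant against the scopes listed in the guide.

Added example (not Perimeters' code).  Scope lists are copied from the page;
the read-only classification is a name-based heuristic used here for triage.
"""
from __future__ import annotations

from typing import Iterable

# Scopes listed under "Required Privileges".
BASELINE_SCOPES = frozenset({
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/directory.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://apps-apis.google.com/a/feeds/domain/",
    "https://www.googleapis.com/auth/apps.groups.settings",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.metadata",
})

# Optional feature scopes from "Granting Additional Feature Access".
FEATURE_SCOPES = {
    "Misconfiguration Rules": frozenset({
        "https://www.googleapis.com/auth/cloud-identity.policies.readonly",
        "https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly",
        "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
        "https://www.googleapis.com/auth/apps.licensing",
    }),
    "Shadow Applications": frozenset({
        "https://www.googleapis.com/auth/gmail.metadata",
        "https://www.googleapis.com/auth/admin.directory.user.readonly",
    }),
    "Shared Data": frozenset({
        "https://www.googleapis.com/auth/drive.readonly",
        "https://www.googleapis.com/auth/drive",
        "https://www.googleapis.com/auth/drive.activity.readonly",
    }),
}

# Heuristic allowlist (assumption of this example): scopes whose name lacks a
# ".readonly" suffix but which only expose profile or message metadata.
KNOWN_READ_SCOPES = frozenset({
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/gmail.metadata",
})


def parse_scope_list(text: str) -> set[str]:
    """Parse scopes as pasted from the Admin Console (comma or newline separated)."""
    return {s.strip() for s in text.replace(",", "\n").splitlines() if s.strip()}


def is_read_scoped(scope: str) -> bool:
    """Name-based heuristic: '.readonly' suffix or an allowlisted metadata scope."""
    return scope.endswith(".readonly") or scope in KNOWN_READ_SCOPES


def expected_scopes(features: Iterable[str]) -> set[str]:
    """Baseline scopes plus the scopes of each enabled optional feature."""
    wanted = set(BASELINE_SCOPES)
    for feature in features:
        wanted |= FEATURE_SCOPES[feature]  # KeyError on an unknown feature name is intended
    return wanted


def audit_grant(granted: set[str], features: Iterable[str]) -> dict[str, set[str]]:
    """Compare a granted scope set with what the enabled features require.

    missing    - required by the guide but not granted (feature will not work)
    unexpected - granted but not listed anywhere in the guide (remove them)
    review     - granted scopes that are not read-only by name (confirm intent)
    """
    expected = expected_scopes(features)
    return {
        "missing": expected - granted,
        "unexpected": granted - expected,
        "review": {s for s in granted if not is_read_scoped(s)},
    }


# Constructed sample: baseline without gmail.readonly, plus Shared Data, plus a
# stray admin.directory.user scope that the guide never asks for.
SAMPLE_GRANT = ",".join(
    sorted((BASELINE_SCOPES - {"https://www.googleapis.com/auth/gmail.readonly"})
           | FEATURE_SCOPES["Shared Data"]
           | {"https://www.googleapis.com/auth/admin.directory.user"})
)


def demo() -> dict[str, set[str]]:
    """Audit the constructed sample with only the Shared Data feature enabled."""
    return audit_grant(parse_scope_list(SAMPLE_GRANT), ["Shared Data"])


if __name__ == "__main__":
    for category, scopes in demo().items():
        print(f"{category}:")
        for scope in sorted(scopes):
            print(f"  {scope}")
```

Paste the client's scope list from the Admin Console into `parse_scope_list`, pass the feature names you actually enabled, and treat a non-empty `unexpected` set as a grant to trim. The `review` set is deliberately noisy: it includes every scope the page describes as read access whose name does not say so (apps.groups.settings, apps.licensing, admin.directory.user.security), so that the decision to keep each one is made explicitly rather than by default.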