DATA RECON 2.0.25

Google Apps

The instructions here work for setting up the following Google Apps products as Targets:

  • Google Drive
  • Google Tasks
  • Google Calendars

To add Google Apps as cloud Targets:

  1. Configure Google Apps Account
  2. Add Credentials
  3. Add Target

Configure Google Apps Account

Before you add Google Apps products as Targets, you must have:

  • A Google Apps administrator account for the Target Google Apps domain.
  • A Target that is a Google Apps account. Personal Google accounts are not supported.

To configure your Google Apps account for scanning:

  1. Select a project
  2. Enable APIs
  3. Create a Service Account
  4. Set up Domain-Wide Delegation

Select a project

  1. Log into the Google Developers Console.
  2. Click on Select a project ▼. The Select dialog box opens and displays a list of existing projects.

In the Select dialog box, you can:

  • Select an existing project.
  • (Recommended) Create a new project.

To select an existing project:

  1. Click on a project.
  2. Click OPEN.

To create a new project:

  1. Click on +.
  2. In the New Project page, enter your Project name and click Create.

Enable APIs

To scan a specific Google Apps product, enable the API for that product in your project.

To enable Google Apps APIs:

  1. Select a project.
  2. In the project Dashboard, click + ENABLE APIS AND SERVICES. This displays the API Library.
  3. Enable the Admin SDK API.
    1. Under G Suite APIs, click Admin SDK.
    2. Click ENABLE.
  4. Repeat to enable the following APIs:

    Target Google Apps Product    API Library
    Google Drive                  Google Drive API
    Google Tasks                  Tasks API
    Google Calendar               Google Calendar API

Create a Service Account

Create a service account for DATA RECON:

  1. Click on the hamburger menu (☰) on the upper-left corner of the Google Developers Console.
  2. Go to IAM & Admin > Service accounts.
  3. Click + CREATE SERVICE ACCOUNT.
  4. In the Create service account dialog box, enter the following:
    • Service account name: Enter a descriptive label.
    • Role: Select Project > Owner.
    • Service account ID: Enter a name for your service account, or click the refresh button to generate a service account ID. An example service account ID: service-account-634@project_name-1272.iam.gserviceaccount.com
    • Furnish a new private key:
      1. Select Furnish a new private key.
      2. Select P12.
    • Enable G Suite Domain-wide Delegation: Select Enable G Suite Domain-wide Delegation.
  5. Click CREATE. The Service account and key created dialog box displays, and a P12 key is saved to your computer. Keep the P12 key in a secure location.

  6. Click Close.
  7. Write down the newly created service account’s Service account ID and Key ID.

Set up Domain-Wide Delegation

The following is a guide for setting up domain-wide delegation for existing service accounts.

To allow DATA RECON to access your Google Apps domain with the Service Account, you must set up and enable domain-wide delegation for your Service Account.

To set up domain-wide delegation:

  1. Click on the hamburger menu (☰) on the upper-left corner of the Google Developers Console.
  2. Go to API Manager > Credentials.
  3. On the Credentials page, under OAuth 2.0 client IDs, go to the entry for your service account and take note of the Client ID.
  4. Go to the Google Apps Admin Console. In the Admin Console, click on Security.
  5. On the Security page, click Show more.
  6. Click on Advanced settings to expand it.
  7. Under Authentication, click Manage API client access.
  8. In Manage API client access, enter:
    1. Client Name: Your Service account Client ID (For example, 116877825065678775170).
    2. One or More API Scopes: For each Google Apps product that you wish to scan, you must apply a different API Scope.
      The following is a list of API Scopes required for DATA RECON to work with each Google Apps service:

      Google Apps service    API Scope
      All (required)         https://www.googleapis.com/auth/admin.directory.user.readonly
      Google Drive           https://www.googleapis.com/auth/drive.readonly
      Google Tasks           https://www.googleapis.com/auth/tasks.readonly
      Google Calendar        https://www.googleapis.com/auth/calendar.readonly
    3. Click Authorize.
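
A least-privilege check for the delegation entry above, as an added example that is not part of DATA RECON or of this guide's own material: it builds the comma-delimited scope value from the scope table and compares an existing grant against it. The function names and the sample grant are constructed for illustration; the scope URLs and the example Client ID are the ones shown on this page.

```python
# Added example. Scope values are copied from the table above; the grant
# passed to audit_grant() below is constructed sample data.
BASE = "https://www.googleapis.com/auth/"
REQUIRED_SCOPE = BASE + "admin.directory.user.readonly"  # "All (required)"
PRODUCT_SCOPES = {
    "Google Drive": BASE + "drive.readonly",
    "Google Tasks": BASE + "tasks.readonly",
    "Google Calendar": BASE + "calendar.readonly",
}
ALLOWED = {REQUIRED_SCOPE, *PRODUCT_SCOPES.values()}


def scopes_field(products):
    """Build the comma-delimited value for 'One or More API Scopes'."""
    unknown = [p for p in products if p not in PRODUCT_SCOPES]
    if unknown:
        raise ValueError("no scope listed for: " + ", ".join(unknown))
    ordered = [REQUIRED_SCOPE]
    for product in products:
        if PRODUCT_SCOPES[product] not in ordered:
            ordered.append(PRODUCT_SCOPES[product])
    return ",".join(ordered)


def audit_grant(client_id, granted_field, products):
    """Compare what is authorized for a Client ID with what scanning needs."""
    granted = {s.strip() for s in granted_field.split(",") if s.strip()}
    needed = set(scopes_field(products).split(","))
    return {
        "client_id": client_id,
        "missing": sorted(needed - granted),              # scan will fail
        "unneeded": sorted((granted & ALLOWED) - needed),  # product not scanned
        "excess": sorted(granted - ALLOWED),              # broader than read-only
    }


# Constructed sample: the full Drive scope was typed instead of the
# read-only one, and Calendar was granted although only Drive is scanned.
SAMPLE = audit_grant(
    "116877825065678775170",
    ", ".join([REQUIRED_SCOPE, BASE + "drive", BASE + "calendar.readonly"]),
    ["Google Drive"],
)

if __name__ == "__main__":
    print(scopes_field(["Google Drive", "Google Tasks"]))
    for key in ("missing", "unneeded", "excess"):
        print(key, SAMPLE[key])
```

Any scope reported under "excess" gives the service account more than read-only access across the whole domain and should be removed from the client's entry.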

Add Credentials

  1. In the main menu, click on No usernames or passwords.
  2. Click + Add and select one of the following Target types:
    • Google Docs
    • Google Tasks
    • Google Calendars
  3. Fill in the following fields:
    • Target location: Enter the Google Apps domain.
    • Username: Enter a Google Apps domain administrator email address.

    • Password: Leave blank.
  4. Click + Add again, and select the same Target type.
  5. Fill in the following fields:
    • Target location: Enter the Google Apps domain used in step 2.
    • Username: Enter the service account name obtained in Create a Service Account.
    • Password: Enter the file name of the P12 key obtained in Create a Service Account. The P12 key must be saved in the same folder as the DATA RECON executable.
  6. (Optional) Under Encrypt credentials enter a master password to encrypt stored credentials.
    Credentials are only saved if:
  7. Click Ok.

Add Target

  1. In the main menu, click on Search all local files.
  2. In the Search targets dialog box, click + Add and select Cloud Storage.
  3. Select one of the following and click + to expand the selection:
    • Google Drive
    • Google Tasks
    • Google Calendars
  4. In the Add Google Apps domain field, enter the Google Apps domain name.

  5. Press Enter to add the specified Google Apps domain as a Target.
  6. (Optional) Click + to expand the added Target and select specific objects to scan.
  7. Click Select and then Ok to finish adding the Google Target.