DATA RECON 2.0.25

Google Apps

The instructions here work for setting up the following Google Apps products as Targets:

  • Google Drive
  • Google Tasks
  • Google Calendars

To add Google Apps as cloud Targets:

  1. Configure Google Apps Account
  2. Add Credentials
  3. Add Target

Configure Google Apps Account

Before you add Google Apps products as Targets, make sure that:

  • You have a Google Apps administrator account for the Target Google Apps domain.
  • The Target is a Google Apps account. Personal Google accounts are not supported.

To configure your Google Apps account for scanning:

  1. Select a project
  2. Enable APIs
  3. Create a Service Account
  4. Set up Domain-Wide Delegation

Select a project

  1. Log into the Google Developers Console.
  2. Click on Select a project ▼. The Select dialog box opens and displays a list of existing projects.

In the Select dialog box, you can:

  • Select an existing project.
  • (Recommended) Create a new project.

To select an existing project:

  1. Click on a project.
  2. Click OPEN.

To create a new project:

  1. Click on +.
  2. In the New Project page, enter your Project name and click Create.

Enable APIs

To scan a specific Google Apps product, enable the API for that product in your project.

To enable Google Apps APIs:

  1. Select a project.
  2. In the project Dashboard, click + ENABLE APIS AND SERVICES. This displays the API Library.
  3. Enable the Admin SDK API.
    1. Under G Suite APIs, click Admin SDK.
    2. Click ENABLE.
  4. Repeat to enable the following APIs:

    Target Google Apps Product    API Library
    Google Drive                  Google Drive API
    Google Tasks                  Tasks API
    Google Calendar               Google Calendar API

Create a Service Account

Create a service account for DATA RECON:

  1. Click on the menu (hamburger icon) on the upper-left corner of the Google Developers Console.
  2. Go to IAM & Admin > Service accounts.
  3. Click + CREATE SERVICE ACCOUNT.
  4. In the Create service account dialog box, enter the following:
    • Service account name: Enter a descriptive label.
    • Role: Select Project > Owner.
    • Service account ID: Enter a name for your service account, or click the refresh button to generate a service account ID. An example service account ID: service-account-634@project_name-1272.iam.gserviceaccount.com
    • Furnish a new private key:
      1. Select Furnish a new private key.
      2. Select P12.
    • Enable G Suite Domain-wide Delegation: Select Enable G Suite Domain-wide Delegation.
  5. Click CREATE. The Service account and key created dialog box displays, and a P12 key is saved to your computer. Keep the P12 key in a secure location.

  6. Click Close.
  7. Write down the newly created service account’s Service account ID and Key ID.

Set up Domain-Wide Delegation

The following is a guide for setting up domain-wide delegation for existing service accounts.

To allow DATA RECON to access your Google Apps domain with the Service Account, you must set up and enable domain-wide delegation for your Service Account.

To set up domain-wide delegation:

  1. Click on the menu (hamburger icon) on the upper-left corner of the Google Developers Console.
  2. Go to API Manager > Credentials.
  3. On the Credentials page, under OAuth 2.0 client IDs, go to the entry for your service account and take note of the Client ID.

  4. Go to the Google Admin Console. In the Admin Console, click on Security.
  5. On the Security page, click Show more.
  6. Click on Advanced settings to expand it.
  7. Under Authentication, click Manage API client access.
  8. In Manage API client access, enter:
    1. Client Name: Your Service account Client ID (For example, 116877825065678775170).
    2. One or More API Scopes: For each Google Apps product that you wish to scan, you must apply a different API Scope.
      The following is a list of API Scopes required for DATA RECON to work with each Google Apps service:

      Google Apps service    API Scope
      All (required)         https://www.googleapis.com/auth/admin.directory.user.readonly
      Google Drive           https://www.googleapis.com/auth/drive.readonly
      Google Tasks           https://www.googleapis.com/auth/tasks.readonly
      Google Calendar        https://www.googleapis.com/auth/calendar.readonly
    3. Click Authorize.
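
One way to check a scope list against the table above before authorizing it, as an added example that is not part of DATA RECON or its documentation. The function name `audit_delegation` is hypothetical, and the script assumes the scopes are entered as one comma-separated string.

```python
# Added example: audit the values for one "Manage API client access" entry.
PREFIX = "https://www.googleapis.com/auth/"
REQUIRED = PREFIX + "admin.directory.user.readonly"   # "All (required)" on this page
PRODUCT_SCOPES = {                                    # per-product scopes from this page
    "Google Drive": PREFIX + "drive.readonly",
    "Google Tasks": PREFIX + "tasks.readonly",
    "Google Calendar": PREFIX + "calendar.readonly",
}

def audit_delegation(client_id, scope_field):
    """Return (scannable_products, findings) for one API client access entry."""
    findings = []
    if not client_id.isdigit():
        findings.append("client name is not a numeric Client ID")
    # Assumption: scopes are entered as one comma-separated string.
    scopes = [s.strip() for s in scope_field.split(",") if s.strip()]
    seen = set()
    for s in scopes:
        if s in seen:
            findings.append(f"duplicate scope: {s}")
        seen.add(s)
        if not s.startswith(PREFIX):
            findings.append(f"not a Google API scope URL: {s}")
        elif not s.endswith(".readonly"):
            findings.append(f"not a read-only scope: {s}")
        elif s != REQUIRED and s not in PRODUCT_SCOPES.values():
            findings.append(f"not listed for DATA RECON: {s}")
    if REQUIRED not in seen:
        findings.append(f"missing required scope: {REQUIRED}")
    # A product is scannable only when its scope and the required scope are both granted.
    products = [p for p, s in PRODUCT_SCOPES.items()
                if s in seen and REQUIRED in seen]
    return products, findings

# Constructed sample inputs; the Client ID is the example value shown on this page.
GOOD = ", ".join([REQUIRED, PRODUCT_SCOPES["Google Drive"], PRODUCT_SCOPES["Google Tasks"]])
WEAK = PREFIX + "drive, " + PREFIX + "calendar.readonly"

if __name__ == "__main__":
    for label, field in (("good", GOOD), ("weak", WEAK)):
        products, findings = audit_delegation("116877825065678775170", field)
        print(label, products, findings)
```

An empty findings list means the entry grants only the read-only scopes listed in the table above.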

Add Credentials

  1. In the main menu, click on No usernames or passwords.

  2. In the Search target credentials dialog box, click + Add and select one of the following Target types:
    • Google Docs
    • Google Tasks
    • Google Calendars
  3. Fill in the following fields:
    • Target location: Enter the Google Apps domain.
    • Username: Enter a Google Apps domain administrator email address.

    • Password: Leave blank.
  4. Click + Add again, and select the same Target type.
  5. Fill in the following fields:
    • Target location: Enter the Google Apps domain used in step 2.
    • Username: Enter the service account name obtained in Create a Service Account.
    • Password: Enter the file name of the P12 key obtained in Create a Service Account. The P12 key must be saved in the same folder as the DATA RECON executable.
  6. (Optional) Under Encrypt credentials enter a master password to encrypt stored credentials.

    Credentials are only saved if:
  7. Click Ok.

Add Target

  1. In the main menu, click on Search all local files.
  2. In the Search targets dialog box, click + Add and select Cloud Storage.
  3. Select one of the following and click + to expand the selection:
    • Google Drive
    • Google Tasks
    • Google Calendars
  4. In the Add Google Apps domain field, enter the Google Apps domain name.

  5. Press Enter to add the specified Google Apps domain as a Target.
  6. (Optional) Click + to expand the added Target and select specific objects to scan.
  7. Click Select and then Ok to finish adding the Google Target.