Enterprise Recon 2.13.0
Google Workspace
This section covers the following topics:
- Overview
- Licensing
- Requirements
- Configure Google Workspace Account
- Set Up and Scan a Google Workspace Target
- Edit Google Workspace Target Path
Overview
The instructions here work for setting up the following Google Workspace products as Targets:
- Google Drive
    - Shared drives
- Google Tasks
- Google Calendar
- Google Mail
To set up Google Workspace products as Targets:
To scan a specific path in Google Workspace, see Edit Google Workspace Target Path.
Licensing
For Sitewide Licenses, all scanned Google Workspace Targets consume data from the Sitewide License data allowance limit.
For Non-Sitewide Licenses, Google Workspace Targets require Client Licenses, and consume data from the Client License data allowance limit.
See Target Licenses for more information.
Requirements
| Requirements | Description | 
|---|---|
| Proxy Agent |  | 
| TCP Allowed Connections | Port 443 | 
Configure Google Workspace Account
Before you add Google Workspace products as Targets, you must have:
- A Google Workspace administrator account for the Target Google Workspace domain.
- A Google Workspace account. Personal Google accounts are not supported in ER2.
To configure your Google Workspace account for scanning:
Select a Project
- Log in to the Google API Console.
- From the projects list, select a project to scan with ER2.
    - Select an existing project, or
    - (recommended) Create a new project.
Enable APIs
To scan a specific Google Workspace product, enable the API for that product in your selected project.
To enable Google Workspace APIs:
- Select a Project.
- In the APIs & Services page, click + ENABLE APIS AND SERVICES.
- In the API Library page, search for and click ENABLE for the following APIs:

| Target Google Workspace Product | API Library | 
|---|---|
| All | Admin SDK API | 
| Google Mail | Gmail API | 
| Google Drive | Google Drive API | 
| Google Tasks | Tasks API | 
| Google Calendar | Google Calendar API | 
Create a Service Account
Before adding Google Workspace products as a Target, you must create a Google service account for use with ER2. The service account must have the required permissions to allow ER2 to authenticate and access (scan) the resources in your Google Workspace workspace.
To create a service account for use with ER2:
- Log in to the Google Cloud Console.
- From the projects list, select the project that you want to scan with ER2.
- Click the hamburger icon to expand the navigation menu and go to IAM & Admin > Service Accounts.
- Click + CREATE SERVICE ACCOUNT.
- In the Service account details section, fill in the following fields:

| Field | Description | 
|---|---|
| Service account name | Enter a descriptive name for the service account. Example: enterprise-recon-sa | 
| (Optional) Service account ID | Edit the default ID for the service account, or click the button to generate a service account ID. Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com | 
| (Optional) Description | Provide a description for the new service account. | 
- Click CREATE AND CONTINUE.
- In the Grant this service account access to the project section, click on the Select a role dropdown and select Project > Owner.
- Click CONTINUE and DONE.
- Back in the Service accounts page, click on the newly created service account.
- In the DETAILS tab, take down the:
    - Email for the service account (e.g. enterprise-recon-sa@project-id.iam.gserviceaccount.com). This is required when you want to Set Up and Scan a Google Workspace Target.
    - Unique ID (or OAuth 2 Client ID) for the service account (e.g. 123456789012345678901). This is required when you Set up Domain-Wide Delegation.
- In the KEYS tab, click ADD KEY > Create new key.
- In the Create private key for '<service account>' dialog box, select "P12" Key type and click CREATE.
- Save the created P12 private key file to a secure location on your computer. This is required when you want to Set Up and Scan a Google Workspace Target. The dialog box displays the private key's password: notasecret. ER2 does not need you to remember this password.
- Click Close.
Set up Domain-Wide Delegation
To allow ER2 to access your Google Workspace domain with the Service Account, you must set up and enable domain-wide delegation after creating a service account.
To set up domain-wide delegation:
- Log in to the Google Admin Console.
- Click the hamburger icon to expand the navigation menu and go to Security > Access and data control > API controls.
- Click MANAGE DOMAIN WIDE DELEGATION and Add New.
- In the Client ID field, enter the Unique ID or OAuth 2 Client ID (e.g. 123456789012345678901) for the service account. See Create a Service Account - Step 10 for more information.
- In the OAuth scopes (comma-delimited) field, enter a comma-separated list of Google API scopes for each Google Workspace service that you want to scan with ER2.

| Google Workspace service | Google API OAuth 2.0 Scope | 
|---|---|
| All (required) | https://www.googleapis.com/auth/admin.directory.user.readonly | 
| Google Mail | https://mail.google.com/ | 
| Google Drive | https://www.googleapis.com/auth/drive.readonly | 
| Google Tasks | https://www.googleapis.com/auth/tasks.readonly | 
| Google Calendar | https://www.googleapis.com/auth/calendar.readonly | 

    Example: https://www.googleapis.com/auth/admin.directory.user.readonly, https://mail.google.com/, https://www.googleapis.com/auth/drive.readonly
- Click Authorize.
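The scope field above decides what the service account can reach across the whole domain, so it is worth generating it from the list of products you actually scan and re-checking an existing delegation entry against that list. The following is an added example, not part of the ER2 product or documentation; the scope URLs come from the table on this page, while the function names and the sample entry are hypothetical.

```python
# Added example, not vendor code. Scope URLs are copied from the table on this
# page; the function names and the sample entry are hypothetical/constructed.
REQUIRED = "https://www.googleapis.com/auth/admin.directory.user.readonly"
PRODUCT_SCOPES = {
    "Google Mail": "https://mail.google.com/",
    "Google Drive": "https://www.googleapis.com/auth/drive.readonly",
    "Google Tasks": "https://www.googleapis.com/auth/tasks.readonly",
    "Google Calendar": "https://www.googleapis.com/auth/calendar.readonly",
}


def build_scope_field(products):
    """Return the comma-delimited OAuth scopes value for the chosen products."""
    unknown = [p for p in products if p not in PRODUCT_SCOPES]
    if unknown:
        raise ValueError(f"no scope listed for: {unknown}")
    scopes = [REQUIRED]  # the directory scope is listed as required for all
    for product in products:
        if PRODUCT_SCOPES[product] not in scopes:  # skip duplicates
            scopes.append(PRODUCT_SCOPES[product])
    return ", ".join(scopes)


def audit_scope_field(field, intended_products):
    """Compare an authorized scope string with the products meant to be scanned."""
    granted = {s.strip() for s in field.split(",") if s.strip()}
    wanted = {REQUIRED} | {PRODUCT_SCOPES[p] for p in intended_products}
    return {
        "missing": sorted(wanted - granted),  # needed per the table, not granted
        "excess": sorted(granted - wanted),   # delegated but not needed
        "not_read_only": sorted(s for s in granted if not s.endswith(".readonly")),
    }


if __name__ == "__main__":
    print(build_scope_field(["Google Mail", "Google Drive"]))
    # Constructed delegation entry for a deployment that only scans Google Drive.
    entry = ("https://www.googleapis.com/auth/drive.readonly,"
             "https://mail.google.com/ , "
             "https://www.googleapis.com/auth/calendar.readonly")
    for finding, scopes in audit_scope_field(entry, ["Google Drive"]).items():
        print(finding, scopes)
```

Of the scopes listed on this page, only the Google Mail scope is not a `.readonly` scope, so the audit reports it separately whenever it is delegated.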
Set Up and Scan a Google Workspace Target
- Configure Google Workspace Account.
- From the New Scan page, Add Targets.
- In the Select Target Type dialog box, click on Google Workspace and select one of the following Google Workspace products:
    - Google Drive
    - Google Tasks
    - Google Calendar
    - Google Mail

    To add and scan Shared drives, select Google Drive.
- Fill in the following fields:

| Field | Description | 
|---|---|
| Google Workspace Domain | Enter the Google Workspace domain you want to scan. If your Google Workspace administrator email is admin@example.com, your Google Workspace domain is example.com. For more information on how to scan specific mailboxes, accounts, or Shared drive files and folders, see Edit Google Workspace Target Path. | 
| New Credential Label | Enter a descriptive label for the Google Workspace credential set. | 
| New Username | Enter your Google Workspace administrator account email address. Example: admin@example.com. Use the same administrator account used to Enable APIs and Set up Domain-Wide Delegation. | 
| New Password | Enter your Google Workspace service account email address. Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com. See Create a Service Account - Step 10 for more information. | 
| Private Key | Upload the private key (*.p12) associated with the Google Workspace service account. See Create a Service Account - Step 13 for more information. | 
| Agent to act as a proxy host | Select a Proxy Agent host with direct Internet access. | 
- Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
- (Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan.
- Click Next.
- On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
- On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.
- Click Next.
- On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.
Edit Google Workspace Target Path
- Set Up and Scan a Google Workspace Target.
- In the Select Locations section, select the Google Workspace Target location and click Edit.
- In the Edit Google Workspace Location dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

| Path | Syntax | 
|---|---|
| User account | <user_name> | 
| Folder in user account | <user_name/folder_name> | 
| Shared drives | Shared Drives/<shared_drive_name> | 
| Folder or subfolder in Shared drives | Shared Drives/<shared_drive_name>/<folder_name> or Shared Drives/<shared_drive_name>/<folder_name>/<subfolder_name> | 
| File in folder or subfolder of Shared drives | Shared Drives/<shared_drive_name>/<folder_name>/<file_name> or Shared Drives/<shared_drive_name>/<folder_name>/<subfolder_name>/<file_name> | 

    To scan the user mailbox at user_name@example.com, enter user_name. To scan the "Inbox" folder in the user mailbox user_name@example.com, enter user_name/inbox; to scan the "Sent Mail" folder, enter user_name/sent.
- Click Test and then Commit to save the path to the Target location.