In this article, we'll walk you through how to add Google Drive and Gmail as Cloud Content Sources in your Secure & Govern tenant.

Scanning Google Drive covers all content in user and team drives and provides some remediation options for unpermitted sensitive content.

Scanning Gmail covers content in emails and attachments sent to, from, and between mailboxes within your Google Workspace instance. Many regulatory compliance policies apply to email. Furthermore, email is a common medium through which sensitive information is shared, and Egnyte can discover the most sensitive discussions happening over email.

Note that the steps for connecting Google Drive and Gmail are almost identical. The exception is the step where domain-wide delegation is configured, where a different set of OAuth scopes is required. You can use the same service account for both Gmail and Google Drive; simply ensure you add both sets of OAuth scopes when configuring domain-wide delegation. If you have already set up one source, you can use the same service account with the other source by extending the list of API scopes available to the service account with the required additional scopes.

Prerequisites for setting up Google Drive and/or Gmail

  • GSuite domain with super-admin privileges

Overview

Configure service account

  • Go to the service accounts management screen (IAM & Admin -> Service Accounts). It should display the list of already configured service accounts.
  • Create a new service account and proceed through the creation wizard.

  • Choose a name and description for the service account. Select the defaults on the subsequent screens.

  • Create a private key for the service account. The key will have to be exported to P12 format and downloaded to the local hard drive.

  • Enable domain-wide delegation for the service account (switch to Edit mode first at the top of the page)

  • Record the service account client ID and email from the details view in the service accounts list.

  • Click "Save"

Enable the APIs in Google Cloud Console

  • Go to APIs & Services -> Dashboard to view the summary of currently used APIs
  • For Google Drive Classification, ensure that the Google Drive API and Admin SDK are visible and enabled in the list (if not, choose the option to enable them). For Gmail Classification, ensure that the Gmail API and Admin SDK are visible and enabled (if not, choose the option to enable them).

Configure domain-wide delegation

  • Go to the GSuite Admin console at https://admin.google.com
  • Log in as a user with the Super Admin role.
  • (Optional) Create a dedicated user for the Egnyte connection. Alternatively, you can use the user account with which you logged in.

  • Ensure that the user has the Super Admin role. If not, assign the required role.

  • Go to Dashboard -> Security -> API Permissions

  • Navigate to Domain-Wide delegation configuration

  • Add a new API client corresponding to the service account created in the previous steps.

  • As a result, the client should be visible in the list.

Add the Google Drive or Gmail content source in Egnyte

  • In the Protect Admin Panel, go to Settings -> Content Sources -> Add Cloud Source and select Google Drive or Gmail, depending on which source you're adding.
  • Enter the source configuration. Service account email is the email of the service account configured in the previous steps. It can be obtained by clicking on View Client ID in the service accounts list in the Google Cloud console.
  • Service account user is the GSuite user who has the Super Admin role. It is either the user account by which the GSuite domain is managed or a dedicated account for the Egnyte connection.
  • File with private key is the private key generated for the service account and saved to the local drive. It has to be saved in P12 format.

  • Allow the connector to communicate with Secure and Govern

  • When the process is complete, you should see confirmation that the source was connected successfully.
