Google Workspace Integration with WatchGuard CloudDR

Applies To: WatchGuard CloudDR

Google Workspace (previously named G Suite) is a cloud-based productivity and collaboration suite designed for businesses, educational institutions, and organizations. Google Workspace bundles popular tools such as Gmail, Docs, Drive, Calendar, Meet, and Chat into a subscription service, and features custom email domains, enhanced security, and centralized administration. This guide describes how to integrate Google Workspace with CloudDR.

Available Features

  • Misconfiguration Rules
  • Identity Rules
  • Discovered Application Rules
  • User Inventory
  • Devices Inventory
  • Discovered Application Inventory

Prerequisites

To configure this integration, you must have:

  • A Google Workspace Business Starter subscription or higher.
  • A user account within the Google Workspace instance with the required privileges, or a Super Admin account.

Required Privileges

To configure this integration, you must have these privileges assigned to the user.

Scope Use
https://www.googleapis.com/auth/userinfo.email View your primary Google Account email address
https://www.googleapis.com/auth/userinfo.profile View your personal information, including any personal info you have made publicly available
https://www.googleapis.com/auth/directory.readonly View the Google Workspace directory of your organization
https://www.googleapis.com/auth/admin.directory.user.readonly View information about users on your domain
https://www.googleapis.com/auth/admin.directory.user.security Read permissions for users on your domain
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly View delegated admin roles for your domain
https://www.googleapis.com/auth/admin.directory.group.readonly View groups on your domain
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly View metadata of your mobile devices
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly View metadata of your ChromeOS devices
https://www.googleapis.com/auth/admin.directory.domain.readonly View domains related to your customers
https://apps-apis.google.com/a/feeds/domain/ View Google Single Sign On information
https://www.googleapis.com/auth/apps.groups.settings View the settings of a Google Workspace group
https://www.googleapis.com/auth/admin.reports.audit.readonly View audit reports for your Google Workspace domain

Integration Scopes

These scopes are required if a custom role is used for the integration:

Scope Use
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly Read mobile devices
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly Read ChromeOS devices
https://www.googleapis.com/auth/admin.directory.domain.readonly Read organization domains
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly Read roles
https://www.googleapis.com/auth/admin.directory.user.security Read user OAuth tokens

(Optional) Misconfiguration Scopes

To provide finer misconfiguration insights on an organizational unit level, add these optional misconfiguration scopes:

Scope Use
https://www.googleapis.com/auth/cloud-identity.policies.readonly Read configurations
https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly Read Single Sign On Information
https://www.googleapis.com/auth/admin.directory.orgunit.readonly Read organization units
https://www.googleapis.com/auth/apps.licensing Read user license details

To create a custom role with the required privileges:

  1. Log in to the Google Admin console.
  2. Click the Google Menu icon and select Account > Admin roles.
  3. Click Create new role.
  4. In the Name text box, enter a name.
  5. (Optional) In the Description text box, enter a description that describes the purpose of the role.
  6. From the Privilege Name list, select the check box next to these privileges:
    • Reports
    • User Security Management
    • Organization Units > Read
    • Users > Read
    • Services > Groups for Business > Groups Service Settings
  7. Click Continue.
  8. Review the privileges. Click Create Role.

To assign the custom role:

  1. Click the Google Menu icon and select Directory > Users.
  2. Click the name of the user to open the user account details.
  3. Expand the Admin roles and privileges section.
  4. Next to the custom role, enable Assigned.
  5. Click Save.

Configure the Google Workspace Integration in CloudDR

To integrate Google Workspace with CloudDR:

  1. In WatchGuard Cloud, select Configure > CloudDR.
  2. Select the Integrations tab.
  3. (Service Providers) From the Select Integrations View drop-down list, select Add Integrations.
  4. In the Google Workspace widget, click Add.
  5. Click Start Integration.
  6. On the OAuth page, click Sign in with Google to log in to your Google Admin account.
  7. Click Next.
  8. (Optional) On the Additional Features page, you can configure domain-wide delegation to enable additional features. For more information, go to (Optional) Configure Domain-Wide Delegation.
  9. Click Finish.

Enable Additional Feature Access

To enable CloudDR to access user data without each user's explicit consent, add the scopes in Domain-Wide Delegation.

(Optional) Configure Domain-Wide Delegation

To configure domain-wide delegation:

  1. In the Google Admin console, go to Security > Access and data control > API controls.
  2. In the Domain wide delegation section, click Manage domain wide delegation.

Screenshot of the API controls page in the Google Admin console, Domain-wide delegation section

  3. Click Add new.

Screenshot of the Add a new client ID dialog box

  4. In the Add a new Client ID text box, paste 101707398122463816262 as the Client ID.
  5. In the OAuth scopes (comma-delimited) section, paste these scopes:
    • https://www.googleapis.com/auth/admin.directory.device.mobile.readonly — Read Mobile Devices
    • https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly — Read ChromeOS Devices
    • https://www.googleapis.com/auth/admin.directory.domain.readonly — Read Organization Domains
    • https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly — Read Roles
    • https://www.googleapis.com/auth/admin.directory.user.security — Read User OAuth Tokens
  6. Click Authorize.

Discovered Applications

When a user grants CloudDR access to read organizational email metadata, the platform scans the metadata across the entire organization to detect and identify cloud application usage (known as Shadow IT). CloudDR accesses only email metadata, not message bodies, so the content of email stays private.

This process provides visibility into discovered third-party applications used within the organization and helps IT and security teams authorize and manage potential risks and take corrective action.

Scope Use
https://www.googleapis.com/auth/gmail.metadata Read user email metadata
https://www.googleapis.com/auth/admin.directory.user.readonly Read directory users
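The following script is an added illustration of why the gmail.metadata scope is enough for application discovery; it is not CloudDR's own logic. It assumes message objects shaped like Gmail API users.messages.get responses requested with format=metadata and metadataHeaders=From (selected headers only, no body), counts external sender domains from those headers alone, and skips the organization's own domain. The messages, the internal domain and the .example sender domains are constructed.

```python
"""Count external sender domains from Gmail header metadata only.

Added example, not CloudDR code. Assumes the Gmail API format=metadata
response shape (payload.headers holds the requested headers, no body).
"""
from collections import Counter
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # constructed: the organization's own domain

# Constructed messages; only the From header is present, as with
# metadataHeaders=From. m5 has no From header and m7 is internal mail from a
# subdomain, to show both are handled.
SAMPLE_MESSAGES = [
    {"id": "m1", "payload": {"headers": [
        {"name": "From", "value": "Notes App <team@mail.notes-app.example>"}]}},
    {"id": "m2", "payload": {"headers": [
        {"name": "From", "value": "File Share <no-reply@file-share.example>"}]}},
    {"id": "m3", "payload": {"headers": [
        {"name": "From", "value": "Alice <alice@example.com>"}]}},
    {"id": "m4", "payload": {"headers": [
        {"name": "From", "value": "no-reply@file-share.example"}]}},
    {"id": "m5", "payload": {"headers": [
        {"name": "Subject", "value": "hello"}]}},
    {"id": "m6", "payload": {"headers": [
        {"name": "From", "value": "\"Notes App\" <TEAM@Mail.Notes-App.example>"}]}},
    {"id": "m7", "payload": {"headers": [
        {"name": "From", "value": "HR <hr@payroll.example.com>"}]}},
]


def sender_domain(message):
    """Return the lowercase domain of the From header, or None if the header
    is missing or carries no parsable address."""
    for header in message.get("payload", {}).get("headers", []):
        if header.get("name", "").lower() == "from":
            _, address = parseaddr(header.get("value", ""))
            if "@" in address:
                return address.rsplit("@", 1)[1].lower()
    return None


def is_internal(domain, internal_domain):
    """True for the organization's domain and any of its subdomains."""
    internal_domain = internal_domain.lower()
    return domain == internal_domain or domain.endswith("." + internal_domain)


def discover_app_domains(messages, internal_domain):
    """Count messages per external sender domain; internal mail and messages
    without a usable From header are skipped."""
    counts = Counter()
    for message in messages:
        domain = sender_domain(message)
        if domain and not is_internal(domain, internal_domain):
            counts[domain] += 1
    return counts


if __name__ == "__main__":
    for domain, count in discover_app_domains(SAMPLE_MESSAGES, INTERNAL_DOMAIN).most_common():
        print(f"{domain}: {count} message(s)")
```

Nothing in the script touches a message body or snippet: the From header is the only field read, which is exactly what the metadata-only scope exposes.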

Shared Data

Shared data access is essential to identify user activity and threats related to data transfers.

Scope Use
https://www.googleapis.com/auth/drive.readonly Read drive file metadata
https://www.googleapis.com/auth/drive Modify file sharing
https://www.googleapis.com/auth/drive.activity.readonly Read drive file sharing changes
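The following script is an added example, not WatchGuard code, that serves the scope tables on this page and the domain-wide delegation steps above: it parses the comma-delimited string pasted into the Admin console's OAuth scopes box and compares it with the scope sets listed here, reporting required scopes that are missing (the integration will fail), granted scopes that appear in none of the documented sets (the client ID holds more access than documented), and scopes this page describes as allowing modification. The scope sets are copied from this page; the pasted string is constructed.

```python
"""Review a domain-wide delegation scope list against the scope sets on this
page. Added example, not WatchGuard code; the scope sets are copied from the
page's tables and the sample paste below is constructed."""

GOOGLE_AUTH = "https://www.googleapis.com/auth/"

# "Integration Scopes" table (required when a custom role is used).
INTEGRATION_SCOPES = frozenset({
    GOOGLE_AUTH + "admin.directory.device.mobile.readonly",
    GOOGLE_AUTH + "admin.directory.device.chromeos.readonly",
    GOOGLE_AUTH + "admin.directory.domain.readonly",
    GOOGLE_AUTH + "admin.directory.rolemanagement.readonly",
    GOOGLE_AUTH + "admin.directory.user.security",
})

# "(Optional) Misconfiguration Scopes" table.
MISCONFIGURATION_SCOPES = frozenset({
    GOOGLE_AUTH + "cloud-identity.policies.readonly",
    GOOGLE_AUTH + "cloud-identity.inboundsso.readonly",
    GOOGLE_AUTH + "admin.directory.orgunit.readonly",
    GOOGLE_AUTH + "apps.licensing",
})

# "Discovered Applications" table.
DISCOVERED_APP_SCOPES = frozenset({
    GOOGLE_AUTH + "gmail.metadata",
    GOOGLE_AUTH + "admin.directory.user.readonly",
})

# "Shared Data" table.
SHARED_DATA_SCOPES = frozenset({
    GOOGLE_AUTH + "drive.readonly",
    GOOGLE_AUTH + "drive",
    GOOGLE_AUTH + "drive.activity.readonly",
})

# The one scope on this page whose stated use is a write ("Modify file sharing").
WRITE_SCOPES = frozenset({GOOGLE_AUTH + "drive"})


def parse_scope_list(text):
    """Split the comma-delimited (or newline-delimited) string pasted into the
    Admin console into a set of scope URLs, dropping blanks and whitespace."""
    return {part.strip() for part in text.replace("\n", ",").split(",") if part.strip()}


def review_delegation(granted, required=INTEGRATION_SCOPES, optional=frozenset()):
    """Compare granted scopes with what the integration needs.

    Returns a dict with:
      missing    - required scopes not granted
      unexpected - granted scopes that are neither required nor optional
      write      - granted scopes that allow modification, per this page
    """
    granted = set(granted)
    return {
        "missing": sorted(required - granted),
        "unexpected": sorted(granted - required - optional),
        "write": sorted(granted & WRITE_SCOPES),
    }


# Constructed paste: the admin left out admin.directory.user.security and
# appended the Shared Data scopes.
SAMPLE_PASTE = """
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.activity.readonly
"""


def sample_review():
    """Run the review on the constructed paste above."""
    return review_delegation(parse_scope_list(SAMPLE_PASTE),
                             required=INTEGRATION_SCOPES,
                             optional=SHARED_DATA_SCOPES)


if __name__ == "__main__":
    for key, scopes in sample_review().items():
        print(f"{key}: {', '.join(scopes) or '-'}")
```

Run it against the exact string pasted into the delegation dialog; the write list is the part to revisit during periodic access reviews, since a scope such as drive lets the delegated client change sharing settings rather than only read them.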

Related Topics

About WatchGuard CloudDR Integrations