Configure Google Drive for the Next Generation API Data Protection
Important
* Google Drive app is now available on the Next Generation API Data Protection platform. Please note the following important points:
If you currently use the classic version of the Google Drive app, no action required. You should continue to use the classic version that you use today. Netskope will notify you via a banner message on the Netskope tenant UI when you can switch over to the Next Generation apps.
If you currently do not use the classic version of the Google Drive app, Netskope will make the app available to you in phases. To check if the app is available on your Netskope tenant, follow the instruction below:
Log in to your Netskope tenant and navigate to Settings > API-enabled Protection > SaaS > Next Gen.
If you see the Google Drive app listed, you are eligible to configure the app on the Next Generation API Data Protection platform.
If you do not see the app, stay tuned, the app will be made available in due course. In the meanwhile, you can continue to set up the app available under Settings > API-enabled Protection > SaaS > Classic.
To configure Google Drive for the Next Generation API Data Protection, follow the instructions below.
Prerequisite
Before configuring Google Drive for the Next Generation API Data Protection, review the prerequisites.
A Google Workspace with Business Standard or Business Plus edition license.
A Google super admin account to create a custom role and user for Netskope integration.
Ensure that Google Drive is available across all organizational units of your google account. To check, log in to admin.google.com using your Google super admin account and then navigate to Apps > Google Workspace > Drive and Docs and ensure that Service status is set to ON for everyone.
Create and Assign Custom Role for Netskope
If you do not plan to use the Google super admin account, you can create a custom role and assign the role to a user to grant access to Next Generation API Data Protection. You can grant privileges / scopes using the default Google super admin role or by creating a custom role exclusively for the Netskope integration. This section describes the steps to create a custom role for Netskope.
Log in to admin.google.com as a super admin.
Click the triple bar on the top-left corner of the home page and navigate to Account > Admin roles.
Click Create new role.
Enter a name and description for the role and click CONTINUE.
Select privilege for the role:
Note
Netskope does not recommend removing the following privileges. Any removal may result in failure of API calls and policy processing.
Admin console privileges:
The admin console privileges are automatically assigned when a new role is created in Google Workspace. The level of access provided to this role in the admin console depends on what permissions are provided for this role. Here is a list of privileges Netskope requires:
Privileges
Needed for
Domain Settings
This privilege is required to list the domains under the Google workspace. Netskope uses the domains list to determine if a user is internal or external.
Reports
This privilege is required for polling changes.
Services > Drive and Docs > Settings
(all 5 privileges)
This privilege is to enable the Google drive admin setting.
Admin API privileges:
The admin API privileges are required to make any API calls.
Privileges
Needed for
Domain Management
This privilege is required to list the domains under the Google workspace. Netskope uses the domains list to determine if a user is internal or external.
Groups > Read
This privilege is required to get group information.
Users > Read
This privilege is required to get user information.
Click CONTINUE, and then click CREATE ROLE.
Once you have created the custom role, you can assign the role to a user. To assign the role to account, navigate to Directory > Users, click the user account, navigate to Admin roles and privileges, and assign the role you created above. The user can then authorize Netskope to grant access to your Google Drive instance.
Grant Scopes to the Netskope Service Account
This section describes the steps required to register the Netskope web application and API client with Google to enable access to data in Google Drive.
Log in to admin.google.com as a super admin.
Navigate to Security > Access and data control > API controls.
On the API controls page, under Domain wide delegation, click Manage Domain Wide Delegation.
Click Add new.
A new pop-up opens.
For Client ID, enter
108196482611215472250
.For OAuth scopes, enter the following scopes:
Note
Enter one scope per line.
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/drive
Click Authorize.
Verify the steps above by checking if the Netskope for Google app appears in the API clients list.
Configure Google Drive Instance in Netskope UI
To authorize Netskope to access your Google Drive instance, follow the steps below:
Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and go to Settings > API-enabled Protection > SaaS > Next Gen .
Under Apps, select Google Drive and click Setup Google Drive Instance.
The Setup Instance window opens.
Under API Admin Email, enter the Google account email of the super admin or a user with a custom role (see Create and Assign Custom Role for Netskope.
Click Grant Access. You will be prompted to log in using a super admin or a user with a custom role and password, and then click Sign In. When the configuration results page opens, click Close.
Refresh your browser and you will see a green check icon next to the instance name.
Next, you can view the Next Generation API Data Protection Inventory page to get deep insights on various entities on your Google Drive account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.
You can receive audit events and standard user behavior analytic alerts in Skope IT. To know more: Next Generation API Data Protection Skope IT Events.
Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.