Configure Google Calendar for the Next Generation API Data Protection

To configure Google Calendar for the Next Generation API Data Protection, follow the instructions below.

Prerequisite

Before configuring Google Calendar for the Next Generation API Data Protection, review the prerequisites.

A Google Workspace with Business Standard, Business Plus, or Enterprise edition licenses.
Ensure that the Google Calendar is available across all organizational units of your google account. To check, log in to admin.google.com using your Google super admin account and then navigate to Apps > Google Workspace > Calendar and ensure that the Service status is set to ON for everyone.
A Google super admin account to create a custom role and user for Netskope integration.
If you have guest or external users in your SaaS environment belonging to domains considered internal, you must set the appropriate internal domains for Netskope to classify exposure accurately. To set up internal domains, follow this article.

Create and Assign Custom Role for Netskope

If you do not plan to use the Google super admin account, you can create a custom role and assign the role to a user to grant access to Next Generation API Data Protection. You can grant privileges / scopes using the default Google super admin role or by creating a custom role exclusively for the Netskope integration. This section describes the steps to create a custom role for Netskope.

Log in to admin.google.com as a super admin.
Click the triple bar on the top-left corner of the home page and navigate to Account > Admin roles.
Click Create new role.
Enter a name and description for the role and click CONTINUE.

Select privilege for the role:

Netskope does not recommend removing the following privileges. Any removal may result in failure of API calls and policy processing.

Admin console privileges:

The admin console privileges are automatically assigned when a new role is created in Google Workspace. The level of access provided to this role in the admin console depends on what permissions are provided for this role. Here is a list of privileges Netskope requires:

Privileges	Needed for
Domain Settings	This privilege is required to list the domains under the Google workspace. Netskope use the domains list to determine whether a user is internal or external.
Reports	This privilege is required for polling changes.

Admin API privileges:

Privileges	Needed for
Domain Management	This privilege is required to list the domains under the Google workspace. Netskope uses the domains list to determine if a user is internal or external.
Groups > Read	This privilege is required to get group information.
Users > Read	This privilege is required to get user information.

Click CONTINUE, and then click CREATE ROLE.

Once you have created the custom role, you can assign the role to a user. To assign the role to account, navigate to Directory > Users, click the user account, navigate to Admin roles and privileges, and assign the role you created above. The user can then authorize Netskope to grant access to your Google Calendar instance.

Grant Scopes to the Netskope Service Account

This section describes the steps required to register the Netskope web application and API client with Google to enable access to data in Google Calendar.

Log in to admin.google.com as a super admin.
Navigate to Security > Access and data control > API controls.
On the API controls page, under Domain wide delegation, click Manage Domain Wide Delegation.
Click Add new.

A new pop-up window opens.
For Client ID, enter 114562088162043161373.

If you are connecting a US FedRAMP account, enter 113442366299881445312 as the client ID.
For OAuth scopes, enter the following scopes:

Enter one scope per line.
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/userinfo.profile
- https://www.googleapis.com/auth/admin.reports.audit.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.domain.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/calendar
- https://www.googleapis.com/auth/drive.readonly
Click Authorize.
Verify the steps above by checking if the Netskope for Google app appears in the API clients list.

Configure Google Calendar Instance in Netskope UI

To authorize Netskope to access your Google Drive instance, follow the steps below:

Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.
Under Apps, select Google Calendar and click Setup CASB API Instance.

The Setup Instance window opens.
Under API Admin Email, enter the Google account email of the super admin or a user with a custom role (see Create and Assign Custom Role for Netskope).
Under Administrator Email, enter the email address of the user who will receive an email notification when a policy violation or event triggers. This step is optional.
Under Instance Name, enter a name of the SaaS app instance. This step is optional and if left blank, Netskope will determine the name of the app instance post grant.
Click Grant Access. You will be prompted to log in using a super admin or a user with a custom role and password, and then click Sign In. When the configuration results page opens, click Close.

Refresh your browser and you will see a green check icon next to the instance name.

Next, you can view the Next Generation API Data Protection Inventory page to get deep insights on various entities on your Google Drive account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.

You can receive audit events and standard user behavior analytic alerts in Skope IT. To know more: Next Generation API Data Protection Skope IT Events.

Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.

Configure Google Calendar for the Next Generation API Data Protection