Configure Gmail for Next Generation API Data Protection

To configure Gmail for the Next Generation API Data Protection, follow the instructions below.

Before you configure Gmail on the Next Generation API Data Protection platform, take a note of the following important points.

• If you are currently using the classic version of the Gmail app, the app will be migrated to the Next Generation platform. The migration process has already kick started as part of release 109. This transition will occur seamlessly, and we anticipate its completion within the coming weeks. Once migrated, you will no longer see the Gmail app under
  Configure App Access > Classic > SaaS. However,

  • the Gmail app will be available under Configure App Access > Next Gen > CASB API.

  • classic policies will be automatically migrated to Next Generation API Data Protection and will be available under Policies > API Data Protection > SAAS > Next Gen.

  • the Gmail dashboard page will be available under API-enabled Protection > SAAS (Next Gen) > Dashboard.

  • In addition, you can view the Inventory page under API-enabled Protection > SAAS (Next Gen) > Inventory.

• If you currently do not use the classic version of the Gmail app, you can configure the Gmail app under Configure App Access > Next Gen > CASB API.

Prerequisite

Before configuring Gmail for the Next Generation API Data Protection, review the prerequisites.

• A Google Workspace with Business Standard or Business Plus edition license.

• A Google super admin account to create a custom role and user for Netskope integration.

• If you have guest or external users in your SaaS environment belonging to domains considered internal, you must set the appropriate internal domains for Netskope to classify exposure accurately. To set up internal domains, follow this article.

Create and Assign Custom Role for Netskope

If you do not plan to use the Google super admin account, you can create a custom role and assign the role to a user to grant access to Next Generation API Data Protection. You can grant privileges / scopes using the default Google super admin role or by creating a custom role exclusively for the Netskope integration. This section describes the steps to create a custom role for Netskope.

1. Log in to admin.google.com as a super admin.

2. Click the triple bar on the top-left corner of the home page and navigate to Account > Admin roles.

3. Click Create new role.

4. Enter a name and description for the role and click CONTINUE.

5. Select privilege for the role:

   Netskope does not recommend removing the following privileges. Any removal may
   result in failure of API calls and policy processing.

   • Admin console privileges:

     The admin console privileges are automatically assigned when a new role is created in Google Workspace. The level of access provided to this role in the admin console depends on what permissions are provided for this role. Here is a list of privileges Netskope requires:

     Privileges	Needed for
     Domain Settings	This privilege is required to list the domains under the Google workspace. Netskope use the domains list to determine whether a user is internal or external.

   • Admin API privileges:

     The admin API privileges are required to make any API calls.

     Privileges	Needed for
     Domain Management	This privilege is required to list the domains under the Google workspace. Netskope uses the domains list to determine if a user is internal or external.
     Groups > Read	This privilege is required to get group information.
     Users > Read	This privilege is required to get user information.

6. Click CONTINUE, and then click CREATE ROLE.

Once you have created the custom role, you can assign the role to a user. To assign the role to account, navigate to Directory > Users, click the user account, navigate to Admin roles and privileges, and assign the role you created above. The user can then authorize Netskope to grant access to your Gmail instance.

Grant Scopes to the Netskope Service Account

This section describes the steps required to register the Netskope web application and API client with Google to enable access to data in Gmail.

1. Log in to admin.google.com as a super admin.

2. Navigate to Security > Access and data control > API controls.

3. On the API controls page, under Domain wide delegation, click Manage Domain Wide Delegation.

4. Click Add new.

   A new pop-up window opens.

5. For Client ID, enter 104758972154652632520.

6. For OAuth scopes, enter the following scopes:

   Enter one scope per line.

   • https://www.googleapis.com/auth/admin.directory.user.readonly

   • https://www.googleapis.com/auth/admin.directory.domain.readonly

   • https://www.googleapis.com/auth/gmail.readonly

   • https://www.googleapis.com/auth/admin.directory.group.member.readonly

   • https://www.googleapis.com/auth/admin.directory.group.readonly

7. Click Authorize.

8. Verify the steps above by checking if the Netskope for Google app appears in the API clients list.

Configure Gmail Instance in Netskope UI

To authorize Netskope to access your Gmail instance, follow the steps below:

1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.

2. Under Apps, select Gmail and click Setup CASB API Instance.

   The Setup Instance window opens.

3. Under API Admin Email, enter the Google account email of the super admin or a user with a custom role (see Create and Assign Custom Role for Netskope).

4. Under Administrator Email, enter the email address of the user who will receive an email notification when a policy violation or event triggers. This step is optional.

5. Under Instance Name, enter a name of the SaaS app instance. This step is optional and if left blank, Netskope will determine the name of the app instance post grant.

6. Click Grant Access. You will be prompted to log in using a super admin or a user with a custom role and password, and then click Sign In. When the configuration results page opens, click Close.

Refresh your browser and you will see a green check icon next to the instance name.

Next, you should configure a Next Generation API Data Protection policy. To do so, see Create a Next Generation API Data Protection Policy.