Configure Google Drive for the Next Generation API Data Protection

To configure Google Drive for the Next Generation API Data Protection, follow the instructions below.

Prerequisite

Before configuring Google Drive for the Next Generation API Data Protection, review the prerequisites.

  • A Google Workspace with Business Standard or Business Plus edition license.

  • A Google super admin account to create a custom role and user for the Netskope integration.

  • Ensure that Google Drive is available across all organizational units of your Google account. To check, log in to admin.google.com using your Google super admin account, navigate to Apps > Google Workspace > Drive and Docs, and ensure that Service status is set to ON for everyone.

    [Image: Google Drive Service Status]
  • Ensure that the Google Drive SDK is turned on. To check, log in to admin.google.com using your Google super admin account, navigate to Apps > Google Workspace > Drive and Docs > Features and Applications, and ensure that Drive SDK is turned on.

    [Image: Enable Google Drive SDK]
  • If you have guest or external users in your SaaS environment whose domains should be treated as internal, you must set the appropriate internal domains so that Netskope classifies exposure accurately. To set up internal domains, follow this article.

  • If you intend to use Google badged labels, make sure the badged labels permission is set to Can view this label or Can apply labels and set values for the organization.

    This is a GA controlled feature. Contact Netskope support or your sales representative to enable this feature.

    To set the permission:

    1. Log in to admin.google.com as a super admin.

    2. On the left navigation bar, expand Apps > Google Workspace, and then click Drive and Docs.

    3. Under Labels, click Manage Labels.

    4. Click an entry under Badged label.

    5. On the top-right, click Permissions, and set the permission to either Can view this label or Can apply labels and set values.

    6. Click Save.

Create and Assign Custom Role for Netskope

If you do not plan to use the Google super admin account, you can create a custom role and assign it to a user to grant access to Next Generation API Data Protection. You can grant the required privileges (scopes) either through the default Google super admin role or through a custom role created exclusively for the Netskope integration. This section describes the steps to create a custom role for Netskope.

  1. Log in to admin.google.com as a super admin.

  2. Click the triple bar on the top-left corner of the home page and navigate to Account > Admin roles.

  3. Click Create new role.

  4. Enter a name and description for the role and click CONTINUE.

  5. Select the privileges for the role:

    Netskope does not recommend removing any of the following privileges. Removing one may cause API calls and policy processing to fail.
    1. Admin console privileges:

      Admin console privileges are assigned automatically when a new role is created in Google Workspace. The level of access this role has in the admin console depends on the permissions granted to it. Netskope requires the following privileges:

      Privilege | Needed for
      Domain Settings | Lists the domains under the Google Workspace. Netskope uses the domain list to determine whether a user is internal or external.
      Reports | Polls for changes.
      Services > Drive and Docs > Settings (all 5 privileges) | Enables the Google Drive admin settings.
    2. Admin API privileges:

      Admin API privileges are required to make any API calls.

      Privilege | Needed for
      Domain Management | Lists the domains under the Google Workspace. Netskope uses the domain list to determine whether a user is internal or external.
      Groups > Read | Retrieves group information.
      Users > Read | Retrieves user information.
  6. Click CONTINUE, and then click CREATE ROLE.

Once you have created the custom role, assign it to a user. To assign the role to an account, navigate to Directory > Users, click the user account, navigate to Admin roles and privileges, and assign the role you created above. That user can then authorize Netskope to access your Google Drive instance.
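The privilege tables above and the internal-domains prerequisite both rest on one rule: the Workspace domain list (plus any extra internal domains configured in Netskope) decides whether a collaborator is internal or external, and that in turn decides a file's exposure. The following Python is an added example, not Netskope's code, that applies that rule to Drive API v3 permission records (field names `type`, `role`, `emailAddress`, `domain` are the real ones; the exposure labels, the exact-match domain rule and the sample data are assumptions and constructed).

```python
"""Classify the sharing exposure of a Google Drive file from its permissions.

Added example, not Netskope's code: it applies the rule this page states,
that the Workspace domain list (plus any extra internal domains configured
in Netskope) decides whether a collaborator is internal or external.
Permission records use the field names of the Drive API v3 permissions
resource (type, role, emailAddress, domain). The exposure labels and the
exact-match domain rule are assumptions; the sample data is constructed.
"""
from __future__ import annotations

# Exposure levels from least to most exposed (labels are assumptions).
PRIVATE, INTERNAL, EXTERNAL, PUBLIC = "private", "internal", "external", "public"
_RANK = {PRIVATE: 0, INTERNAL: 1, EXTERNAL: 2, PUBLIC: 3}


def principal_domain(perm: dict) -> str:
    """Domain of the principal a permission grants access to ('' for 'anyone')."""
    if perm.get("type") == "domain":
        return perm.get("domain", "").lower()
    return perm.get("emailAddress", "").rpartition("@")[2].lower()


def classify_permission(perm: dict, internal_domains: set[str]) -> str:
    """Exposure contributed by one permission entry."""
    ptype = perm.get("type")
    if ptype == "anyone":            # link sharing, discoverable or not
        return PUBLIC
    if ptype in ("user", "group", "domain"):
        return INTERNAL if principal_domain(perm) in internal_domains else EXTERNAL
    raise ValueError(f"unknown permission type: {ptype!r}")


def classify_file(permissions: list[dict], workspace_domains, extra_internal_domains=()) -> dict:
    """Overall exposure of a file plus the principals that make it external or public.

    workspace_domains: the domains the Domain Settings / Domain Management
    privilege lets Netskope list. extra_internal_domains: the internal domains
    configured in Netskope for guest or external users that count as internal.
    """
    internal = {d.lower() for d in workspace_domains} | {d.lower() for d in extra_internal_domains}
    exposure = PRIVATE
    external_principals: list[str] = []
    for perm in permissions:
        if perm.get("role") == "owner":
            continue                 # ownership is not a share
        level = classify_permission(perm, internal)
        if _RANK[level] > _RANK[exposure]:
            exposure = level
        if level in (EXTERNAL, PUBLIC):
            external_principals.append(perm.get("emailAddress") or perm.get("domain") or "anyone")
    return {"exposure": exposure, "external_principals": external_principals}


# Constructed sample: a file shared with a colleague, a contractor group and a
# personal Gmail address.
SAMPLE_PERMISSIONS = [
    {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
    {"type": "user", "role": "writer", "emailAddress": "bob@example.com"},
    {"type": "group", "role": "reader", "emailAddress": "partners@contractor-example.net"},
    {"type": "user", "role": "reader", "emailAddress": "eve@gmail.com"},
]
# Constructed sample: "anyone with the link".
LINK_SHARED_PERMISSIONS = [
    {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
    {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
]

if __name__ == "__main__":
    # Without the contractor domain marked internal, the group counts as external.
    print(classify_file(SAMPLE_PERMISSIONS, {"example.com"}))
    # With it, only the Gmail address remains external.
    print(classify_file(SAMPLE_PERMISSIONS, {"example.com"}, {"contractor-example.net"}))
    print(classify_file(LINK_SHARED_PERMISSIONS, {"example.com"}))
```

Running the two `SAMPLE_PERMISSIONS` calls side by side shows why the internal-domains prerequisite matters: the same file is reported with one or two external principals depending only on whether the contractor domain has been configured as internal.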

Grant Scopes to the Netskope Service Account

This section describes the steps required to register the Netskope web application and API client with Google to enable access to data in Google Drive.

  1. Log in to admin.google.com as a super admin.

  2. Navigate to Security > Access and data control > API controls.

  3. On the API controls page, under Domain wide delegation, click Manage Domain Wide Delegation.

  4. Click Add new.

    A new pop-up opens.

  5. For Client ID, enter 108196482611215472250.

  6. For OAuth scopes, enter the following scopes:

    Enter one scope per line.
    • https://www.googleapis.com/auth/userinfo.email

    • https://www.googleapis.com/auth/userinfo.profile

    • https://www.googleapis.com/auth/admin.reports.audit.readonly

    • https://www.googleapis.com/auth/admin.directory.user.readonly

    • https://www.googleapis.com/auth/admin.directory.domain.readonly

    • https://www.googleapis.com/auth/admin.directory.group.readonly

    • https://www.googleapis.com/auth/admin.directory.group.member.readonly

    • https://www.googleapis.com/auth/drive

    If you use Google badged labels, also grant the following two scopes. Badged label support is a GA controlled feature; contact Netskope support or your sales representative to enable it.

      • https://www.googleapis.com/auth/drive.labels

      • https://www.googleapis.com/auth/drive.admin.labels

  7. Click Authorize.

  8. Verify the steps above by checking if the Netskope for Google app appears in the API clients list.
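The delegation entry is where over- or under-granting happens: a scope typed with one wrong character is silently accepted, and a scope beyond the list above is access the integration never needs. The following Python is an added pre-flight check, not Netskope's or Google's code. It takes the text an admin is about to paste into the OAuth scopes field, splits it on newlines, commas or whitespace, and compares it with the list on this page (eight core scopes required, the two badged-label scopes optional, anything else flagged as extra). The sample paste below is constructed.

```python
"""Pre-flight check of the OAuth scope list for the domain-wide delegation entry.

Added example, not Netskope's or Google's code. It compares pasted scope text
with the scope list on this page: eight core scopes are required, the two
badged-label scopes are optional, and anything else is a grant the
integration does not need. Sample inputs are constructed.
"""
from __future__ import annotations

import re

REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/drive",
})
BADGED_LABEL_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive.labels",
    "https://www.googleapis.com/auth/drive.admin.labels",
})


def parse_scopes(text: str) -> list[str]:
    """Tokenise pasted scope text on newlines, commas or whitespace.

    Keeps order, drops blanks and duplicates. Scopes are compared
    case-sensitively and byte for byte, so a miscapitalised or misspelled
    scope shows up as both missing and extra instead of passing silently.
    """
    seen: list[str] = []
    for token in re.split(r"[\s,]+", text):
        if token and token not in seen:
            seen.append(token)
    return seen


def check_scopes(text: str) -> dict:
    """Report missing required scopes, unexpected extra scopes and badged-label status."""
    granted = set(parse_scopes(text))
    missing = REQUIRED_SCOPES - granted
    extra = granted - REQUIRED_SCOPES - BADGED_LABEL_SCOPES
    return {
        "missing": sorted(missing),
        "extra": sorted(extra),
        "badged_labels": BADGED_LABEL_SCOPES <= granted,
        "ok": not missing and not extra,
    }


# Constructed sample: one scope misspelled ("users" instead of "user") and one
# scope the integration never asks for.
SAMPLE_PASTE = """
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.directory.users.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/gmail.readonly
"""

# Constructed sample: the full list including badged labels, comma-separated.
CORRECT_PASTE = ", ".join(sorted(REQUIRED_SCOPES | BADGED_LABEL_SCOPES))

if __name__ == "__main__":
    print(check_scopes(SAMPLE_PASTE))
    print(check_scopes(CORRECT_PASTE))
```

Run it on the text before clicking Authorize; an `ok` of `False` with a non-empty `extra` list is the signal to trim the grant, and a scope that appears in both `missing` and `extra` is almost always a typo.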

Configure Google Drive Instance in Netskope UI

To authorize Netskope to access your Google Drive instance, follow the steps below:

  1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.

  2. Under Apps, select Google Drive and click Setup CASB API Instance.

    The Setup Instance window opens.

  3. Under API Admin Email, enter the Google account email of the super admin or of a user with the custom role (see Create and Assign Custom Role for Netskope).

  4. Under Administrator Email, enter the email address of the user who will receive an email notification when a policy violation or event triggers. This step is optional.

  5. Under Instance Name, enter a name for the SaaS app instance. This step is optional; if left blank, Netskope determines the name of the app instance after access is granted.

  6. Click Grant Access. You are prompted to sign in as the super admin or as the user with the custom role; enter the password and click Sign In. When the configuration results page opens, click Close.

Refresh your browser and you will see a green check icon next to the instance name.

Next, you can view the Next Generation API Data Protection Inventory page for detailed insight into the entities in your Google Drive account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.

You can receive audit events and standard user behavior analytics alerts in Skope IT. For more information, see Next Generation API Data Protection Skope IT Events.

Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.
