Configure Google Workspace for SaaS Security Posture Management
To configure Google Workspace for SaaS Security Posture Management, follow the instructions below.
Prerequisite
Before configuring Google Workspace for SaaS Security Posture Management, review the prerequisites:
- A Google Workspace with any Business edition license.
- A Google super admin account for Netskope integration.
Netskope requires the super admin role to fetch the token resources that support OAuth 2.0 token-based use cases, such as rules related to OAuth tokens.
Grant Scopes to the Netskope Service Account
This section describes the steps required to register the Netskope web application and API client with Google to enable access to data in Google Workspace.
- Log in to admin.google.com as a super admin.
- Navigate to Security > Access and data control > API controls.
- On the API controls page, under Domain wide delegation, click Manage Domain Wide Delegation.
- Click Add new.
A new pop-up window opens.
- For Client ID, enter 115103394993879524295.
- For OAuth scopes, enter the following scopes:

| OAuth Scope | Needed for... |
| --- | --- |
| https://www.googleapis.com/auth/admin.directory.user.readonly | List all users in the Google Workspace account. |
| https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly | List all privileges, role and role assignments. |
| https://www.googleapis.com/auth/admin.directory.orgunit.readonly | List of all organizational units in the Google Workspace account. |
| https://www.googleapis.com/auth/admin.directory.customer.readonly | Get the customer details in the Google Workspace account. |
| https://www.googleapis.com/auth/admin.directory.user.security | List a set of token metadata issued by the user to 3rd party applications. |
| https://www.googleapis.com/auth/admin.directory.group.readonly | List all groups in the Google Workspace account. |
| https://www.googleapis.com/auth/admin.reports.audit.readonly | Retrieve changes to various resources in the Google Workspace account. |
| https://www.googleapis.com/auth/admin.directory.device.mobile.readonly | List of all user-owned mobile devices in the Google Workspace account. |
| https://www.googleapis.com/auth/admin.directory.domain.readonly | Lists domains of the customer. |
| https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly | List of Chrome OS devices within the Google Workspace account. |
| https://www.googleapis.com/auth/admin.directory.userschema.readonly | List all schemas for a customer. |
| https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly | List all calendar resources. |

- Click Authorize.
- Verify the steps above by checking if the Netskope for Google app appears in the API clients list.
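
The verification step above only confirms that the client appears in the list. As an added example (not Netskope's or Google's code), this Python check compares a client ID and scope string copied by hand from the API clients list with the values on this page, and reports missing, unexpected and non-read-only scopes. The function names and the sample input are assumptions made for illustration.

```python
# Added example: audit a domain-wide delegation entry against this page's values.
PREFIX = "https://www.googleapis.com/auth/"
# Scope suffixes copied from the table on this page.
EXPECTED = frozenset(PREFIX + s for s in (
    "admin.directory.user.readonly",
    "admin.directory.rolemanagement.readonly",
    "admin.directory.orgunit.readonly",
    "admin.directory.customer.readonly",
    "admin.directory.user.security",
    "admin.directory.group.readonly",
    "admin.reports.audit.readonly",
    "admin.directory.device.mobile.readonly",
    "admin.directory.domain.readonly",
    "admin.directory.device.chromeos.readonly",
    "admin.directory.userschema.readonly",
    "admin.directory.resource.calendar.readonly",
))
CLIENT_ID = "115103394993879524295"  # Client ID given on this page


def parse_scopes(text):
    """Split a comma- or whitespace-delimited scope string into a set."""
    return {s.rstrip("/") for s in text.replace(",", " ").split()}


def audit_delegation(client_id, scope_text):
    """Compare a delegation entry (hypothetical hand-copied input) with the page."""
    granted = parse_scopes(scope_text)
    return {
        "client_id_ok": client_id.strip() == CLIENT_ID,
        "missing": sorted(EXPECTED - granted),     # listed on the page, not granted
        "unexpected": sorted(granted - EXPECTED),  # granted beyond what the page lists
        # Scopes not ending in .readonly deserve a second look, expected or not.
        "not_readonly": sorted(s for s in granted if not s.endswith(".readonly")),
    }


def paste_string():
    """Comma-delimited string for the OAuth scopes field."""
    return ",".join(sorted(EXPECTED))


if __name__ == "__main__":
    # Constructed sample: one scope dropped, one broader scope added by mistake.
    sample = paste_string().replace(PREFIX + "admin.directory.domain.readonly,", "")
    sample += "," + PREFIX + "admin.directory.user"
    for key, value in audit_delegation(CLIENT_ID, sample).items():
        print(key, value)
```

Of the scopes on this page, only `admin.directory.user.security` does not end in `.readonly`, so it is the single entry `not_readonly` reports for a correct configuration.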
Configure Google Workspace Instance in Netskope UI
To authorize Netskope to access your Google Workspace instance, follow the steps below:
- Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and go to Settings > Configure App Access > Next Gen > Security Posture.
- Under Apps, select Google Workspace and click Setup Security Posture Instance. The Setup Instance window opens.
- Under API Admin Email, enter the Google account email of the super admin.
- Under Google Workspace administrator email, enter the email address of the user who will receive the findings related to security posture. This can be added when creating security posture policies.
- From the Security Scan Interval drop-down list, select the required scan interval. This is the interval at which Netskope runs the policy periodically.
- Click Grant Access. When prompted, log in as a super admin or as any user belonging to the same Google Workspace domain, and then click Sign In. When the configuration results page opens, click Close.
Refresh your browser and you will see a green check icon next to the instance name.
Next, you should configure a security posture policy. To do so, see SaaS Security Posture Management Policy Wizard.