This document provides prerequisites and Expel Workbench on-boarding steps for Google Workspace.
Items to be produced | Description |
---|---|
Admin Username | The admin username used to generate the service account. Only Admin accounts can access the Admin SDK reports API, so we need to impersonate the admin user through our service account. |
Service Credentials JSON File | The credential file generated for the service account. |
API Scopes | The permissions granted to the service account. This must be exactly what was provisioned in Google Workspace. |
Step 1: Provision Expel Service Account in Google Workspace
- Go to the Google Developers Console and sign in as a super administrator.
- Under IAM & Admin, click Manage Resources.
- Click Create Project.
- Type project details and click Create.
For this field | Type this |
---|---|
Project name | Can be anything you want but we recommend "ExpelAPI". |
Organization | The name of your organization. |
Location | Typically the name of your organization. You can put it wherever makes the most sense, however. |
- Each project uses its own set of APIs. For Expel to communicate with Google Workspace APIs, we need to enable the Admin SDK for the newly created project. Navigate to the newly created project.
- Search for Admin SDK and open.
- Enable the Admin SDK for the new project.
- Create a Service Account for Expel Access. Navigate to Menu > IAM & admin > Service accounts.
- Click Create Service Account.
- Fill in the service account details.
For this field | Type this |
---|---|
Service account name | Can be anything but we recommend "ExpelAPI". |
Service account ID | Can be anything but we recommend "ExpelAPI". |
Service account description | Can be anything but we recommend "ExpelAPI". |
- In the IAM & Admin section, click Service Accounts. For the service account that relates to this integration, click the Actions button and then Manage keys. In the Add Key section, click Create new key. Select JSON and click Create. After you click Create, a JSON file is downloaded.
Note
Keep this file in a safe place! It contains the credentials for this service account.
- Enable domain-wide delegation for the service account.
  - Back on the Service Accounts screen, click Actions and then click Manage Details.
  - Select Enable Google Workspace Domain-wide Delegation under the Details section.
- After the service account is created, in the Details area, copy Unique ID.
- Grant the service account the required API permission scope.
  - Open the Google Workspace admin console. https://admin.google.com/ac/owl/domainwidedelegation
  - Navigate to Security > API Controls > Manage Domain Wide Delegation.
  - Click Add New.
  - Client Name: The Client ID that we saved from our Service Account in the earlier step.
  - API Scopes: You can copy and paste all of the scopes, which are comma-delimited, or add the scopes for retrieving organizational units individually.
    https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly, https://www.googleapis.com/auth/admin.directory.orgunit.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly
Step 2: Configure Google Workspace in Workbench
Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
- In a new browser tab, log in to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, click Add Security Device.
- Search for and select Google Workspace.
- Fill in the following information.
  - Select Expel Cloud Service for SIEM.
  - Type device Name and Location.
  - For Admin username, type the email address of the Super Administrator that created the service account in Step 1.
  - For Service Credentials JSON, type the contents of the JSON file for the service account generated in Step 1.
  - For API scopes, type the API Scopes from Step 1.
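Because the API scopes typed into Workbench must be exactly what was provisioned for domain-wide delegation, a local pre-flight check of the three items can catch a mismatch before they are submitted. The following is an added example, not Expel or Google code; the function names and the sample values are constructed for illustration, and it assumes the standard service account key file fields.

```python
import json

# The six read-only scopes listed in Step 1 of this page.
BASE = "https://www.googleapis.com/auth/admin."
REQUIRED_SCOPES = frozenset(BASE + s + ".readonly" for s in (
    "directory.group", "directory.user", "directory.rolemanagement",
    "directory.orgunit", "reports.audit", "reports.usage"))
# Fields present in a Google service account key file.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id")

def parse_scopes(text):
    """Split the comma-delimited scope string, trimming whitespace."""
    return [s.strip() for s in text.split(",") if s.strip()]

def preflight(key_json, admin_username, scopes_text, delegated_client_id):
    """Return a list of problems; an empty list means the inputs agree."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"credentials are not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["credentials JSON is not an object"]
    problems = []
    missing = [f for f in KEY_FIELDS if not key.get(f)]
    if missing:
        problems.append("key file missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("key file type is not service_account")
    # The key file's client_id is the service account's Unique ID.
    if key.get("client_id") != delegated_client_id:
        problems.append("key client_id differs from delegated Client ID")
    if "@" not in admin_username:
        problems.append("admin username is not an email address")
    granted = set(parse_scopes(scopes_text))
    for s in sorted(REQUIRED_SCOPES - granted):
        problems.append("missing scope: " + s)
    for s in sorted(granted - REQUIRED_SCOPES):
        kind = "extra" if s.endswith(".readonly") else "extra non-read-only"
        problems.append(f"{kind} scope: {s}")
    return problems

# Constructed sample values (not real credentials).
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "expelapi-example",
    "private_key_id": "0000", "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": "expelapi@expelapi-example.iam.gserviceaccount.com",
    "client_id": "100000000000000000001"})
SAMPLE_SCOPES = ", ".join(sorted(REQUIRED_SCOPES))
```

Run it where the key file already lives and call `preflight()` with the file contents, the admin email, the scope string, and the Client ID entered under Manage Domain Wide Delegation.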