Permissions required for the Google Drive connector

Overview

When you connect Incydr to Google Drive, you grant Incydr certain permissions in your Google Drive environment. This article lists the permissions Incydr requires as well as what those permissions allow Incydr to do in your Google Drive environment.

Google Drive permissions

Permissions your Google Workspace administrator needs

Incydr uses API client access to connect to and monitor file activity in your Google environment. To grant third-party services or applications domain-wide delegation, or to manage API client access in the Google Admin console, you must be a Google Workspace administrator who has the Super Admin role. Incydr cannot collect data from your Google environment unless the connection is authorized by a Google Workspace administrator with the Super Admin role.

Optionally, you can remove the Super Admin role an hour after the connection was authorized. (If you ever need to reauthorize the connection, you will need to re-add the Super Admin role to the user making the connection.)

For more information, see Resolve Google Drive security data errors.

Permissions the Incydr service account needs

As a service account, Incydr uses delegated domain-wide authority to collect file events from Google Drive. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Incydr requires access to your Google Drive environment.

In the configuration steps when you connect Incydr to Google Drive, Incydr provides the following scopes for you to enter in your Google Admin console:

https://www.googleapis.com/auth/admin.directory.domain.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.customer.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/cloud-identity.groups
https://www.googleapis.com/auth/admin.directory.group

This set of permissions gives Incydr the access to user information, file metadata, and drives needed to monitor file activity, as well as the ability to block cloud shares with Incydr's preventative controls. This set includes manage and write permissions required for the Incydr data connection. However, Incydr is committed to data integrity and does not:

  • Write to or modify content in your cloud storage environment
  • Monitor the contents of files in cloud storage
  • Back up files in cloud storage

Configuring these scopes in the Google Admin console gives the Incydr API client delegated domain-wide authority to your Google Drive environment, and follows Google's recommendation for allowing service accounts to read content from user drives. Because of this authority, audit logs of your Google Workspace environment may show the Incydr Cloud Service account impersonating the owner of each user drive in order to read its contents.

The Incydr data connection uses the /auth/drive scope to allow security analysts to:

More information on file activity
For more information on the specific metadata and file events visible in Forensic Search, see the File event metadata reference.

Detailed permission descriptions

See below for the specific reasons Incydr requires each https://www.googleapis.com/auth/ permission listed above:

  • drive.readonly: Required to request additional file metadata, stream a file for hashing, and to determine a file’s category when analyzing file activity.
  • drive: Required to grant temporary access to view a file and to view and manage sharing permissions.
  • admin.directory.customer.readonly: Required to verify your Google Workspace information during authorization.
  • admin.directory.domain.readonly: Required to identify the primary and all alias domains for the Google Workspace, specifically to determine which user drives to monitor based on scoping.
  • admin.directory.group.readonly: Required to read group information and determine group membership. This is necessary when the Incydr Cloud Service is scoped to “groups”.
  • admin.directory.group: Required for preventative controls. Incydr creates and manages a group named Incydr Prevention Controls (Managed by Code42). Users on a watchlist with Block cloud sharing enabled are added to this group.
  • admin.directory.user.readonly: Required to read information about a user, specifically whether the user has a Google Drive and the UID associated with that Google Drive.
  • admin.reports.usage.readonly: Required to collect Google audit events for a specific user.
  • admin.reports.audit.readonly: Required to collect specific information such as create, modify, delete, and share activity from Google audit events.
  • cloud-identity.groups: Required for preventative controls to read and manage all types of Google groups and associate email aliases from IAM to users.
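The scope list above is what you enter for the Incydr client ID under domain-wide delegation, and the Admin console only shows it back to you as a comma-separated string. The following is an added example (not Code42 code) that checks such a string against the documented set, reporting missing scopes, any extra scopes that go beyond what this connector needs, and which of the granted scopes are write-capable. It assumes the input was copied verbatim from the Admin console.

```python
"""Review a domain-wide delegation scope list for the Incydr Google Drive
connector. Added example, not Code42 code. Input: the comma-separated scope
string the Google Admin console shows for the client ID (assumption)."""

# The ten scopes listed in this article, as the documented (expected) set.
EXPECTED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.customer.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/cloud-identity.groups",
    "https://www.googleapis.com/auth/admin.directory.group",
}

def parse_scopes(raw: str) -> set[str]:
    """Split the console's comma-separated list; tolerate whitespace and line
    breaks, drop empties. Scope names are case-sensitive, so no lowercasing."""
    return {s.strip() for s in raw.replace("\n", ",").split(",") if s.strip()}

def is_write_scope(scope: str) -> bool:
    """Scopes without a .readonly suffix can modify what they name. For this
    connector those are drive, admin.directory.group and cloud-identity.groups,
    which the article ties to preventative controls (blocking cloud shares)."""
    return not scope.endswith(".readonly")

def review_delegation(raw: str) -> dict:
    """Diff configured scopes against the documented set. 'missing' breaks the
    connector; 'unexpected' is excess privilege to review with the vendor."""
    configured = parse_scopes(raw)
    return {
        "missing": sorted(EXPECTED_SCOPES - configured),
        "unexpected": sorted(configured - EXPECTED_SCOPES),
        "write_scopes": sorted(s for s in configured if is_write_scope(s)),
        "matches": configured == EXPECTED_SCOPES,
    }

# Constructed sample: admin.reports.usage.readonly omitted, and the write-capable
# admin.directory.user scope (a real Admin SDK scope) added by mistake.
SAMPLE = """https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.customer.readonly,
https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly,
https://www.googleapis.com/auth/cloud-identity.groups, https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.user
"""

if __name__ == "__main__":
    print(review_delegation(SAMPLE))
```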

External resources

Google documentation
