Google Apps
Authentication & Authorization
DataGrail Google Apps uses the Reports RESTful API to access information about the Google Workspace activities of your users.
Credentials
-
Google Apps connects via OAuth 2.0.
- DataGrail owns a Google OAuth Application that provides the credentials to authenticate customers allowing the integration to connect by simply logging into their Google Workspace with their admin credentials and accepting to install the app.
Scopes
Google Report API requires specific scopes that need to be approved by you in order to grant DataGrail read on certain objects necessary to complete system detection:
-
https://www.googleapis.com/auth/admin.directory.user.readonly
-
https://www.googleapis.com/auth/admin.directory.user.alias.readonly
-
https://www.googleapis.com/auth/admin.reports.audit.readonly
Additionally to required OAuth 2.0 authorization parameters, DataGrail defines the next optional parameters:
-
access_type: “offline” – indicates that the DataGrail application can refresh access tokens when the user is not present at the browser.
-
prompt: “select_account consent”:
-
Prompt the user for consent.
-
Prompt the user to select an account.
-
Endpoints Utilized
-
Request authorization:
-
Get and refresh access token:
-
Verify connection and access to the requested scopes:
Version
Google Apps integration currently supports Reports RESTful API version 1 (v1).
Limits
The API limits the number of requests for your APIs Console project. The API project's maximum number of requests per second (project QPS) is 5 QPS. And, the maximum number of requests per day (project QPD) is 150,000 QPD across the account.
DataGrail’s integration uses throttling to prevent rate limit being exceeded.
System Detection
DataGrail provides continuous system detection, delivering a real-time inventory of your data assets. For an system detection requests, DataGrail will take the following actions:
-
Retrieve all authorization token “authorize” events for a domain. After the first connection, DataGrail fetches the last 3 months events. Then it fetches fresh events starting from the last processed event.
- Parse events to detect details of the new third party websites and applications your users have granted access for.
Endpoints Utilized
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.