Google Suite Connector Setup Guide

Overview

Reveal Hold supports integration with G Suite for in-place preservation and data collection. This document describes the prerequisites for integrating Reveal Hold with G Suite.

Information Required for Integration

Reveal Hold G Suite connectors integrate with G Suite through APIs and require a service account.

Create a Service Account

Follow the below steps to provide create a service account with required role permissions:

1. Navigate to https://console.developers.google.com/ with a user having Admin privileges.

Figure: Dashboard - APIs and Services

2. Click on dropdown next to Quickstart as shown below to create a project and click on New project.

Figure: Quickstart

3. Enter the Project name as Reveal Hold-Project and select the Location.

Figure: New Project

4. Click on Create to create the project.

5. Once the project is successfully created, select Credentials from the left menu.

6. Click on Create Credentials and select Service account.

   Figure: Create Credentials

7. Enter the service account name and click on Create and Continue.

Figure: Create Service Account

8. Select the role as Service Account User and click on Done.

Figure: Select Role

Figure: Grant Users Access to Service Account

9. Select the service account created and click on Edit.

10. Note down UniqueID value and click on Enable Google Workspace Domain-wide Delegation. Click on Save.

Figure: Enable Google Workspace Domain-wide Delegation

11. Select Keys, click on Add Key, and select Create New Key.

Figure: Create New Key Option

12. Select P12 and click on Create. Download the P12 file.

Figure: Create New Key

The created key will display on the page with the date of creation and expiration.

Figure: Created Key Displayed

13. Navigate to Admin Console https://admin.google.com/verticaldiscovery.us/AdminHome?hl=en$&pli=1&fral=1 with the admin service account credentials and click on Security.

Figure: Admin Console

14. Select API controls from the Security page.

Figure: API Controls

15. Tick the checkbox for Trust internal, domain-owned apps and click on Manage Domain Wide Delegation.

Figure: Select Internal Domain-owned Apps

16. Select Add new from the Domain wide Delegation page. An Add a new client ID popup appears.

Figure: Add New Client ID Modal

17. Enter the below values and click on Authorize.

• Client ID: Enter value of the UniqueID

• One or more API Scopes: https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/devstorage.full_control,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/ediscovery

Figure: Add OAuth Scope

18. The authorized API client is displayed on the screen.

Figure: Authorized API Clients

Enable APIs for Project

To enable APIs for the project,

1. Login to https://console.cloud.google.com/ and select the project.

2. Click on the APIs & Services option as shown in the below image.

Figure: APIs & Services

3. Click on +Enable APIs And Services option seen on top of the page and add highlighted APIs from the below image that need to be enabled:

• G Suite Vault API

• Admin SDK

• Cloud Storage

• Google Cloud Storage JSON API

Figure: Enable APIs and Services

4. After clicking on +Enable APIS and Services, the page is redirected to the Search APIs page in which the user can search the required API name and enable it.

Figure: API Library Page

For example, if the user needs to enable G Suite Vault API, search with API name and select it. The user will get an enable option. Click on it and the required API gets enabled.

Figure: G Suite Vault API Example

Assign Role to User Account

Reveal Hold requires a user account with an eDiscovery Admin role for configuration.

1. Login to https:/admin.google.com and click on Users.

Figure: Users

2. Create a new user or select the existing user (this needs to be configured in Reveal Hold G Suite configuration) for whom the role needs to be configured.

3. Select the user and click on the Admin roles and privileges section.

Figure: Admin Roles and Privileges

4. Assign the eDiscovery Admin role to the selected user.
   

Figure: Assign Role

Following are the EDiscovery Admin role privileges:

Admin Console Privileges

Organization Units

• Read

Users

• Read

Services - Google Vault

• Manage Matters

• Manage Holds

• Manage Searches

• Manage Exports

• Manage Retention Policies

  • View Retention Policies

• Manage Audits

• View All Matters

Admin API Privileges

Organization Units

• Read

Users

• Read

Figure: Admin Console Privileges