Set up Google Workspace for automated tests with TrustCloud

Purpose

Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack, and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud read-only access to metadata about the configuration settings for your Google Workspace account and Google Workspace users, so that TrustOps can validate and generate evidence for your compliance program.

If you have previously set up TrustOps to work with GCP, skip to the section titled: “Instructions to add Google Workspace access to your GCP Delegated Account”.

Instructions to grant TrustCloud limited access to Google Workspace metadata

1. Create a new user service account in your Google Workspace.

This service account will be the base account from which access is delegated to TrustCloud. TrustCloud will not have the login / password credentials to this account, and will not be able to log in to your Google Workspace console with this account.

  • Log in to [admin.google.com](https://admin.google.com/) in your Google Workspace. Click on Users and then Add new user, and create the new user. Once the user is created,
    • Click on the user
    • Under Admin roles and privileges, click on Assign a role for this user.
    • Configure this user to have the User Management Admin role.

This account is used only to delegate read access to specific metadata. You will explicitly grant this access below in step 5.

An existing admin account can be used, but we recommend a separate account in order to segment user accounts from service accounts.

2. Navigate to your Google Workspace admin console. From the console, navigate to Security → API Controls → Manage Domain-wide Delegation. Or, click on this [link](https://admin.google.com/u/4/ac/owl/domainwidedelegation).

3. Click Add New.
4. Set Client ID to 103428701341105119087. This is the client ID for TrustCloud’s application, which you will be delegating access to.


5. Under Scopes, add the following:
https://www.googleapis.com/auth/admin.directory.user.readonly

This scope ONLY allows TrustCloud to audit your Google Workspace user settings in order to determine adherence to specified controls. It only allows TrustCloud to access user metadata — information about your users and their settings. It does not provide TrustCloud the ability to read any Google Workspace data — we cannot access any emails, view your Google Chat messages, or read your Google Docs. (See this document for a full list of Google Workspace scopes).

6. Click Authorize.

7. Provide the email address of the service account created in step 1 when setting up your credentials in TrustCloud. No password or other credentials are required. The email address will be used as a key to identify your GCP account, as well as to delegate the above scopes to the TrustCloud application service account. Only the above-granted scopes will be granted access to the delegated account.

Instructions to add Google Workspace access to your GCP Delegated Account

In setting up Google Workspace to work alongside GCP, you will use the same domain-wide delegation mechanism. You can use the same service account created for your Google Workspace, or you can create a new, separate service account. Once you have your service account:

  1. Navigate to your Google Workspace admin console. From the console, navigate to Security → API Controls → Manage Domain-wide Delegation. Or, click on this [link](https://admin.google.com/u/4/ac/owl/domainwidedelegation).
  2. Find the account “TrustCloud TrustCloud” and click Edit.
  3. Ensure the following scope is present. If it is not, add it:
    • https://www.googleapis.com/auth/admin.directory.user.readonly
      This scope ONLY allows TrustCloud to audit your Google Workspace user settings in order to determine adherence to specified controls. It only allows TrustCloud to access user metadata — information about your users and their settings. It does not provide TrustCloud the ability to read any Google Workspace data — we cannot access any emails, view your Google Chat messages, or read your Google Docs. (See this document for a full list of Google Workspace scopes).
  4. Click Authorize.
  5. Provide the email address of the service account (created in step 1 of the section above, or the existing account you chose to reuse) when setting up your credentials in TrustCloud. No password or other credentials are required. The email address will be used as a key to identify your GCP account, and will be used to delegate the above scopes to the TrustCloud application service account. Only the above-granted scopes will be granted access to the delegated account.
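Both procedures above end with the same check: the TrustCloud client ID should hold exactly the one read-only directory scope, nothing broader. The following script is an added example, not TrustCloud's or Google's code, that audits a list of domain-wide delegation entries (client ID plus granted scopes) for that condition and flags missing scopes, extra scopes, and any scope that is not read-only. The client ID and scope are the ones given in the steps above; the line-oriented input format, the second client ID and the sample entries are constructed for the example.

```python
"""Least-privilege audit for a Google Workspace domain-wide delegation entry.

Added example (not TrustCloud's or Google's code). Input format is
constructed for this example: one entry per line,
"<client id> <scope>[,<scope>...]"; blank lines and '#' comments are ignored.
"""
from dataclasses import dataclass

# Client ID and scope exactly as given in the setup steps above.
TRUSTCLOUD_CLIENT_ID = "103428701341105119087"
EXPECTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
})


@dataclass(frozen=True)
class DelegationEntry:
    client_id: str
    scopes: frozenset


def parse_delegations(text):
    """Parse the constructed export format into DelegationEntry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        client_id, _, scope_field = line.partition(" ")
        scopes = frozenset(s.strip() for s in scope_field.split(",") if s.strip())
        entries.append(DelegationEntry(client_id.strip(), scopes))
    return entries


def is_readonly_scope(scope):
    """Google's read-only Admin SDK scopes carry a '.readonly' suffix."""
    return scope.endswith(".readonly")


def audit_entry(entry, expected=EXPECTED_SCOPES):
    """Compare granted scopes with the expected set.

    'missing' scopes mean evidence collection would fail; 'extra' scopes mean
    over-delegation; 'writable' lists any granted scope that is not read-only,
    which a metadata-only integration should never hold.
    """
    missing = expected - entry.scopes
    extra = entry.scopes - expected
    writable = {s for s in entry.scopes if not is_readonly_scope(s)}
    return {
        "client_id": entry.client_id,
        "missing": sorted(missing),
        "extra": sorted(extra),
        "writable": sorted(writable),
        "ok": not missing and not extra,
    }


def audit_trustcloud(entries, client_id=TRUSTCLOUD_CLIENT_ID):
    """Audit the TrustCloud entry; an absent entry is reported as a finding."""
    for entry in entries:
        if entry.client_id == client_id:
            return audit_entry(entry)
    return {"client_id": client_id, "missing": sorted(EXPECTED_SCOPES),
            "extra": [], "writable": [], "ok": False}


# Constructed sample: a correct TrustCloud entry plus an unrelated client
# (placeholder ID) that holds a writable directory scope.
SAMPLE_GOOD = """
# client_id scopes
103428701341105119087 https://www.googleapis.com/auth/admin.directory.user.readonly
111111111111111111111 https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/drive.readonly
"""

# Constructed sample: TrustCloud mistakenly granted the read-write user scope too.
SAMPLE_OVERBROAD = """
103428701341105119087 https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user
"""

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("overbroad", SAMPLE_OVERBROAD)):
        print(label, audit_trustcloud(parse_delegations(text)))
```

Run it after completing the steps above by pasting the Client ID and scope list from the Manage Domain-wide Delegation page into the constructed format; an `ok` of `False` with a non-empty `extra` or `writable` list means the delegation grants more than the single read-only scope this guide asks for.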
