Google Workspace IAM only

Onboard the Google Workspace IAM and Email data connectors.

In this guide, you will set up a trusted relationship between Radiant and your Google Workspace account to allow Radiant to retrieve user and group IAM information and email activity.

At the end of this configuration, you will provide Radiant Security with the following information:

  • Delegate User Email

  • API key (in JSON file format)

License Requirements

To collect only IAM information, the account will need to have one of the following Google Workspace plans:

  • Enterprise

  • Education Standard

  • Education Plus

  • Business Plus

To verify your current license plan, visit https://admin.google.com/ac/billing/subscriptions from an account with admin-level access.

Prerequisites

To complete the steps below, the logged-in user must have the following permissions/roles:

Create a new project in Google Cloud

  1. Access the Google Cloud console.

  2. On the Select organization drop-down list at the top of the page, click New project to create a new project.

    1. Project name: {customer name}-iam-logs

  3. Ensure other fields are correctly defined.

  4. Copy the Project ID.

  5. Click Create.

  6. Select the newly created project from the drop-down list at the top of the page.

  7. From the left side menu, navigate to APIs & Services > Library and enter Admin SDK API in the search bar. Alternatively, you can use the top search bar to navigate to the Library page.

  8. Select Admin SDK API and click Enable.

  9. Return to the Library (APIs & Services > Library) and search for Cloud Identity.

  10. Select Cloud Identity and click Enable.

  11. From the left side menu, navigate to APIs & Services > OAuth Consent Screen.

  12. Click Get Started.

  13. Define the app with the following fields:

    1. App name: radiant-iam-logs

    2. User support email: <select the appropriate user>

    3. Audience: Select Internal

    4. Developer contact email address: <select the appropriate user>

  14. Click Create.

Create a new service account

You must provide a dedicated Service account in your Google Cloud to ingest the data. The service account should have the permission(s) required to read the data you want to feed into Radiant Security.

  1. While still in the Google Cloud console, navigate to IAM & Admin > Service Accounts. Alternatively, you can use the top search bar to navigate to the Service Accounts page.

  2. Click + Create service account and add the following information:

    1. Service account name: radiant-connector

  3. Click Create and Continue.

  4. Click Done to save the user.

  5. Click on the newly created service account radiant-connector to edit it.

  6. Navigate to Keys > + Add key > Create new key.

  7. Select JSON and then click Create.

  8. The API key is automatically downloaded.

Note: Your new public/private key pair is generated and downloaded to your machine as a new file. This file is the only copy of this key. This file will be uploaded to Radiant Security at the end of the guide. For information about how to store your key securely, see Managing service account keys.

Grant access to the service account

To call APIs in a Google Workspace, the new service account needs to be granted domain-wide delegation of authority in the Google Workspace Admin console by a super administrator account. For more information, see Delegating domain-wide authority to a service account.

  1. On the Service Accounts page, click on the newly created service account radiant-connector to edit it.

  2. On the Details tab, expand Advanced settings section and copy the Client ID.

  3. Click View Google Workspace Admin Console.

  4. From the left side menu, navigate to Security > Access and data control > API Controls.

  5. Click Manage Domain-wide Delegation.

  6. Click Add new and paste the Client ID you copied from step 2.

  7. In the OAuth Scopes field, copy and paste the following permissions:

    https://www.googleapis.com/auth/admin.directory.domain.readonly,
    https://www.googleapis.com/auth/admin.directory.group.readonly,
    https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
    https://www.googleapis.com/auth/admin.directory.user.readonly

    OAuth Scope                               Functionality
    admin.directory.domain.readonly           Get users on the domain
    admin.directory.group.readonly            Get user group memberships
    admin.directory.rolemanagement.readonly   Get user roles
    admin.directory.user.readonly             Get user profile information
  8. Click Authorize.

Create a Google Workspace read-only admin role and delegated user

  1. Log in to the Google Admin console.

  2. From the left side menu, navigate to Account > Admin Roles.

  3. Click on Create new role.

  4. Give the role the name Radiant Read Only and select Continue.

  5. Scroll down to Admin API privileges.

  6. Select the following privileges:

    • Organizational Units -> Read

    • Users -> Read

    • Groups -> Read

  7. On the review screen, verify that all permissions are present and click Create Role.

  8. Once the role is created, it needs to be assigned to a new or existing Google Workspace account. On the Roles page for the new role, click Assign members and assign the role to the account that will be used as the Radiant Security Delegate User Email.
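Before entering these values in Radiant, the downloaded key, the Client ID granted domain-wide delegation, the four scopes and the Delegate User Email can be checked together with the following script. This is an added example, not part of the Radiant or Google documentation; the key file path, delegate email and domain are supplied by you, and the embedded sample key is constructed with placeholder values only.

```python
"""Pre-flight check for the radiant-connector key and its domain-wide delegation."""
import re

# The four read-only OAuth scopes authorised under Manage Domain-wide Delegation.
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
]
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email",
                   "client_id", "token_uri")

def scopes_field() -> str:
    """Comma-separated value to paste into the OAuth Scopes field (no trailing comma)."""
    return ",".join(SCOPES)

def validate_key(key: dict, expected_client_id: str) -> list[str]:
    """Offline checks on the parsed JSON key file; returns problems (empty list = OK)."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account' (wrong kind of credential file)")
    if not re.match(r"-----BEGIN (RSA )?PRIVATE KEY-----", key.get("private_key") or ""):
        problems.append("private_key is not PEM encoded")
    # The Client ID pasted into Domain-wide Delegation must be this key's client_id;
    # a mismatch makes every delegated call fail with unauthorized_client.
    if key.get("client_id") != expected_client_id:
        problems.append("client_id differs from the Client ID granted domain-wide delegation")
    return problems

def list_one_user_live(key_path: str, delegate_email: str, domain: str) -> dict:
    """Live check: impersonate the Delegate User and list one user via the Admin SDK.
    Needs network access plus the google-auth and google-api-python-client packages."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    creds = service_account.Credentials.from_service_account_file(key_path, scopes=SCOPES)
    creds = creds.with_subject(delegate_email)  # domain-wide delegation: act as this user
    directory = build("admin", "directory_v1", credentials=creds)
    return directory.users().list(domain=domain, maxResults=1).execute()

# Constructed sample key for the offline check: placeholder values, no real key material.
SAMPLE_KEY = {
    "type": "service_account", "project_id": "example-iam-logs",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "radiant-connector@example-iam-logs.iam.gserviceaccount.com",
    "client_id": "000000000000000000000", "token_uri": "https://oauth2.googleapis.com/token",
}

if __name__ == "__main__":
    print(scopes_field(), validate_key(SAMPLE_KEY, "000000000000000000000") or "key looks usable", sep="\n")
```

Run the offline part against your real key by loading it with `json.load` and passing the Client ID you copied in the delegation steps; call `list_one_user_live` only once the offline checks pass.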

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  3. Search for and select the Google Workspace option and then click Data Feeds.

  4. Select Google IAM.

  5. Add the following values from the previous steps:

    • BigQuery Project ID: {customer name}-iam-logs

    • BigQuery Dataset Name: -

    • Delegate User Email: the Google Workspace account assigned the Radiant Read Only admin role created above

    • Upload the JSON File

  6. Click Add Connector to save the connector configuration.
