# Google Workspace IAM only

In this guide, you will set up a trust relationship between Radiant and your Google Workspace account that allows Radiant to retrieve user and group IAM information (users, groups, admin roles and domains) through the Admin SDK Directory API.

At the end of this configuration, you will provide Radiant Security with the following information:

* **Delegate User Email**: a Google Workspace user account that holds the read-only admin role created below
* **Service account key (JSON file)**: the key of the service account that is granted domain-wide delegation (the page refers to this file as the API key)

### License Requirements

To collect only IAM information, the account will need to have ***one*** of the following Google Workspace plans:

* Enterprise
* Education Standard
* Education Plus
* Business Plus

To verify your current license plan, visit [`https://admin.google.com/ac/billing/subscriptions`](https://admin.google.com/ac/billing/subscriptions) from an account with admin-level access.

### Prerequisites

To complete the steps below, the logged-in user must have the following permissions/roles:

* [ ] Google Workspace role: `Super Administrator` (required to grant domain-wide delegation and to create admin roles)
* [ ] Google Cloud role: `roles/resourcemanager.projectIamAdmin`
* [ ] Google Cloud permission: `resourcemanager.projects.create`

### Create a new project in Google Cloud

1. Access the Google Cloud console.
2. On the **Select organization** drop-down list at the top of the page, click **New project** to create a new project.
   * **Project name**: `{your organization's name}-iam-logs`
3. Ensure other fields are correctly defined.
4. Copy the **Project ID**.
5. Click **Create**.
6. Select the newly created project from the drop-down list at the top of the page.
7. From the left side menu, navigate to **APIs & Services** > **Library** and enter `Admin SDK API` in the search bar. Alternatively, you can use the top search bar to navigate to the Library page.
8. Select **Admin SDK API** and click **Enable.**
9. Return to the Library (**APIs & Services** > **Library)** and search for `Cloud Identity`.
10. Select **Cloud Identity** and click **Enable.**
11. From the left side menu, navigate to **APIs & Services** > **OAuth Consent Screen**
12. Click **Get Started**
13. Define the app with the following fields:
    * **App name**: `radiant-iam-logs`
    * **User support email**: `<select the appropriate user>`
    * **Audience**: Select **Internal**
    * **Developer contact email address**: `<select the appropriate user>`
14. Click **Create**

### Create a new service account

You must provide a dedicated service account in your Google Cloud project to ingest the data. The service account itself needs no Google Cloud IAM roles; its access to Workspace data comes from the domain-wide delegation and the delegate user configured in the following sections.

1. While still in the Google Cloud console, navigate to **IAM & Admin** > **Service Accounts.** Alternatively, you can use the top search bar to navigate to the Service Accounts page.
2. Click + **Create service account** and add the following information:
   * **Service account name**: `radiant-connector`
3. Click **Create and Continue**.
4. Click **Done** to save the service account.
5. Click on the newly created service account `radiant-connector` to edit it.
6. Navigate to **Keys** > + **Add key** > **Create new key**.
7. Select **JSON** and then click **Create**.
8. The service account key is downloaded automatically as a JSON file.

{% hint style="info" %}
**Note**: Your new public/private key pair is generated and downloaded to your machine as a new file. This file is the only copy of this key; Google does not retain the private key. Treat it like a password: once delegation is granted, anyone holding the file can act as the delegate user with the scopes listed below. This file will be uploaded to Radiant Security at the end of the guide. For information about how to store your key securely, see [Managing service account keys](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys).
{% endhint %}

### Grant access to the service account

To call APIs in a Google Workspace, the new service account needs to be granted domain-wide delegation of authority in the Google Workspace Admin console by a super administrator account. For more information, see [Delegating domain-wide authority to a service account](https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority).

1. On the **Service** **Accounts** page, click on the newly created service account `radiant-connector` to edit it.
2. On the **Details** tab, expand the **Advanced settings** section and copy the `Client ID` (a numeric OAuth 2 client ID, not the service account email).
3. Click **View Google Workspace Admin Console**.
4. From the left side menu, navigate to **Security** > **Access and data control** > **API Controls**.
5. Click **Manage Domain-wide Delegation**.
6. Click **Add new** and paste the `Client ID` you copied from step 2.
7. In the **OAuth Scopes** field, paste the following scopes as one comma-separated list (no trailing comma):

   ```
   https://www.googleapis.com/auth/admin.directory.domain.readonly,
   https://www.googleapis.com/auth/admin.directory.group.readonly,
   https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
   https://www.googleapis.com/auth/admin.directory.user.readonly
   ```
8. What each OAuth scope allows is listed in the following table (all four are read-only):

   | OAuth Scope                             | Functionality                                    |
   | --------------------------------------- | ------------------------------------------------ |
   | admin.directory.domain.readonly         | List the domains in the Google Workspace account |
   | admin.directory.group.readonly          | Get groups and group memberships                 |
   | admin.directory.rolemanagement.readonly | Get admin roles and role assignments             |
   | admin.directory.user.readonly           | Get users and their profile information          |
9. Click **Authorize**.

### Create a Google Workspace read-only admin role and delegated user

{% hint style="warning" %}
**Important note:** In order for the Google Workspace APIs to be used by the service account, a delegate Google Workspace account that has all of the privileges needed by the APIs is required. This is an account within the Google Workspace environment, and is not the same as the service account created previously. For more information check out [Delegating domain-wide authority to the service account](https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority).
{% endhint %}

1. Log in to the **Google Admin** console.
2. From the left side menu, navigate to **Account > Admin Roles**.
3. Click on **Create new role**.
4. Give the role the name **Radiant Read Only** and select **Continue**.
5. Scroll down to **Admin API privileges**
6. Select the following privileges:
   * **`Organizational Units -> Read`**
   * **`Users -> Read`**
   * **`Groups -> Read`**
7. On the review screen, verify that all permissions are present and click **Create Role**.
8. Once the role is created, it needs to be assigned to a new or existing Google Workspace user account. On the **Roles** page for the new role, click **Assign members** and assign it to the Google Workspace user that will be used as the Radiant Security Delegate User Email. This is a regular Workspace user, not the `radiant-connector` service account.
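Before adding the connector, it is worth checking that the three artefacts gathered so far fit together: the downloaded key belongs to the project you created, its `client_id` is the value entered under **Manage Domain-wide Delegation**, and the delegate e-mail is a Workspace user rather than the service account. The script below is an added example (not Radiant's or Google's code) that performs those checks offline against a constructed sample key (fake values, dummy private key, project `acme-iam-logs`). The optional `live_check` function assumes the `google-auth` and `google-api-python-client` packages are installed and impersonates the delegate to list one user, which exercises the same delegation path Radiant will use, so a failure there is the failure the connector would report.

```python
"""Pre-flight checks for the Radiant Google Workspace IAM connector.

Added example, not Radiant's or Google's code. The offline checks inspect the
downloaded service-account key JSON and the delegate e-mail; live_check() is an
optional online step that assumes google-auth and google-api-python-client.
"""
import json
import sys

# Scopes exactly as listed in the guide. The DWD "OAuth Scopes" field takes a
# comma-separated list, so build the string here rather than typing it.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
)

REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "client_id", "token_uri")

# Constructed sample resembling a downloaded key file; every value is fake and
# the private key is a dummy string, not real key material.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "acme-iam-logs",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "radiant-connector@acme-iam-logs.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def dwd_scope_string(scopes=REQUIRED_SCOPES):
    """String for the OAuth Scopes field: comma-separated, no trailing comma."""
    return ",".join(scopes)


def load_key(path):
    """Read the downloaded JSON key file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def validate_key_file(key, expected_project_id, dwd_client_id):
    """Return a list of problems; an empty list means the key looks right.

    dwd_client_id is the Client ID you pasted (or will paste) into
    Manage Domain-wide Delegation; it must equal the key's own client_id.
    """
    problems = [f"missing field: {f}" for f in REQUIRED_KEY_FIELDS if f not in key]
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    if key["project_id"] != expected_project_id:
        problems.append(f"project_id {key['project_id']!r} != {expected_project_id!r}")
    if not key["client_id"].isdigit():
        problems.append("client_id should be the numeric OAuth 2 client ID")
    if key["client_id"] != dwd_client_id:
        problems.append("client_id does not match the ID entered in Domain-wide Delegation")
    # Default service-account address is <name>@<project-id>.iam.gserviceaccount.com
    suffix = f"@{key['project_id']}.iam.gserviceaccount.com"
    if not key["client_email"].endswith(suffix):
        problems.append(f"client_email does not end with {suffix}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key block")
    return problems


def check_delegate(delegate_email, key):
    """The delegate must be a Workspace user, never the service account itself."""
    problems = []
    if "@" not in delegate_email:
        problems.append("delegate is not an e-mail address")
    elif (delegate_email.endswith(".gserviceaccount.com")
          or delegate_email == key.get("client_email")):
        problems.append("delegate must be a Google Workspace user, not the service account")
    return problems


def live_check(key_path, delegate_email):
    """Impersonate the delegate and list one user through the Admin SDK.

    Needs network access and the google-auth / google-api-python-client
    packages (assumed). Succeeds only if the API is enabled, delegation is
    granted for these scopes, and the delegate holds the admin role.
    """
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=list(REQUIRED_SCOPES), subject=delegate_email)
    directory = build("admin", "directory_v1", credentials=creds, cache_discovery=False)
    resp = directory.users().list(customer="my_customer", maxResults=1).execute()
    return resp.get("users", [])


if __name__ == "__main__":
    # usage: python preflight.py key.json <project-id> <dwd-client-id> <delegate-email> [--live]
    path, project, client_id, delegate = sys.argv[1:5]
    key = load_key(path)
    issues = validate_key_file(key, project, client_id) + check_delegate(delegate, key)
    for issue in issues:
        print("PROBLEM:", issue)
    if not issues and "--live" in sys.argv[5:]:
        print("live check returned", len(live_check(path, delegate)), "user(s)")
    print("OK" if not issues else "FIX THE ABOVE BEFORE UPLOADING")
```

Run it against the real key file with the Project ID from the Google Cloud console, the Client ID you pasted into the delegation screen, and the delegate address; add `--live` once the admin role is assigned to confirm that impersonation works end to end.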

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings > Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Google Workspace** option and then click **Data Feeds**.
4. Select **Google IAM**.
5. Add the following values from the previous steps:
   * **BigQuery Project ID**: the Project ID you copied when creating the project (the project was named `{your organization's name}-iam-logs`; the ID can differ from the name)
   * **BigQuery Dataset Name**: `-`
   * **Delegate User Email**: the Google Workspace user account that holds the **Radiant Read Only** admin role
   * **Upload the JSON File**: the service account key downloaded earlier
6. Click **Add Connector** to save the connector configuration.

