Google Suite Integration

Transcend integrates with Google Workspace (formerly G Suite) and several individual native Workspace apps.

Transcend's Google Workspace integration provides functionality to discover data sources connected to an organization's Workspace. In addition to internal Workspace apps, it's common for companies to integrate many of their SaaS tools and data systems with Workspace. Whether it's integrating external apps for collaboration and efficiency, or using Google as an Identity Provider for SSO to external tools, it's likely that many data systems are connected to Workspace. As a result, Google Workspace can be used as a central place to pull a list of the systems where data is stored.

In addition to the Google Workspace Silo Discovery integration, Transcend supports integrations with individual Workspace apps to automate DSR fulfillment and provide discovery functionality. These include:

  • Google Docs
  • Google Slides
  • Google Sheets
  • Google Forms
  • Gmail
  • Google Ads
  • Google Analytics (for Identity Enrichment)
  • Google Drive (for discovery)

Once integrated and connected, DSR Automation configured to run through these integrations will perform the desired data action on the matched individual within those data silos. This functionality relies on Google Vault, which enables searching for personal information within Google Workspace files.

Some of Transcend's Google integrations are authenticated with a Service User account, and some use OAuth to connect with a person user account. It's initially quicker to connect an integration with a person account; however, a Service User account is a more secure option for integrations that require sensitive scopes or permissions that may not otherwise be given to a person user. The next sections break out the Google integrations that are connected with a person account and those with a service account, as the configuration for each type is the same.

  1. Your organization has a Google Vault license.
  2. You have access to your organization's Google Cloud Console, have permissions to create a new project, and provision a service account.
  3. You have access to the Google Admin Console, with permissions to modify Security Settings for your organization.
  4. You have access to an admin account in your organization with the permissions listed below. You can use an existing admin account or create a dedicated admin role & account with these privileges:
    • Google Vault: Manage Searches
    • Google Vault: Manage Exports
    • Google Vault: Manage Matters
    • Google Vault: Manage Audits
    • Read Organizational Units
    • Read Users
    • Read Groups

Transcend's Google Workspace, Google Forms, Gmail, Ads, and Analytics integrations are authenticated using an OAuth protocol with a person user account. Connecting each of these integrations requires that a user with the admin permissions described above logs in with the same credentials used to log in to Google Workspace or the Admin Console.

It's worth noting that the user connecting the integrations must be the same user logged in to Google. The initial connection will error if you try to connect the integration with a user that's different from the one you're currently logged in to Google with. This can happen if you're logged in to Google with a personal account but try to connect the integration with a different user account.

Transcend's Google Docs, Sheets, and Slides integrations use a client credentials method to authenticate. There are a few steps involved to create a Service User account and generate credentials specific to your Google organization.

The following setup steps can be used for configuring Docs, Sheets and Slides integrations.

Provision a Project and Service Account

  1. Create a new project. Create a dedicated project for the integration in your organization's Google Cloud Console, and enable the following APIs:

    If a GCP project was previously created for another Transcend Google integration, there's no need to create another project. Feel free to use the existing project.

  2. Create a service user account. Transcend recommends creating a dedicated service user account for each integration that will be connected, even if another service user has been configured for another Transcend integration. Creating a service user with limited scope for each integration reduces the risk of superpowered accounts. For example, if Google Docs and Google Sheets integrations will be connected, provision a service user for each integration.

    Navigate to the "IAM & Admin" tab for the desired project and select "Service Accounts" > select Create Service Account. Give the service account a name you'll remember, for example, "transcend-googledocs-integration".

    • You don't need to grant this service account any specific IAM roles or permissions.
    • Make note of the email address associated with this service account - you'll need it when connecting the integration.
  3. Source the client ID. Once the service account is created, select "Enable G Suite Domain-wide Delegation", and make note of the unique Client ID, as you will need to refer to this later.

  4. Generate a private key. A public-private key pair for this account is needed for the Transcend Connection form. You can create the key by:

    • Visiting the "Key" tab in the service account's settings page and selecting Add Key. Make sure to select JSON as the key type.
    • This will download a key file to your computer. You will need the JSON key file during the connection phase for the integration - Transcend only supports key files generated in the JSON format.

Transcend recommends using a different service account for each Google Workspace integration you connect.

Allowlist the Service Account

Once a dedicated service account is provisioned, the next step is to give it access to call the appropriate APIs in the Google organization.

  1. Go to your organization's Google Admin Console.
  2. From the navigation menu, select Security > Access and data controls > API Controls.
  3. Select Manage Domain Wide Delegation.
  4. Add a new "API Client", and in the form enter the Client ID of the Service Account noted in Step 3 of the previous section.
  5. Add the following OAuth scopes, as comma-separated values: https://www.googleapis.com/auth/ediscovery,https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly.
  6. For the Unstructured Discovery plugin in the Google Drive integration, please make sure to include the following two additional OAuth scopes: https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/drive.apps.readonly.
  7. Click "Authorize".

Complete Transcend's Connection Form

To complete authentication for the integration, navigate back to the Transcend dashboard and enter the following fields in the integration connection form:

  • Administrator Account Email Address
    • Email address of a user that can run and manage Google Vault Searches and Exports. This is usually an admin or account owner.
  • Service Account Email Address
    • This is for the service user that was created for the integration.
  • Service Account Private Key
    • This comes from the JSON key downloaded in setup. The integration connection form does not take the entire JSON object in the file, only the value for the private key. To obtain the private key:
      • Open the file in a text editor (TextEdit, VS Code, etc.)
      • Look for the private key field and copy everything between the quotes.
      • The key needs to be formatted before being pasted into the connection form. In the file, the key's line breaks are written as the characters \n. The easiest way to format this correctly is to copy the key into a new editor and do a "find & replace" on \n, where the "replace" value is an Enter or Return.
      • Copy the formatted key value into the connection form.
      • Connect the integration.
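
The key-formatting steps above can also be done with a JSON parser, which decodes the \n escapes itself and checks that the result is a complete PEM block. This is an added example, not Transcend's code: the field names (type, client_email, client_id, private_key) are those of Google's service account JSON key file, while the function names and the sample file are constructed for illustration.

```python
import base64
import json
import textwrap

PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"


def connection_fields(key_file_text: str) -> dict:
    """Pull the connection-form values out of a service account JSON key."""
    key = json.loads(key_file_text)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")

    # json.loads has already decoded the \n escapes into line breaks. The
    # replace() only matters for a value that was hand-copied or re-escaped
    # and still contains a literal backslash followed by "n".
    pem = key["private_key"].replace("\\n", "\n").strip()
    lines = pem.splitlines()
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("private_key is not a complete PEM block")
    # The body must be clean base64; this catches stray quotes or escapes.
    base64.b64decode("".join(lines[1:-1]), validate=True)

    return {
        "service_account_email": key["client_email"],
        "client_id": key["client_id"],  # compare with the allowlisted Client ID
        "private_key": pem + "\n",
    }


def constructed_key_file() -> str:
    """Constructed sample in the key file's layout; the body is not a key."""
    body = base64.b64encode(b"constructed placeholder, not a real key" * 4)
    pem = "\n".join([PEM_HEADER, *textwrap.wrap(body.decode(), 64), PEM_FOOTER])
    return json.dumps({
        "type": "service_account",
        "client_email": "transcend-googledocs-integration@example-project.iam.gserviceaccount.com",
        "client_id": "000000000000000000000",
        "private_key": pem + "\n",
    })


if __name__ == "__main__":
    fields = connection_fields(constructed_key_file())
    print(fields["service_account_email"], fields["client_id"])
    print(fields["private_key"].count("\n"), "lines in the formatted key")
```

Reading the downloaded file directly this way keeps the key out of scratch editor buffers; delete the JSON file or move it to a secrets store once the integration is connected.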

Read more on Connecting integrations.