User Guides Aiimi

Google Drive

Connect your Google Drive system to Aiimi Insight Engine to make the most of the data.

Public and Private Google Drives must be configured separately.

Prerequisites

Your Google cloud environment must be configured to allow the connector access to various APIs, services and scopes. Before running the Google Drive Connector these 5 things must be in place.

Google Cloud Project

Aiimi Insight Engine's Google Drive Connector needs a project. A Google Cloud Project is required for Google Cloud Services such as managing APIs and resource permissions.

For information on creating a project see Google's documentation on creating and managing projects. (https://cloud.google.com/resource-manager/docs/creating-managing-projects)

Required APIs

Aiimi Insight Engine's Google Drive Connector requires 3 APIs to be enabled on the relevant project.

  1. Activity API

  2. Google Drive API

  3. Admin SDK API

For information on enabling APIs see Google's documentation on enabling an API in your Google Cloud project. (https://cloud.google.com/endpoints/docs/openapi/enable-api)

Service Account

A service account associated with the relevant project is needed to perform tasks for the connector. The delegated user used in conjunction with the Service Account Credentials need 2 custom roles. These roles will need relevant Admin privileges granted.

Custom role examples:

Google Drive Connector Role This can be Organisational Unit specific. Admin API Privileges - Users - Read

Google Drive Connector Groups This is for all Organisational Units. Groups are domain wide and not limited to a unit. Admin API Privileges - Groups - Read

Further Information

Any role intended to be Organisation Unit specific can only include the following privileges:

  1. Users

  2. User Security Management

  3. Organizational Units

  4. Chrome Management

  5. Shared device settings

Personal Google Drives - The delegated user will be limited to Personal Google Drives within their Organisational Unit. This ensures only the intended drives are discovered and crawled by Aiimi Insight Engine.

Shared/Team Drives - The delegated user must be a member with at least "Viewer" level access of each drive. This ensures only the intended drives are discovered and crawled by Aiimi Insight Engine.

For last access dates - There are 3 additional settings needed on the service account to track Google Last Access Dates. The Admin SDK API must be enabled for your Service Account. It must have a new custom role with Admin Console privilege of Reports. It must have read only access to the audits. https://www.googleapis.com/auth/admin.reports.audit.readonly

Please note, these capabilities will be ignored if Calculate Last Accessed Date for Deltas is not enabled.

For file actions such as Delete - The delegated user must be a "Manager" of the relevant drive. Only "Managers" are able to delete files from a Shared Google Drive. This ensures that only the Shared Drives connected to Aiimi Insight Engine can have files deleted.

For more information on service accounts see Google's documentation on Creating a service account. (https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)

API Secret Key

Your service account will require an API secret key to allow a secure connection. The secret key will be used as a secret only credential in Aiimi Insight Engine.

We recommend you download the key as a JSON file when prompted.

Once generated your private key will be downloaded to your machine. You must store this securely as google do not store it and cannot regenerate it.

Once the JSON is downloaded, use it's contents to create a secret only credential in Aiimi Insight Engine.

For support setting up a secret only credential see our guide on creating secret only credentials.

For more information on assigning keys see Google's documentation on Creating a service account. (https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)

Client Domain-Wide Delegation

To get the most out of your connection the service account must have domain-wide delegation and the correct scopes authorised.

A super admin must delegate domain-wide authority ensuring the correct Client ID is used for the service account.

The following scopes are required:

For more information on delegating authority see Google's documentation on Delegating domain-wide authority (https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority)

Connecting Google Drive with Aiimi Insight Engine

The GoogleDirectory security must be configured before. See our guide on Configuring the Google Directory Security.

  1. Source System: Select Google Drive Public or Google Drive Personal from the dropdown.

Connection

  1. Select Credential: Select the credential with the service account details for your Google Drive project.

  2. Delegated User: Enter the username of the Service Account user used for domain level operations.

Security Synchronisation

  1. Security Configuration: Select the security configuration the crawler will use to synchronise Google Directory and Aiimi Insight Engine users.

Drives

Indexing

  1. Permissionless Crawl: Check this to not retrieve file permissions.

    • This will improve performance, but impact security as permissions will not be tracked.

  2. Calculate Last Accessed Date for Deltas: Check this to update the last known accessed dates during a delta crawl.

    • There are additional service account requirement needed for this. See the service account section above for more details.

    • This date is only kept by Google for 180 days. We revert to the last modified date if this date is empty.

    • Enabling this will impact performance.

  3. Crawlable Drives List: Add all the Google Drives that will be crawled.

    • Add usernames for personal drives. For example user@domain.com.

    • Add the drive IDs for public drives.

  4. Uncrawlable Drives List: Add the Google Drives that will not be crawled.

    • Add usernames for personal drives. For example user@domain.com.

    • Add the drive IDs for public drives.

Deleting

  1. Delete Orphaned Drives: Check this to remove any orphaned Google Drives from Aiimi Insight Engine.

Advanced

Parallelism

  1. Parallel Drive Crawling: Enter the maximum number of drives that should be crawled at once.

  2. Parallel Folder Crawling: Enter the maximum number of folders, from one drive, that should be crawled at once.

  3. Parallel Folder Query: Enter the number of Elastic queries, from one drive, that should be crawled at once. This can impact the Elastic performance.

  4. Parallel Drive Deletion: Enter the number of folders that can be deleted at once. This can impact the Elastic performance.

PreviousGoogle BucketNextGoogle Vault

Last updated