Google Workspace
Overview
Gain visibility into Google Workspace users, groups, organizational structure, and admin roles to enhance identity governance, improve security posture, and ensure compliance. Monitor user access patterns, organizational hierarchies, and administrative permissions to maintain secure and compliant identity management across your Google Workspace environment.
Configurations
| Configuration | Description |
|---|---|
| Blueprint Account Name | A human-readable name for your account that will be used to identify this account across the application. |
| Service Account JSON | Google Service Account credentials in JSON format with domain-wide delegation enabled |
| Admin Email | Email address of a Google Workspace admin user to impersonate for API calls |
| Customer ID | Google Workspace customer ID (optional, defaults to 'my_customer' for the primary domain) |
| Data Crawl Frequency | The frequency at which Kscope will crawl your Google Workspace account for data. |
Permissions
The Google Workspace blueprint requires a Service Account with domain-wide delegation enabled. Follow these steps to create and configure the service account:
Step 1: Create a Service Account
- Go to the Google Cloud Console
- Select your project or create a new one
- Navigate to IAM & Admin > Service Accounts
- Click Create Service Account
- Enter a name and description for the service account
- Click Create and Continue
- Skip the optional steps and click Done
- Click on the newly created service account
- Go to the Keys tab
- Click Add Key > Create new key
- Select JSON format and click Create
- Save the downloaded JSON file securely (this is your Service Account JSON credential)
Step 2: Enable Domain-Wide Delegation
- In the service account details, copy the Client ID (a numeric string)
- Go to your Google Workspace Admin Console
- Navigate to Security > Access and data control > API Controls
- Click Manage Domain Wide Delegation
- Click Add new
- Paste the Client ID from step 1
- Add the following OAuth scopes (comma-separated):
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
- Click Authorize
Step 3: Enable Required APIs
- In the Google Cloud Console, navigate to APIs & Services > Library
- Search for and enable the following APIs:
- Admin SDK API
Required OAuth Scopes:
| Scope | Description | Why it's needed |
|---|---|---|
| admin.directory.user.readonly | Read user information | Access user profiles, authentication settings, and user lifecycle data |
| admin.directory.group.readonly | Read group information | Read group configurations, memberships, and group-based access policies |
| admin.directory.orgunit.readonly | Read organizational unit information | Access organizational structure and hierarchy data |
| admin.directory.rolemanagement.readonly | Read admin role information | Access admin roles, privileges, and role assignments |
Important Notes:
- The service account must have domain-wide delegation enabled
- You must specify an admin email address to impersonate for API calls
- The admin user being impersonated must have sufficient privileges to access all resources
- Store the service account JSON credentials securely and never commit them to source control
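One way to exercise the configuration above from code, as an added example that is not the blueprint's own implementation: it checks the downloaded key locally, builds credentials that impersonate the Admin Email with the four scopes authorized in step 2, and pages through the Directory API users list. It assumes the google-auth and google-api-python-client packages; the helper names (validate_service_account_info, delegated_credentials, list_users) are this example's own.

```python
# The four read-only scopes authorized under Domain-Wide Delegation (from the steps above).
DELEGATION_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
]
REQUIRED_KEYS = ("type", "project_id", "private_key", "client_email", "client_id", "token_uri")

def delegation_scope_string():
    """Comma-separated form expected by the 'Manage Domain Wide Delegation' page."""
    return ",".join(DELEGATION_SCOPES)

def validate_service_account_info(info):
    """Return a list of problems with a parsed service-account key; empty means it looks usable."""
    problems = [f"missing field: {k}" for k in REQUIRED_KEYS if k not in info]
    if info.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    # The Client ID pasted into the Admin Console must be the numeric OAuth2 client id.
    if not str(info.get("client_id", "")).isdigit():
        problems.append("client_id is not numeric")
    if "-----BEGIN PRIVATE KEY-----" not in info.get("private_key", ""):
        problems.append("private_key is not a PEM private key")
    return problems

def delegated_credentials(info, admin_email):
    """Credentials that act as admin_email via domain-wide delegation (the subject= parameter)."""
    from google.oauth2 import service_account  # deferred: only needed for live API calls
    problems = validate_service_account_info(info)
    if problems:
        raise ValueError("; ".join(problems))
    return service_account.Credentials.from_service_account_info(
        info, scopes=DELEGATION_SCOPES, subject=admin_email)

def list_users(info, admin_email, customer_id="my_customer"):
    """Page through users.list with the delegated credentials; customer_id is the Customer ID setting."""
    from googleapiclient.discovery import build  # deferred: only needed for live API calls
    service = build("admin", "directory_v1", credentials=delegated_credentials(info, admin_email))
    token, users = None, []
    while True:
        resp = service.users().list(customer=customer_id, maxResults=500, pageToken=token).execute()
        users.extend(resp.get("users", []))
        token = resp.get("nextPageToken")
        if not token:
            return users
```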
For more details on Google Workspace Admin SDK, refer to the following documentation:
Schema Model
| Resources | Source Entity | Normalized Entity | Description |
|---|---|---|---|
| Google Workspace | googleworkspace | Instance | The Google Workspace instance. |
| Workspace | googleworkspace.workspace | Workspace | The Google Workspace domain. |
| Users | googleworkspace.user.User | User | A Google Workspace user. |
| User External IDs | googleworkspace.user.ExternalID | ExternalID | External identifiers for a user. |
| User Phones | googleworkspace.user.Phone | Phone | Phone numbers for a user. |
| User Locations | googleworkspace.user.Location | Location | Physical locations for a user. |
| User Organizations | googleworkspace.user.Organization | Organization | Organization details for a user. |
| Groups | googleworkspace.group.Group | Group | A Google Workspace group. |
| Group Members | googleworkspace.group.Member | Member | Members of a group. |
| Organizational Units | googleworkspace.orgunit.OrgUnit | OrgUnit | An organizational unit. |
| Admin Roles | googleworkspace.role.Role | Role | An administrative role. |
| Role Privileges | googleworkspace.role.RolePrivilege | Privilege | Privileges assigned to a role. |
| Role Assignments | googleworkspace.roleassignment.RoleAssignment | RoleAssignment | Role assignments to users/groups. |
Resources Crawled
The Google Workspace crawler collects the following information:
Users
- Basic profile information (name, email, user ID)
- Admin and delegated admin status
- Last login time and creation time
- Suspended status and suspension reason
- Organizational unit membership
- 2-step verification status (enrolled and enforced)
- Email aliases
- External IDs (e.g., employee ID)
- Phone numbers
- Physical locations (building, floor, area)
- Organization information (title, department, cost center)
Groups
- Group email and name
- Group description
- Member count
- Admin-created status
- Email aliases
- Group members with roles (OWNER, MANAGER, MEMBER)
- Member types (USER, GROUP, CUSTOMER)
- Member status
Organizational Units
- Organizational unit path and ID
- Name and description
- Parent organizational unit relationships
- Inheritance settings
Admin Roles
- Role name and description
- System role indicator
- Super admin role indicator
- Role privileges with service associations
Role Assignments
- Assigned user or group
- Assignee type (USER or GROUP)
- Scope type (CUSTOMER or ORG_UNIT)
- Organizational unit scope (if applicable)
Use Cases
Identity Governance
- Monitor user lifecycle and access patterns
- Track organizational structure and reporting hierarchies
- Identify dormant or inactive accounts
- Audit admin role assignments and privileges
Security Posture
- Verify 2-step verification enforcement
- Monitor admin user activities
- Track privileged role assignments
- Identify users with elevated permissions
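The dormant-account, 2-step verification and elevated-permission checks listed under Identity Governance and Security Posture, as an added example that is not part of the blueprint: it runs over a few constructed records that use the Admin SDK Directory API field names the crawler collects (isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, lastLoginTime, suspended, scopeType, orgUnitId). The sample data, the 90-day dormancy threshold and the helper names are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

def user(email, admin, delegated, enrolled, enforced, last_login, suspended=False):
    """Record in Admin SDK users.list field naming (constructed sample data, not real users)."""
    return {"primaryEmail": email, "isAdmin": admin, "isDelegatedAdmin": delegated,
            "isEnrolledIn2Sv": enrolled, "isEnforcedIn2Sv": enforced,
            "lastLoginTime": last_login, "suspended": suspended}

USERS = [  # constructed: a 2SV-compliant admin, a delegated admin without 2SV, a never-used account, a suspended one
    user("alice@example.com", True, False, True, True, "2024-05-30T08:00:00.000Z"),
    user("bob@example.com", False, True, False, False, "2024-01-02T08:00:00.000Z"),
    user("svc@example.com", False, False, False, False, "1970-01-01T00:00:00.000Z"),
    user("old@example.com", False, False, True, False, "2023-11-01T08:00:00.000Z", suspended=True),
]
ROLES = {"r1": {"roleName": "_SEED_ADMIN_ROLE", "isSuperAdminRole": True},   # roleIds constructed
         "r2": {"roleName": "_GROUPS_ADMIN_ROLE", "isSuperAdminRole": False}}
ROLE_ASSIGNMENTS = [  # roleAssignments.list shape: scopeType is CUSTOMER or ORG_UNIT
    {"assignedTo": "u-alice", "roleId": "r1", "scopeType": "CUSTOMER"},
    {"assignedTo": "u-bob", "roleId": "r2", "scopeType": "ORG_UNIT", "orgUnitId": "ou-sales"},
]
USER_IDS = {"u-alice": "alice@example.com", "u-bob": "bob@example.com"}  # user id -> primaryEmail

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def dormant_accounts(users, now=NOW, days=90):
    """Unsuspended accounts with no login within `days`; never-used accounts report 1970."""
    cutoff = now - timedelta(days=days)
    return sorted(u["primaryEmail"] for u in users
                  if not u["suspended"] and parse_ts(u["lastLoginTime"]) < cutoff)

def admins_without_2sv(users):
    """Admins or delegated admins not both enrolled in and enforced for 2-step verification."""
    return sorted(u["primaryEmail"] for u in users
                  if (u["isAdmin"] or u["isDelegatedAdmin"])
                  and not (u["isEnrolledIn2Sv"] and u["isEnforcedIn2Sv"]))

def privileged_assignments(assignments, roles, user_ids):
    """Per assignee: role name, whether it is a super-admin role, and how wide the scope is."""
    out = {}
    for a in assignments:
        role = roles[a["roleId"]]
        who = user_ids.get(a["assignedTo"], a["assignedTo"])
        scope = "CUSTOMER" if a["scopeType"] == "CUSTOMER" else "ORG_UNIT:" + a["orgUnitId"]
        out.setdefault(who, []).append(
            {"role": role["roleName"], "super_admin": role["isSuperAdminRole"], "scope": scope})
    return out
```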
Compliance
- Document organizational structure
- Audit user access and permissions
- Track role-based access control
- Maintain compliance with identity governance policies
Cross-Platform Integration
- Connect Google Workspace users to cloud resources (AWS, GCP, Azure)
- Link Google Workspace groups to application access (GitHub, Jira, etc.)
- Correlate user identities across multiple platforms
- Analyze access patterns across integrated services