Google Drive
Connecting Google Drive to LightBeam
Last updated
Connecting Google Drive to LightBeam
Last updated
LightBeam Spectra users can connect various data sources to the LightBeam application and these data sources will be continuously monitored for PII, PHI data.
Example: Google Drive, OneDrive, SharePoint, etc
Login to your LightBeam Instance.
Click on DATASOURCES on the Top Navigation Bar.
Click on “Add a data source”.
Search for “Google Drive”.
Click on Google Drive.
Fill in the requested information and click on Next.
Data Source Name: This is the unique name given to the data source.
Description: This is an optional field needed to describe the use of this data source.
Primary Owner: Email address of the person responsible for this data source which will get alerts by default.
Entity Creation: LightBeam Spectra detects and associates attributes based on the context and identifies whose data it is; these are called entities. Example: Jane Doe is an entity for whom LightBeam Spectra might have detected Name and SSN in a monitored data source.
Source of Truth: LightBeam Spectra would have monitored data sources that contain data acting as a single point of truth and that can be used for looking up entities/attributes which help to identify if the other attributes/entities found in any other data source are accurate or not. A Source of Truth data set would create entities based on the attributes found in the data.
Location: The location of the data source.
Purpose: The purpose of the data being collected/processed.
Stage: The stage of the data source. Example: Source, Processing, Archival, etc.
Provide the credentials as shown below and click on Test Connection.
Verify that you get the message Connection Success! on the screen. Click on Next.
In this step, you can choose either of three scan setting options –
i) Scan all Drives
ii) Scan selected Drives
iii) Scan folder
To choose option (i), select Scan all Drives, and click on Save.
To choose option (ii), select Scan selected drives. Now enter the names of the drives that you would like to include for scanning in the Search box individually.
Select the drives by ticking the checkboxes next to them.
Click on Save.
To choose option (iii), select Scan folder.
This is a two-fold process:
To add the drive containing the folder you want to scan, first follow the instructions in option (ii).
Now enter the ID of the folder that you would like to include for scanning in the Search box. ID can be found the folder URL. Example: https://drive.google.com/drive/folders/<Folder_ID>
Click on Save.
Now we are ready to browse through onboarded Google Drive data source dashboard.
This document describes the steps to generate the service account json required to connect to and call Google APIs to access various Google services.
Success Tip: Depending on the services you plan to use, choose the corresponding subscription plan for your GSuite account. You must select the GSuite Business subscription if you want a use case to access Audit API reports, let users create shared drives, etc.
Make sure the following APIs are enabled:
Google Drive API
Admin SDK API
Gmail API
Drive Labels API
Click on CONFIGURE CONSENT SCREEN which is shown at the top as a warning. Choose User Type as Internal and click on CREATE.
Give a name to your application. e.g. demo-application.
Choose/Write the logged-in admin user’s email as the value for the mandatory fields of User support email and Developer contact information.
Click on SAVE AND CONTINUE.
Skip the next screens and come back to the Credentials page.
Create a service account. Click on the CREATE CREDENTIALS > Service account.
Give a name and description and click on CREATE.
Select a role for this service account. You might see an option labeled 'Currently used', and the role value could be 'Owner'. This is because we've logged in using an admin account and created the project. Click on CONTINUE.
You can also add more users (apart from the logged-in admin user) to the service account. This step is optional.
Click on DONE.
You will now be redirected to the credentials page and observe that a service account is created. Click to edit the created service account.
In the pre-selected DETAILS tab, click on the advanced settings drop-down
CREATE GOOGLE WORKSPACE MARKETPLACE- COMPATIBLE OAUTH CLIENT
There is another section called Keys.
Click on ADD KEY → Create new key → Choose Key type as JSON → CREATE.
A service account JSON will be downloaded.
This file will be used as <inputfile> in the last command mentioned in the document.
You will see that an Oauth 2.0 Client ID is created as a result of the previous step of creating a service account.
Sign in with an administrator account.
click on Main Menu (This is located at the top left section of the page and is a hamburger menu option) → Security → Access and Data control → API Controls.
Click on Manage domain-wide delegation.
You will see a screen where all the clients for your account are listed. You will need to add scopes for the newly created client whose Client Id has already been copied to your clipboard (see annotated text above in Create Service Account). Here, click on Add new.
Paste the Client Id in the corresponding placeholder.
Enter the below OAuth scopes in a comma-separated fashion in the second field:
Click on AUTHORIZE.
Then, select the configured client and click on “view details” to make sure all OAuth scopes are configured correctly, it should look like:
Fetch the Auth Values to connect to LightBeam
base64 -i inputfile -o outfile
OR
openssl base64 -A -in <inputfile> -out <outfile>
Save the outfile which will be needed while onboarding the datasource.
After the generation of the service account JSON, one needs to use the same while onboarding the Google Drive datasource into LightBeam. We explain the steps for this in the following section.
To onboard the Google Drive datasource in LightBeam we need the following:
Delegated credentials.
The following explains the meaning of delegate credentials and their use with LightBeam:
Delegated credentials:
This field is the email address of the user who is the Google account admin for the organization. In most cases, this email id is the same as that of the user who helped generate the service account credentials. If not the admin, the email id must be of a user who at minimum has permission for Groups and Services in the Admin portal. Attached below is a screenshot of how the config for this kind of user would look in the Admin portal.
How does LightBeam use the Delegated credentials?
For accessing the Gmail data of users in the organization a service account is created, and it needs to be given domain-wide delegation. Domain-wide delegation allows a service account to access user data on behalf of any user in a Google Apps domain without requiring consent from every user. This email represents the user on behalf of whom the service account would be accessing various google api calls like listing users, drives etc.
LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.
Note: To get the Google Drive data source details please check .
As a Google Admin User: Create a project if the one needed does not exist already:
Select the newly created project and click on ENABLE APIS AND SERVICES on this link .
Generate credentials on
Go to the credential page URL
To sign in to , use an administrator account for a managed Google service, such as Google Workspace or Cloud Identity.
On the page with the same logged-in admin user,
,
,
,
,
,
,
,
,
,
,
,
Above is Including scope for .
Base64 encoded value of the service account json created (using the steps listed )
For any questions or suggestions, please get in touch with us at: .
