Permissions required for the Google Drive connector
When you connect Code42 to Google Drive, you grant Code42 certain permissions in your Google Drive environment. This article lists the permissions Code42 requires as well as what those permissions allow Code42 to do in your Google Drive environment.
Google Drive permissions
Permissions your Google Workspace administrator needs
Code42 uses API client access to connect to and monitor file activity in your Google environment. In order to grant third-party services or applications domain-wide delegation or manage API client access in the Google Admin console, you must be a Google Workspace administrator that has the Super Admin role. Code42 cannot collect data from your Google environment when the connection is authorized by a Google Workspace administrator without this role.
For more information, see Resolve Google Drive security data errors.
Permissions the Code42 service account needs
As a service account, Code42 uses delegated domain-wide authority to collect file events from Google Drive. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Google Drive environment.
In the configuration steps when you connect Code42 to Google Drive, Code42 provides the following scopes for you to enter in your Google Admin console:
- https://www.googleapis.com/auth/admin.directory.domain.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.customer.readonly
- https://www.googleapis.com/auth/admin.reports.usage.readonly
- https://www.googleapis.com/auth/drive.readonly
- https://www.googleapis.com/auth/drive
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.reports.audit.readonly
This set of permissions gives Code42 the access to user information, file metadata, and drives that it needs to monitor file activity. The set includes manage and write permissions required for the Code42 data connection. However, Code42 is committed to data integrity and does not:
- Write to or modify content in your cloud storage environment
- Monitor the contents of files in cloud storage
- Back up files in cloud storage
Configuring these scopes in the Google Admin console gives the Code42 API client delegated domain-wide authority to your Google Drive environment, and follows Google's recommendation for allowing service accounts to read content from user drives. Because of this authority, audit logs of your Google Workspace environment may show the Code42 Cloud Service account impersonating the owner of each user drive in order to read its contents.
The Code42 data connection uses the /auth/drive scope to allow security analysts to:
- Temporarily view cloud storage files in an investigation
- View a cloud storage file's sharing permissions to assess risk when a file is shared either publicly or with untrusted users
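A least-privilege check for the delegation entry, added here as an example and not Code42's own code: it assumes the administrator copies the scope list back out of the Admin console's domain-wide delegation entry as the same comma-separated string that was entered there, and reports scopes that are missing (which break collection), scopes the connector does not need, and which granted scopes are write-capable.

```python
"""Least-privilege review of the scopes granted to a domain-wide delegated client.

Added example, not Code42's own code. Assumes the input is the comma-separated
scope string from the Admin console's domain-wide delegation entry.
"""

# Scopes the connector documentation requires (copied from the article above).
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.customer.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
})


def parse_scope_list(raw: str) -> set[str]:
    """Split a comma- or whitespace-separated scope string and normalise entries."""
    parts = raw.replace(",", " ").split()
    return {p.strip().rstrip("/") for p in parts if p.strip()}


def review_delegation(raw_scopes: str) -> dict[str, list[str]]:
    """Compare the granted scopes with the documented set.

    'missing' scopes will stop Code42 collecting data; 'extra' scopes are
    over-privilege the connector does not need; 'write_capable' lists granted
    scopes that are not read-only, which is where the article's
    non-modification commitment applies and where audit review should focus.
    """
    granted = parse_scope_list(raw_scopes)
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "extra": sorted(granted - REQUIRED_SCOPES),
        "write_capable": sorted(s for s in granted if not s.endswith(".readonly")),
    }


if __name__ == "__main__":
    # Constructed input: an admin pasted the list but dropped most required
    # scopes and added a Gmail scope that the connector does not use.
    sample = ("https://www.googleapis.com/auth/admin.directory.domain.readonly, "
              "https://www.googleapis.com/auth/drive, "
              "https://www.googleapis.com/auth/gmail.readonly")
    for key, scopes in review_delegation(sample).items():
        print(key, scopes)
```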
For more information on the specific metadata and file events visible in Forensic Search, see the File event metadata reference.