Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Permissions required for the Google Drive connector

Overview

When you connect Code42 to Google Drive, you grant Code42 certain permissions in your Google Drive environment. This article lists the permissions Code42 requires as well as what those permissions allow Code42 to do in your Google Drive environment.

Google Drive permissions

Permissions your Google Workspace administrator needs

Code42 uses API client access to connect to and monitor file activity in your Google environment. In order to grant third-party services or applications domain-wide delegation or manage API client access in the Google Admin console, you must be a Google Workspace administrator that has the Super Admin role. Code42 cannot collect data from your Google environment when the connection is authorized by a Google Workspace administrator without this role.

For more information, see Resolve Google Drive security data errors.

Permissions the Code42 service account needs

As a service account, Code42 uses delegated domain-wide authority to collect file events from Google Drive. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Google Drive environment.

In the configuration steps when you connect Code42 to Google Drive, Code42 provides the following scopes for you to enter in your Google Admin console:

Copied!
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.customer.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly

This set of permissions gives Code42 the access to user information, file metadata, and drives needed to monitor file activity. This set includes manage and write permissions required for the Code42 data connection. However, Code42 is committed to data integrity and does not:

  • Write to or modify content in your cloud storage environment
  • Monitor the contents of files in cloud storage
  • Back up files in cloud storage

Configuring these scopes in the Google Admin console gives the Code42 API client delegated domain-wide authority to your Google Drive environment, and follows Google's recommendation for allowing service accounts to read content from user drives. Because of this authority, audit logs of your Google Workspace environment may show the Code42 Cloud Service account impersonating the owner of each user drive in order to read its contents.

The Code42 data connection uses the /auth/drive scope to allow security analysts to:

More information on file activity
For more information on the specific metadata and file events visible in Forensic Search, see the File event metadata reference.

 

  • Was this article helpful?