Configuring the Veza integration for Google Drive
The Veza integration for Google Drive discovers shared drives, folders, and permissions within Google Drive file systems.
The integration uses a Google Cloud IAM service account to interact with the Google Drive v3 API, enabling it to list Shared Drives, Folders, and folder permissions. The service account needs to be added as a viewer to shared drives to retrieve listings and permissions. New drives the service account is a viewer on are extracted during data source discovery, which runs periodically after configuration.
Custom entity mapping:
Server: Google Workspace
Mount: Shared Drive
Folder: Folder
Google Drive has four roles that can be assigned to Shared Drives or Folders, and they are common between them. The role reference is as follows:
Organizer
File Organizer
Write
Commenter
Viewer
Note: The owner role is not currently supported.
Sharing permissions are associated with Google Workspace Users or Groups based on the role that identity has on the drive/folder.
Additionally, properties are discovered for the sharing settings on the mount and drive:
- `domain_users_only`: boolean indicating whether the drive/folder allows anyone in the domain access.
- `domain_role`: string set to the domain shared role if shared.
- `shared_anyone`: boolean indicating whether the drive/folder is shared with anyone with the link.
- `anyone_role`: string containing the shared role if shared.
Google provides multiple settings that can be configured by an Administrator on a Shared Drive that can limit the sharing options and scopes for drives. Veza represents these as properties on each Shared Drive to allow for searching. The table below explains the relationship between the Google setting description and the Veza property.

| Google setting | Veza property | Property value when the setting is enabled |
|---|---|---|
| "Allow managers to modify shared drive settings" | Admin Managed Restrictions | false |
| "Allow people outside of {Organization Name} to access files" | Domain Users Only | false |
| "Allow people who aren't shared drive members to access files" | Drive Members Only | false |
| "Allow content managers to share folders" | Sharing Folders Requires Organizer Permission | false |
| "Allow viewers and commenters to download, print, and copy files" | Copy Requires Write Permission | false |
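As an added example (not Veza's or Google's code), the following Python derives the four sharing properties listed above from Google Drive v3 permission records and reports which shared-drive restriction flags from `drives.list` are still permissive, using the Veza property names from the table. The drive and permission records are constructed samples, and the pairing of Drive v3 `restrictions` field names with the Veza property names is an assumption inferred from the table.

```python
# Constructed sample: one shared drive as returned by drives.list
# (fields=drives(name,restrictions)) and its permissions.list records.
SAMPLE_DRIVE = {
    "name": "Finance",
    "restrictions": {
        "adminManagedRestrictions": False,
        "domainUsersOnly": False,
        "driveMembersOnly": False,
        "copyRequiresWriterPermission": True,
        "sharingFoldersRequiresOrganizerPermission": False,
    },
}
SAMPLE_PERMISSIONS = [
    {"type": "user", "role": "organizer", "emailAddress": "alice@example.com"},
    {"type": "group", "role": "reader", "emailAddress": "finance@example.com"},
    {"type": "domain", "role": "commenter", "domain": "example.com"},
    {"type": "anyone", "role": "reader"},
]
# Assumed mapping: Drive v3 restriction flag -> Veza property from the table.
RESTRICTION_PROPERTIES = {
    "adminManagedRestrictions": "Admin Managed Restrictions",
    "domainUsersOnly": "Domain Users Only",
    "driveMembersOnly": "Drive Members Only",
    "sharingFoldersRequiresOrganizerPermission":
        "Sharing Folders Requires Organizer Permission",
    "copyRequiresWriterPermission": "Copy Requires Write Permission",
}

def sharing_properties(permissions):
    """A 'domain' permission sets domain_users_only/domain_role; an 'anyone'
    permission (anyone with the link) sets shared_anyone/anyone_role."""
    props = {"domain_users_only": False, "domain_role": None,
             "shared_anyone": False, "anyone_role": None}
    for perm in permissions:
        if perm.get("type") == "domain":
            props["domain_users_only"] = True
            props["domain_role"] = perm.get("role")
        elif perm.get("type") == "anyone":
            props["shared_anyone"] = True
            props["anyone_role"] = perm.get("role")
    return props

def permissive_settings(drive):
    """Veza property names whose restriction flag is false, i.e. the Google
    'Allow ...' setting is still enabled on the shared drive."""
    restrictions = drive.get("restrictions", {})
    return [name for flag, name in RESTRICTION_PROPERTIES.items()
            if not restrictions.get(flag, False)]
```

A drive that comes back with `shared_anyone` true or with most restriction flags false is the one to review first, since the viewer-level service account sees exactly these records during discovery.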
The Google Drive connector uses a Google Workspace user to perform discovery. Veza is granted permission to act as this user via an OAuth flow. Integration capabilities depend on the Workspace user's role and the shared drives they can view:
If the Google User is a Super Admin, Veza can discover all Google Drives and permissions. If using a Super Admin, check the Domain Admin Access box when adding the integration to Veza.
If the user is not a Super Admin, then the user must be added as a viewer to each Google Drive the integration will discover.
To discover Folder permissions on a drive, the User must be added as a viewer to the drive, regardless of role.
To create an OAuth app, assign scopes, and retrieve the credentials:
1. Log into Google Cloud Console https://console.cloud.google.com/
2. Create a new project https://developers.google.com/workspace/guides/create-project and select that project
3. Navigate to APIs & Services
4. Select Enabled APIs & Services from the left and click + Enable APIs and Services from the top to enable a new API
5. Search for "Google Drive API", select it from the results, and select Enable
6. Return to APIs & Services and select OAuth Consent Screen
7. Select Internal for the App type and click Create
8. Provide a name and the contact emails
9. Click Save and Continue
10. Click Add or Remove Scopes
11. Add the https://www.googleapis.com/auth/drive.readonly scope. The drive.readonly scope is required to list Shared Drives.
12. Click Save and Continue
13. Return to APIs & Services and select Credentials
14. Create credentials by clicking + Create Credentials and selecting OAuth Client ID
15. Select Web Application for Application Type and enter a name
16. Under Authorized redirect URLs add https://oauth2-redirect.on.vezacloud.com
17. Save and download the JSON file from the creation modal
Then, in Veza:
1. Open the Integrations page.
2. Click Add New and pick Google Drive as the type of integration to add.
3. Enter the required information and Save the configuration:

| Field | Description |
|---|---|
| Customer ID | Google Workspace ID |
| Credentials | Credentials JSON file from the Google setup procedure above |
| Domain Admin Access | Check to use Domain Admin privileges during discovery (user must be Super Admin) |
| Drive Allow List | List of Drive names to discover; if provided, drives that do not match this list will be ignored |
| Drive Deny List | List of Drives to exclude from discovery |

4. Click the Authorize button and complete the flow through the Google consent screens.
5. After being redirected to the Edit Integration page, save the integration.