G Suite

This page describes how to enable collection of G Suite data for processing by Forseti Inventory.

Before you begin

To complete this guide and enable a service account in your G Suite admin control panel, you must have the super admin role in admin.google.com.

Enable Domain-wide Delegation (DwD) in G Suite

To enable collection of G Suite data using your existing Forseti service account, follow the steps below. Read more about domain-wide delegation.

Enable DwD on a service account

  1. Go to the Google Cloud Platform (GCP) Console Service accounts page.

    1. On the right side of the Forseti GCP server service account row, under Options, click More > Edit.

    2. On the Edit service account dialog that appears, select the Enable G Suite Domain-wide Delegation checkbox, then click Save. NOTE: You may see a field entitled “Product name for the consent screen”. You cannot leave this field blank.

  2. On the service account row, click View Client ID.

  3. On the Client ID for Service account client page that appears, copy the Client ID value, which will be a large number.

Enable the service account in your G Suite admin control panel

  1. Go to your Google Admin Manage API client access Security settings.
  2. In the Client Name box, paste the Client ID you copied above.
  3. In the One or More API Scopes box, paste the following scope:

  4. Click Authorize.

Configuring Forseti to collect G Suite data

After you set up your service account above, you may need to edit the domain_super_admin_email field in your forseti_conf_server.yaml.

If you are running Forseti on GCP and made any changes to the above values, you will need to copy the conf file to the Cloud Storage bucket. For more information, see Moving configuration to Cloud Storage.
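
A pre-flight check for the two values this guide has you copy by hand, as an added example that is not part of Forseti: it confirms that the value pasted into Client Name is the numeric Client ID and that domain_super_admin_email is set to a user address rather than the service account. The function name, the sample values and the nesting of the field under `inventory:` are assumptions.

```python
import re

# Finds the field at any nesting depth; tolerates a trailing comment.
FIELD_RE = re.compile(
    r"^[ \t]*domain_super_admin_email[ \t]*:[ \t]*(.*?)[ \t]*(?:#.*)?$", re.M)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def preflight(client_id, service_account_email, conf_text):
    """Return a list of problems; an empty list means the values look consistent."""
    problems = []
    # The Client ID copied from the console is a large number.
    if not client_id.strip().isdigit():
        problems.append("Client Name must be the numeric Client ID, "
                        "not the service account email or name")
    match = FIELD_RE.search(conf_text)
    if match is None:
        return problems + ["domain_super_admin_email is not set"]
    admin = match.group(1).strip("'\"")
    if not EMAIL_RE.match(admin):
        problems.append("domain_super_admin_email is not an email address")
    # Delegation impersonates a user in the domain, so a service account
    # address in this field cannot work.
    elif admin == service_account_email or admin.endswith(".gserviceaccount.com"):
        problems.append("domain_super_admin_email must be a G Suite user, "
                        "not a service account")
    return problems


# Constructed sample values (not from a real project); layout is assumed.
SAMPLE_CONF = """\
inventory:
    domain_super_admin_email: "admin@example.com"  # constructed value
"""
SAMPLE_SA = "forseti-server@example-project.iam.gserviceaccount.com"

if __name__ == "__main__":
    for problem in preflight("123456789012345678901", SAMPLE_SA, SAMPLE_CONF):
        print("PROBLEM:", problem)
```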