Google - Authentication

UX = dope.security. That's why it takes seconds to get CASB Neural scanning your Google Drive.

Authentication

Under CASB, select Google. Self-enroll with the URL or send it to your Google admin.

Google Authentication Link to be used by Admin

Your Google admin will need to copy and paste the permissions into the Google Admin Console (under API Controls -> Domain-Wide Delegation).

Admins must copy/paste this information into the Workspace Admin Console

These are the required Google scopes

"https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/admin.directory.user", "https://www.googleapis.com/auth/admin.directory.domain.readonly", "https://www.googleapis.com/auth/admin.directory.customer.readonly", "https://www.googleapis.com/auth/drive.activity.readonly", "https://www.googleapis.com/auth/admin.directory.group.readonly", "https://www.googleapis.com/auth/admin.directory.user.readonly", "https://www.googleapis.com/auth/admin.directory.user.security", "https://www.googleapis.com/auth/admin.reports.audit.readonly", "https://www.googleapis.com/auth/gmail.settings.basic",

| Scope | Purpose |
| --- | --- |
| admin.directory.user, admin.directory.domain.readonly, admin.directory.customer.readonly, admin.directory.group.readonly, admin.directory.user.readonly | Retrieves group member information for user/group import, identify posture (2FA/Admin) for CASB Neural SSPM |
| admin.directory.user.security | Retrieves OAuth tokens and allows deletion for CASB Neural SSPM |
| admin.reports.audit.readonly | Retrieves logs for OAuth apps for CASB Neural SSPM |
| gmail.settings.basic | Retrieves mail rules (not email content) to find suspicious mail rules for CASB Neural SSPM |
| drive, drive.activity.readonly | Retrieves drive information for CASB Neural DLP |

About Google Admin Console Configuration

Because of CASB Neural's sensitive permissions, the scopes are added on the Domain-Wide Delegation page, found under Security > API Controls > MANAGE DOMAIN WIDE DELEGATION in the Google Admin Console.

From here, add a new domain-wide delegation entry for the account. It includes CASB Neural's client ID and the required scopes (provided).

See Google help docs here
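
An added example (not dope.security's code): a Python check an admin can run after the copy/paste step, comparing the scopes shown on the Domain-Wide Delegation entry with the required list on this page and flagging the write-capable ones for review. The function names and the sample console entry are constructed for illustration.

```python
PREFIX = "https://www.googleapis.com/auth/"

# The required scopes exactly as listed on this page (quotes, trailing comma).
REQUIRED_TEXT = '''
"https://www.googleapis.com/auth/drive",
"https://www.googleapis.com/auth/admin.directory.user",
"https://www.googleapis.com/auth/admin.directory.domain.readonly",
"https://www.googleapis.com/auth/admin.directory.customer.readonly",
"https://www.googleapis.com/auth/drive.activity.readonly",
"https://www.googleapis.com/auth/admin.directory.group.readonly",
"https://www.googleapis.com/auth/admin.directory.user.readonly",
"https://www.googleapis.com/auth/admin.directory.user.security",
"https://www.googleapis.com/auth/admin.reports.audit.readonly",
"https://www.googleapis.com/auth/gmail.settings.basic",
'''

def parse_scopes(text):
    """Split a comma- or newline-separated scope list, tolerating quotes,
    blank items and a trailing comma. Short names are returned for
    googleapis.com scopes; any other URL is kept whole so it stays visible."""
    scopes = set()
    for item in text.replace("\n", ",").split(","):
        item = item.strip().strip("\"'").strip()
        if item:
            scopes.add(item[len(PREFIX):] if item.startswith(PREFIX) else item)
    return scopes

REQUIRED = parse_scopes(REQUIRED_TEXT)

def audit(granted_text):
    """Compare the scopes on a delegation entry with the required list."""
    granted = parse_scopes(granted_text)
    return {
        "missing": sorted(REQUIRED - granted),
        "unexpected": sorted(granted - REQUIRED),
        # Naming heuristic, for manual review: on this page's list the scopes
        # without a ".readonly" suffix are the ones that permit changes.
        "write_capable": sorted(s for s in granted if not s.endswith(".readonly")),
    }

if __name__ == "__main__":
    # Constructed console entry: one required scope dropped, one extra added.
    entry = ",".join(PREFIX + s for s in REQUIRED - {"admin.reports.audit.readonly"})
    entry += ",https://mail.google.com/"
    for key, values in audit(entry).items():
        print(f"{key}: {values}")
```

An empty `missing` and `unexpected` result means the delegation entry matches this page's list exactly; anything under `unexpected` was granted beyond what the page asks for.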

Google Workspace Super Admin Email

The final step is to provide the Google Workspace super admin email.

Add the super admin email used here.

Once the correct email is entered, you're done! It's that simple. dope.security will now scan your tenant, uncover any publicly shared files with sensitive data, and classify them.

SSPM Coming Soon: Uncover all third-party apps connected to your Microsoft 365 or Google SaaS tenant, neatly organized by access type: global, limited, or login access.
