
Create App Profiles

To connect Confidence Platform for Google to your Google tenant with a custom Google app, refer to the following sections for the permissions and configuration the custom app requires.

For details on how to create a Google app, refer to the Create a Custom Google App section in the AvePoint Online Services user guide. When the app is in place, refer to the Create an App Profile and Consent to a Custom Google App sections to configure an app profile for the custom Google app.

For details on the custom Google app permissions required by each module on this platform, refer to the following sections.

Permissions for Administration

To enable data retrieval and management in the Administration module, complete the following configurations:

  1. Enable the following APIs in the projects where the Google service accounts are created:

    • Admin SDK API

    • Cloud Identity API

    • Enterprise License Manager API

    • Google Drive API

    • Group Settings API

  2. Configure the following scopes in the OAuth scopes field:

    Scope | Purpose
    https://www.googleapis.com/auth/admin.datatransfer | Transfer data of users who will be deleted to existing users
    https://www.googleapis.com/auth/admin.directory.domain.readonly | Get domain information for object details or filters
    https://www.googleapis.com/auth/admin.directory.group | Get and update user-group membership
    https://www.googleapis.com/auth/admin.directory.group.readonly | Scan all groups for user-group membership
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly | Get organization unit for object details and filters
    https://www.googleapis.com/auth/admin.directory.rolemanagement | Show user role assignments in user details
    https://www.googleapis.com/auth/admin.directory.user | Get, create, and update users
    https://www.googleapis.com/auth/admin.directory.user.readonly | Scan all users into the product
    https://www.googleapis.com/auth/admin.directory.userschema | Show and edit customer schema in user details
    https://www.googleapis.com/auth/admin.reports.audit.readonly | Get audits for Google objects
    https://www.googleapis.com/auth/admin.reports.usage.readonly | Get object usage status
    https://www.googleapis.com/auth/apps.licensing | Get user license assignments and assign, edit, and remove licenses for users
    https://www.googleapis.com/auth/cloud-identity.groups | Get group details; retrieve and edit security settings of Google groups
    https://www.googleapis.com/auth/cloud-identity.orgunits | Change organization unit for shared drives
    https://www.googleapis.com/auth/drive | Get, create, and edit shared drives
    https://www.googleapis.com/auth/drive.readonly | Scan all shared drives into the product
    https://www.googleapis.com/auth/directory.readonly | Retrieve Google directory information
    https://www.googleapis.com/auth/apps.groups.settings | Retrieve and edit access settings for Google groups

  3. Assign the Super Admin permission to the admin account used for custom app profile creation.

Permissions for Governance

To enable data retrieval and management in the Governance module, complete the following configurations:

  1. Enable the following APIs in the projects where the Google service accounts are created:

    • Admin SDK API

    • Enterprise License Manager API

    • Google Drive API

  2. Configure the following scopes in the OAuth scopes field:

    Scope | Purpose
    https://www.googleapis.com/auth/admin.datatransfer | Transfer data in user lifecycle management
    https://www.googleapis.com/auth/admin.directory.domain.readonly | Retrieve domain for service creation
    https://www.googleapis.com/auth/admin.directory.group | Add user to group in user provisioning
    https://www.googleapis.com/auth/admin.directory.group.readonly | Retrieve groups from the source
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly | Retrieve domain for service creation
    https://www.googleapis.com/auth/admin.directory.user | Create user in user provisioning
    https://www.googleapis.com/auth/admin.directory.user.readonly | Retrieve users from source
    https://www.googleapis.com/auth/apps.licensing | Assign licenses in user provisioning
    https://www.googleapis.com/auth/drive.readonly | Get assignees for approval process

  3. Assign the Super Admin permission to the admin account used for custom app profile creation.

Permissions for Risk Intelligence

To enable data retrieval and management in the Risk Intelligence module, complete the following configurations:

  1. Enable the following APIs in the projects where the Google service accounts are created:

    • Admin SDK API

    • Cloud Asset API

    • Cloud Identity API

    • Cloud Resource Manager API

    • Drive Labels API

    • Google Drive API

    • Identity and Access Management (IAM) API

  2. Configure the following scopes in the OAuth scopes field:

    Scope | Purpose
    https://www.googleapis.com/auth/admin.directory.domain.readonly | Retrieve domains in your domain
    https://www.googleapis.com/auth/drive.admin.labels.readonly | Retrieve all information of labels on files in drives for sensitivity definition
    https://www.googleapis.com/auth/admin.directory.group.readonly | Retrieve groups in your domain
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly | Get and compare organization conditions in the Google search profile
    https://www.googleapis.com/auth/admin.directory.user.readonly | Retrieve users in your domain
    https://www.googleapis.com/auth/admin.reports.audit.readonly | Retrieve DLP (Data Loss Prevention) activities in your domain
    https://www.googleapis.com/auth/admin.reports.usage.readonly | Retrieve activities in your domain
    https://www.googleapis.com/auth/cloud-identity.userinvitations.readonly | Retrieve unmanaged user information
    https://www.googleapis.com/auth/drive | Discover folders and files under My Drive and Shared Drives for reports
    https://www.googleapis.com/auth/ediscovery | Retrieve prompts from the Gemini application

  3. Assign the Super Admin permission or the following permissions to the admin account used for custom app profile creation:

    • Admin API privileges

      • User > Read

      • Domain Management

    • Admin console privileges:

      • Drive and Docs > Settings

      • Reports

      • Data Classification > Manage Labels

  4. Grant the following permissions to the Google service account:

    • resourcemanager.organizations.get

    • resourcemanager.organizations.getIamPolicy

    • resourcemanager.folders.get

    • resourcemanager.folders.getIamPolicy

    • resourcemanager.folders.list

    • resourcemanager.projects.get

    • resourcemanager.projects.getIamPolicy

    • resourcemanager.projects.list

    • cloudasset.assets.listResource

    • cloudasset.assets.searchAllIamPolicies

    • serviceusage.services.use

    • resourcemanager.organizations.setIamPolicy

    • resourcemanager.folders.setIamPolicy

    • resourcemanager.projects.setIamPolicy

Permissions for Policy Enforcement

To enable data retrieval and management in the Policy Enforcement module, complete the following configurations:

  1. Enable the following APIs in the projects where the Google service accounts are created:

    • Admin SDK API

    • Google Drive API

    • Drive Labels API

    • Cloud Identity API

    • Gmail API

    • Google Setting API

  2. Configure the following scopes in the OAuth scopes field:

    Scope | Purpose | Rules that need this scope
    https://www.googleapis.com/auth/admin.directory.domain.readonly | Retrieve object domains | All rules
    https://www.googleapis.com/auth/admin.directory.user | Update user properties | Inactive user account restriction
    https://www.googleapis.com/auth/admin.directory.user.readonly | Retrieve users | 2-step verification enforcement; Admin role assignment restriction; Drive user / group permission anomaly detection; Inactive user account restriction; Manager / Content manager restriction; Member invitation restriction; Membership restriction; Orphaned users drive permission restriction; Shared drive creation restriction; Shared permission expiration enforcement
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly | Retrieve organization units | Admin role assignment restriction; Drive user / group permission anomaly detection; Inactive user account restriction; Manager / Content manager restriction; Member invitation restriction; Membership restriction; Orphaned users drive permission restriction; Shared drive creation restriction; Shared permission expiration enforcement
    https://www.googleapis.com/auth/admin.directory.group.readonly | Retrieve groups | Drive user / group permission anomaly detection; Drive user permission replacement; External group member detection; Group external access settings restriction; Manager / Content manager restriction; Member invitation restriction; Membership restriction; Orphaned users drive permission restriction; Permission restriction for groups with external users; Sharing link restriction
    https://www.googleapis.com/auth/admin.reports.audit.readonly | Retrieve drive activities | Manager count restriction; Manager enforcement; Member invitation restriction
    https://www.googleapis.com/auth/admin.directory.rolemanagement | Retrieve role assignments | Admin role assignment restriction
    https://www.googleapis.com/auth/apps.groups.settings | Retrieve and update group settings | Group external access settings restriction
    https://www.googleapis.com/auth/drive | Retrieve, update, and delete drives | Drive user / group permission anomaly detection; Drive user permission replacement; Edit permission restriction for sharing links; External user restriction; External sharing expiration enforcement; External user manager/content manager permission restriction; File permission inheritance protection; Member invitation restriction; Orphaned users drive permission restriction; Shadow user restriction; Shared drive access permission settings restriction; Sharing link restriction
    https://mail.google.com/ | Retrieve mailbox forwarding settings | External email forwarding settings restriction
    https://www.googleapis.com/auth/drive.readonly | Retrieve drive permissions | Manager count restriction; Manager enforcement

  3. Assign the Super Admin permission or the following permissions to the admin account used for custom app profile creation:

    • Admin API privileges

      • User > Read

      • Domain Management

    • Admin console privileges:

      • Drive and Docs > Settings

      • Reports

      • Data Classification > Manage Labels

Permissions for Information Management

To enable data retrieval and management in the Information Management module, complete the following configurations:

  1. Enable the following APIs in the projects where the Google service accounts are created:

    • Admin SDK API

    • Drive Labels API

    • Google Drive API

  2. Configure the following scopes in the OAuth scopes field:

    Scope | Purpose
    https://www.googleapis.com/auth/admin.directory.domain.readonly | Retrieve domains related to your customers
    https://www.googleapis.com/auth/admin.directory.group.readonly | Retrieve groups in your domain
    https://www.googleapis.com/auth/admin.directory.user.readonly | Retrieve users in your domain
    https://www.googleapis.com/auth/admin.reports.audit.readonly | Retrieve drive activities report
    https://www.googleapis.com/auth/admin.reports.usage.readonly | Retrieve the size and activity usage of all My Drive and Shared Drives
    https://www.googleapis.com/auth/drive | Create, update, and delete folders and files under My Drive and Shared Drives
    https://www.googleapis.com/auth/drive.admin.labels | Create, update, and delete Google Drive labels in your organization
    https://www.googleapis.com/auth/drive.labels | Retrieve all information of labels on files
    https://www.googleapis.com/auth/drive.readonly | Retrieve all information of files under My Drive and Shared Drives

  3. Assign the following permissions to the admin account used for custom app profile creation:

    • Admin API privileges

      • User > Read

      • Group > Read

      • Domain Management

      • Reports

    • Admin console privileges:

      • Drive and Docs > Settings

      • Data Classification > Manage Labels
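
Each module above asks for a specific set of OAuth scopes, and the value pasted into the Google Admin console's domain-wide delegation "OAuth scopes" field is a comma-separated list that is easy to get wrong (a missing scope breaks scanning; a surplus write scope over-privileges the service account). The following Python script is an added example, not part of this documentation or of the product: it parses that field value, compares it with the Information Management scope table above, and reports missing scopes and over-granted ones, separating write-capable extras from read-only ones. The `.readonly` suffix heuristic and the sample input are assumptions.

```python
from dataclasses import dataclass, field

# Required scopes for the Information Management module (copied from the table above).
INFORMATION_MANAGEMENT_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.admin.labels",
    "https://www.googleapis.com/auth/drive.labels",
    "https://www.googleapis.com/auth/drive.readonly",
})

def parse_scope_field(raw: str) -> list[str]:
    """Split the comma-separated OAuth scopes field value; trim whitespace and
    line breaks, drop empty entries and duplicates, keep first-seen order."""
    seen: set[str] = set()
    out: list[str] = []
    for item in raw.replace("\n", ",").split(","):
        scope = item.strip()
        if scope and scope not in seen:
            seen.add(scope)
            out.append(scope)
    return out

def is_write_scope(scope: str) -> bool:
    """Assumption: Google read-only scopes end in '.readonly'; treat anything else
    (including the full-mailbox scope https://mail.google.com/) as write-capable."""
    return not scope.endswith(".readonly")

@dataclass
class ScopeReport:
    missing: list[str] = field(default_factory=list)         # required, not granted
    extra_readonly: list[str] = field(default_factory=list)  # granted, unneeded, read-only
    extra_write: list[str] = field(default_factory=list)     # granted, unneeded, can modify data

    def ok(self) -> bool:
        return not (self.missing or self.extra_readonly or self.extra_write)

def check_scopes(raw_field: str, required: frozenset[str]) -> ScopeReport:
    # Set difference in both directions: what is missing, and what is over-granted.
    granted = set(parse_scope_field(raw_field))
    report = ScopeReport(missing=sorted(required - granted))
    for scope in sorted(granted - required):
        (report.extra_write if is_write_scope(scope) else report.extra_readonly).append(scope)
    return report
```

Swap in the scope set of whichever module you are configuring; an empty report (`ok()` is true) means the delegation entry matches the table exactly.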