Create App Profiles

To create a custom Google app to connect Confidence Platform for Google to your Google tenant, you can refer to the following sections for the required permissions and configurations for your custom app.

For details on how to create a Google app, refer to the section in the AvePoint Online Services user guide. When the app is in place, refer to the and sections to configure an app profile for the custom Google app.

For details custom Google app permissions required by each module on this platform, refer to the following sections.

Permissions for Administration

To ensure the data retrieval and management in the Administration module, complete the following configurations:

Enable the following APIs in the projects where the Google service accounts are created:
- Admin SDK API
- Cloud Identity API
- Enterprise License Manager API
- Google Drive API
Configure the following scopes in the OAuth scopes field:

Scope	Purpose
https://www.googleapis.com/auth/admin.datatransfer	Transfer data of users who will be deleted to existing users
https://www.googleapis.com/auth/admin.directory.domain.readonly	Get domain information for object details or filters
https://www.googleapis.com/auth/admin.directory.group	Get and update user-group membership
https://www.googleapis.com/auth/admin.directory.group.readonly	Scan all groups for user-group membership
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Get organization unit for object details and filters
https://www.googleapis.com/auth/admin.directory.rolemanagement	Show user role assignments in user details
https://www.googleapis.com/auth/admin.directory.user	Get, create, and update users
https://www.googleapis.com/auth/admin.directory.user.readonly	Scan all users into the product
https://www.googleapis.com/auth/admin.directory.userschema	Show and edit customer schema in user details
https://www.googleapis.com/auth/admin.reports.audit.readonly	Get audits for Google objects
https://www.googleapis.com/auth/admin.reports.usage.readonly	Get object usage status
https://www.googleapis.com/auth/apps.licensing	Get user license assignments and assign, edit, and remove licenses for users
https://www.googleapis.com/auth/cloud-identity.groups	Get group details
https://www.googleapis.com/auth/cloud-identity.orgunits	Change organization unit for shared drives
https://www.googleapis.com/auth/drive	Get, create, and edit shared drives
https://www.googleapis.com/auth/drive.readonly	Scan all shared drives into the product

Assign the Super Admin permission to the admin account used for custom app profile creation.

Permissions for Governance

To ensure the data retrieval and management in the Governance module, complete the following configurations:

Enable the following APIs in the projects where the Google service accounts are created:
- Admin SDK API
- Enterprise License Manager API
- Google Drive API
Configure the following scopes in the OAuth scopes field:

Scope	Purpose
https://www.googleapis.com/auth/admin.datatransfer	Transfer data in user lifecycle management
https://www.googleapis.com/auth/admin.directory.domain.readonly	Retrieve domain for service creation
https://www.googleapis.com/auth/admin.directory.group	Add user to group in user provisioning
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups from the source
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Retrieve domain for service creation
https://www.googleapis.com/auth/admin.directory.user	Create user in user provisioning
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users from source
https://www.googleapis.com/auth/admin.directory.userschema	Create user in user provisioning
https://www.googleapis.com/auth/apps.licensing	Assign licenses in user provisioning

Assign the Super Admin permission to the admin account used for custom app profile creation.

Permissions for Risk Intelligence

To ensure the data retrieval and management in the Risk Intelligence module, complete the following configurations:

Enable the following APIs in the projects where the Google service accounts are created:
- Admin SDK API
- Cloud Asset API
- Cloud Identity API
- Cloud Resource Manager API
- Drive Labels API
- Google Drive API
- Identity and Access Management (IAM) API
Configure the following scopes in the OAuth scopes field:

Scope	Purpose
https://www.googleapis.com/auth/admin.directory.domain.readonly	Retrieve domains in your domain.
https://www.googleapis.com/auth/drive.admin.labels.readonly	Retrieve all information of labels on files in drives for sensitive definition.
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups in your domain.
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Get and compare organization conditions in Google search profile.
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users in your domain.
https://www.googleapis.com/auth/admin.reports.audit.readonly	Retrieve DLP (Data Loss Prevention) activities in your domain.
https://www.googleapis.com/auth/admin.reports.usage.readonly	Retrieve activities in your domain.
https://www.googleapis.com/auth/cloud-identity.userinvitations.readonly	Retrieve unmanaged user information.
https://www.googleapis.com/auth/drive	Discovery folders and files under My Drive and Shared Drives for reports.

Assign the Super Admin permission or the following permissions to the admin account used for custom app profile creation:
- Admin API privileges
  - User > Read
  - Domain Management
- Admin console privileges:
  - Drive and Docs > Settings
  - Reports
  - Data Classification > Manage Labels
Grant the following permissions to the Google service account:
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- cloudasset.assets.listResource
- cloudasset.assets.searchAllIamPolicies
- serviceusage.services.use
- resourcemanager.organizations.setIamPolicy
- resourcemanager.folders.setIamPolicy
- resourcemanager.projects.setIamPolicy

Permissions for Policy Enforcement

To ensure the data retrieval and management in the Policy Enforcement module, complete the following configurations:

Enable the following APIs in the projects where the Google service accounts are created:
- Admin SDK API
- Google Drive API
- Drive Labels API
- Cloud Identity API
- Gmail API
- Google Setting API
Configure the following scopes in the OAuth scopes field:

Scope	Purpose	Which rule needs this
https://www.googleapis.com/auth/admin.directory.domain.readonly	Retrieve object domains	All rules
https://www.googleapis.com/auth/admin.directory.user	Update user properties	Inactive user account detection
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users	Admin role assignment restriction
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users	Drive user / group restriction
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users	Inactive user account detection
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users	Manager / Content manager restriction
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users	Member invitation restriction
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users	Membership restriction
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users	Orphaned users drive permission detection
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users	Shared drive creation restriction
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users	Shared permission expiration enforcement
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Retrieve organization units	Admin role assignment restriction
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Retrieve organization units	Drive user / group restriction
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Retrieve organization units	Inactive user account detection
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Retrieve organization units	Manager / Content manager restriction
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Retrieve organization units	Member invitation restriction
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Retrieve organization units	Membership restriction
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Retrieve organization units	Shared drive creation restriction
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Retrieve organization units	Shared permission expiration enforcement
https://www.googleapis.com/auth/admin.directory.orgunit.readonly	Retrieve organization units	Orphaned users drive permission detection
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups	Drive user / group restriction
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups	External access to groups restriction
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups	External group member detection
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups	Group with external users detection
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups	Manager / Content manager restriction
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups	Member invitation restriction (within 30 days)
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups	Membership restriction
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups	Orphaned users drive permission detection
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups	Sharing link restriction
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups	User permission replacement
https://www.googleapis.com/auth/admin.reports.audit.readonly	Retrieve drive activities	Manager count restriction
https://www.googleapis.com/auth/admin.reports.audit.readonly	Retrieve drive activities	Manager enforcement
https://www.googleapis.com/auth/admin.reports.audit.readonly	Retrieve drive activities	Member invitation restriction
https://www.googleapis.com/auth/admin.directory.rolemanagement	Retrieve role assignments	Admin role assignment restriction
https://www.googleapis.com/auth/apps.groups.settings	Retrieve and update group settings	External access to groups restriction
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	Drive user / group restriction
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	Edit permission restriction for sharing links
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	External sharing expiration enforcement
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	External user manager / content manager permission restriction
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	External user monitor
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	File permission inheritance protection
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	Member invitation restriction
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	Orphaned users drive permission detection
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	Shadow user detection
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	Shared drive settings restriction
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	Sharing link restriction
https://www.googleapis.com/auth/drive	Retrieve, update, and delete drives	User permission replacement
https://mail.google.com/	Retrieve mailbox forwarding settings	External email forwarding restriction
https://www.googleapis.com/auth/drive.readonly	Retrieve drive permissions	Manager count restriction
https://www.googleapis.com/auth/drive.readonly	Retrieve drive permissions	Manager enforcement

Assign the Super Admin permission or the following permissions to the admin account used for custom app profile creation:
- Admin API privileges
  - User > Read
  - Domain Management
- Admin console privileges:
  - Drive and Docs > Settings
  - Reports
  - Data Classification > Manage Labels

Permissions for Information Management

To ensure the data retrieval and management in the Information management module, complete the following configurations:

Enable the following APIs in the projects where the Google service accounts are created:
- Admin SDK API
- Drive Labels API
- Google Drive API
Configure the following scopes in the OAuth scopes field:

Scope	Purpose
https://www.googleapis.com/auth/admin.directory.domain.readonly	Retrieve domains related to your customers.
https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups in your domain.
https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users in your domain.
https://www.googleapis.com/auth/admin.reports.audit.readonly	Retrieve drive activities report.
https://www.googleapis.com/auth/admin.reports.usage.readonly	Retrieve the size and activity usage of all My Drive and Shared Drives.
https://www.googleapis.com/auth/drive	Create, update, and delete folders and files under My Drive and Shared Drives.
https://www.googleapis.com/auth/drive.admin.labels	Create, update, and delete Google Drive labels in your organization.
https://www.googleapis.com/auth/drive.labels	Retrieve all information of labels on files.
https://www.googleapis.com/auth/drive.readonly	Retrieve all information of files under My Drive and Shared Drives.

Assign the following permissions to the admin account used for custom app profile creation:
- Admin API privileges
  - User > Read
  - Group > Read
  - Domain Management
  - Reports
- Admin console privileges:
  - Drive and Docs > Settings
  - Data Classification > Manage Labels

On this page

#Create App Profiles

#Permissions for Administration

#Permissions for Governance

#Permissions for Risk Intelligence

#Permissions for Policy Enforcement