Integration · google_workspace

Google Workspace

Pulls Admin SDK directory data and Reports API audit events from Google Workspace, deriving KRIs for 2SV enrollment, super-admin sprawl, OAuth-app scope risk, and Drive external-share anomalies.

sourceType: google_workspace vendorId: google-workspace auth: oauth2 (service account) schedule: daily

At a glance

VendorGoogle Workspace
Source typegoogle_workspace
Vendor ID (slug)google-workspace
Base URLhttps://admin.googleapis.com, fixed for every Workspace tenant
Auth methodoauth2, Authorization: Bearer <access_token> minted per run from a domain-wide-delegated service account JWT
Schedule defaultdaily
AvailabilityStable, presentation refreshed 2026-04-18.

Required scopes & roles

Draxis authenticates as a GCP service account with domain-wide delegation, impersonating a read-only Workspace admin. The service account needs exactly these three read-only OAuth scopes, nothing more:

  • https://www.googleapis.com/auth/admin.directory.user.readonly, list users, 2SV enrollment state, admin flags, suspended/archived state. Backs the /admin/directory/v1/users call.
  • https://www.googleapis.com/auth/admin.reports.audit.readonly, read Admin, Token, and Drive audit logs. Backs the /admin/reports/v1/activity/users/all/applications/{admin,token,drive} calls.
  • https://www.googleapis.com/auth/admin.reports.usage.readonly, reserved for future usage-based KRIs; included now so you don’t need a second consent pass later.

On the Workspace side, the impersonated subject must be a user with a role that can read those APIs. The Google-provided “Services admin” predefined role works; for tighter least-privilege, create a custom admin role that grants only Admin API Privileges → Users → Read and Reports.

Do not grant the service account the Super Admin role, none of these scopes require it, and it would also grant write access.

Setup steps

  1. Create a GCP project and service account. In the Google Cloud Console, pick (or create) a project dedicated to third-party integrations, then go to IAM & Admin → Service Accounts → Create Service Account. Name it draxis-workspace-reader. Skip the “Grant this service account access to project” step, it needs zero GCP IAM roles.
  2. Enable the Admin SDK API on the project. APIs & Services → Library → Admin SDK API → Enable.
  3. Generate a JSON key. On the service account’s Keys tab, Add Key → Create new key → JSON. Save the file, you’ll paste the entire contents into Draxis in the final step. Treat it like a password.
  4. Enable domain-wide delegation. On the service account’s Details page, copy its Unique ID (OAuth 2.0 Client ID), a numeric string. You’ll paste it in the next step.
  5. Authorize the scopes in the Workspace Admin Console. Go to admin.google.comSecurity → Access and data control → API controls → Manage Domain Wide Delegation → Add new. Paste the numeric Client ID from step 4, then paste these three scopes (comma-separated): 
    https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly
    Click Authorize.
  6. Pick (or create) a read-only admin user to impersonate. In the Admin Console, Directory → Users → Add new user, e.g. draxis-reader@your-domain.com. Assign it the Services admin role (or the custom read-only role described above). This is the email you’ll put in the Draxis Client ID field, Draxis impersonates this user when calling Google.
  7. Verify the customer ID (optional). Most tenants can leave customer_id as my_customer. If you’re a Workspace reseller or manage multiple customers, find the real customer ID under Account → Account settings and put it in the Draxis Extra Config JSON as {"customer_id":"C01xxxxxx"}.

Wire it into Draxis

  1. Open Settings → Integrations in your tenant.
  2. Click Add integration and pick Google Workspace as the source type.
  3. The vendor dropdown auto-selects Google Workspace (Admin SDK + Reports), and Draxis auto-fills the base URL, the OAuth auth method, the daily schedule, and seeds extra_config_json with {"customer_id":"my_customer"}.
  4. In Client ID, paste the admin email from step 6 above (e.g. draxis-reader@your-domain.com). This is the user Draxis impersonates, not the service-account numeric ID.
  5. In Client Secret, paste the entire contents of the JSON key file from step 3, every character including the enclosing { … }. Draxis encrypts it server-side with encryption.key before storage.
  6. Click Test. Green means Draxis minted a JWT, exchanged it for an access token, and hit the Directory API successfully.
  7. Under KRIs to import, tick the KRIs you want Draxis to manage. All seven gws_* KRIs are checked by default; uncheck any you don’t need. Selected rows are created on save with the seeded thresholds (tunable later in the KRIs tab). Unchecking a previously-imported KRI deletes it on save.
  8. Save. The connector runs daily by default; use Run now from run history to trigger the first sync immediately.

KRIs produced

SlugMeaningDerivation
gws_2sv_enrollment_pct % of active users enrolled in 2-Step Verification round(count(active[].isEnrolledIn2Sv) / count(active), 1) where active = users[!suspended && !archived]
gws_super_admin_count Count of users flagged isAdmin=true in the Directory API count(users[].isAdmin == true)
gws_ext_shared_sensitive_files Drive ACL changes that set visibility to an external audience, last 7 days count(drive_events where name in (change_user_access, change_acl_editors, change_document_visibility) and visibility in (people_with_link, public_on_the_web, public_in_the_domain_with_link, shared_externally))
gws_oauth_high_risk_apps Distinct OAuth client_ids authorized with high-risk scopes in the last 7 days distinct(token_events[authorize].client_id where any(scope matches mail.google.com | gmail.send|modify|insert | drive | admin.directory | admin.reports | cloud-platform | cloud_search))
gws_suspended_active_ratio_pct Suspended users as a % of active users round(count(suspended) / count(active) * 100, 1)
gws_admin_audit_anomalies_7d Count of privileged admin events in the last 7 days count(admin_events where name or type in (ASSIGN_ROLE, UNASSIGN_ROLE, CREATE_ROLE, DELETE_ROLE, UPDATE_ROLE, DELEGATED_ADMIN_SETTINGS, GRANT_ADMIN_PRIVILEGE, REVOKE_ADMIN_PRIVILEGE, TOGGLE_2SV_ENFORCEMENT, CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS, SSO_PROFILE_CREATED, SSO_PROFILE_DELETED))
gws_dlp_violations_7d Count of Drive DLP rule-violation events in the last 7 days count(drive_events where name startsWith 'dlp_' or type contains 'dlp')

Each row is a slug the connector writes to. Draxis creates the matching kri rows automatically when you check them in the KRIs to import section of the integration form, no manual API call or seed script needed. Thresholds shown in the table are the seeded defaults; you can edit them freely in the KRIs tab afterwards.

Vendor quirks

  • Domain-wide delegation is mandatory. Without it the JWT-bearer token exchange returns unauthorized_client. The scope list in Workspace must match exactly, a typo in one scope silently blocks access to that API.
  • Service-account impersonation is how Google Workspace does least-privilege. The service account itself has no powers; the impersonated subject’s Workspace role is what actually gates access. Keep that subject on a read-only custom role if you want the strictest least-privilege posture.
  • Reports API has a ~20-minute lag. Events appearing in the Admin Console may take up to ~20 minutes to surface through /admin/reports/v1/activity. Draxis’s 7-day window always trails real time, so this is invisible in practice.
  • customer_id=my_customer works for almost everyone. Only resellers or multi-customer setups need the real numeric customer ID. If Test returns HTTP 400 with “Invalid Input: customer”, replace it with your real ID from the Admin Console’s account settings.
  • Pagination is capped at 200 pages per endpoint. At 500 users/page that’s 100k users; at default Reports page sizes it’s well past any 7-day window we’ve seen. Very large tenants that hit the cap should open a support request, we’ll tune the window or paginate in chunks.
  • Service-account JSON keys are credentials. If a key is ever exposed, revoke it in the GCP console (Keys → Delete) and generate a new one, the old key stops working immediately, so do this only after you’re ready to update Draxis.

Troubleshooting

  • HTTP 401 unauthorized_client at the token exchange, domain-wide delegation isn’t set up, or the scope list in the Workspace Admin Console doesn’t match the three scopes above. Re-check the numeric Client ID and the exact scope strings.
  • HTTP 403 on Directory or Reports calls, the impersonated user’s Workspace role is too narrow. Grant them Services admin (or add Users → Read and Reports privileges to your custom role).
  • HTTP 400 “Invalid Input: customer”, you’re a reseller or multi-customer tenant and my_customer doesn’t resolve. Replace the customer_id in Extra Config with the real customer ID.
  • “Client Secret is not valid JSON” on Test, you pasted something other than the full service-account key file. Paste the entire JSON including the outer braces.
  • rowsSkipped > 0 and rowsWritten = 0, your tenant hasn’t imported any KRIs for this integration yet. Open the integration in Settings → Integrations, tick the KRIs under KRIs to import, and save.
  • Still stuck? Open a support ticket with the run ID (from Run history) and we’ll dig in.