Adding Data Stores
Local Data Stores
Local Data Stores, i.e. local storage and local memory are standard scan locations. To add a local data store use the Add Data Store wizard to add a local data store.
1. Select Store Type
In the Select Store Type screen of the wizard select Local Storage in the * Select Data Store Category.
From the Select Local Storage Type drop-down list, select Local Storage.
Select Type shows types of data storage. By default, the drop-down list shows all types of data stores. When a category is selected under Select Data Store Category, the label Select Type is changed to reflect the selection. For example, for Local Storage, the label becomes Select Local Storage Type.
Click Next to go on to the Configure Connection screen.
2. Configure Connection
The Configure Connection screen is displayed.
Specify Hostname/IP of the machine where the local data store resides. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Note
Local data stores need a DDC Agent installed on the same host.
Click Next to go to the General Info screen.
3. General Info
Configure the General Info part per the information in General Info.
Click Next to go to the Add Tags & Access Control screen.
4. Add Tags & Access Control
Configure the Tags & Access Control par per the information in Tags & Access Control.
Click Save. The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Network Data Stores
DDC supports two types of Network Storage types as data stores: Linux Network File Share (NFS) and Windows share (SMB/CIFS).
Note
SMB/CIFS is supported for Windows only. Currently, the SMB implementation on Linux (Samba) is not supported. Also, we cannot guarantee that NFS type data stores on MAC will work properly.
To create a Windows Network Storage data store:
Use a Windows Proxy Agent.
Ensure that the target storage is accessible from the Proxy agent host.
To create a Linux Network Storage data store:
Use a Linux Proxy Agent.
The target storage path must be mounted on the Proxy agent host.
Note
For both types of these data stores, the credentials to access the target storage must have the minimum permissions required to scan it. Bear in mind that data discovery or scanning of data requires read access.
1. Select Store Type
In the Select Store Type screen of the wizard select Network Storage in the Select Data Store Category.
From the Select Network Storage Type drop-down list select:
SMB/CIFS Share - for a Linux Data Store.
NFS Share - for a Windows Data Store.
Click Next to go on to the Configure Connection screen.
2. Configure Connection
In the Configure Connection screen of the wizard, provide the following configuration details for your data store:
Linux Data Store
Hostname/IP - a valid hostname, IP address, or URI of the data store.
Share Path - a valid NFS path, it must begin with a slash (“/”). The path must be set to the mount path on the Proxy host.
Agent Hostname/IP - a valid hostname, IP address, or URI of the host where the DDC agent resides.
Mount Point (On Proxy Agent) - the mount path on the Proxy host (for the Share Path above). See also "Mounting an NFS Share".
Click Next to go to the General Info screen.
Windows Data Store
Hostname/IP - a valid hostname, IP address, or URI of the data store.
Share Name - a valid Windows share name. These characters are not allowed in the Share Name:
=
*
?
,
<
>
|
;
:
+
[
]
"
/
\
Caution
Do not confuse the Share Name with the Network Path. In Windows, the Share Name is typically set in the Advanced Sharing settings in the folder sharing properties.
Credentials - provide a valid username and password. Use the appropriate user name format for the target Windows hosts credentials:
<domain\username>
- target host resides in the same Active Directory domain as the Windows proxy agent.<target_hostname\username>
- target host does not reside in the same Active Directory domain as the Windows proxy agent.
Tip
DNS / DNS reverse resolution may increase the time to scan. Make sure that you optimize your DNS resolution or modify the agent's hosts file to skip the external DNS resolution as indicated in this technical note.
Click Next to go to the General Info screen.
3. General Info
Configure the General Info part per the information in General Info.
Click Next to go to the Add Tags & Access Control screen.
4. Add Tags & Access Control
Configure the Tags & Access Control par per the information in Tags & Access Control.
Click Save. The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Database Data Stores
The tables in the PosgresQL database must have a Primary Key (PK), otherwise the scan results may be incomplete.
PostgreSQL by default blocks remote connections to the PostgreSQL server, so you have to configure it to allow remote connections. For instructions, see Allowing Remote Connections to PostgreSQL Server.
To connect to Microsoft SQL DDC requires the ODBC drivers to be installed in the same environment as the DDC agent. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. Thus, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 (or newer) for MSSQL Server.
Before adding an Oracle database, make sure that you have the schema name or the database and service name to hand. For information on how to get this information, see Obtaining the Oracle Configuration Details.
Use the Add Data Store wizard to add a database type data store. Adding a database data store involves the steps described in the following sections.
1. Select Store Type
In the Select Store Type screen of the wizard select Database in the Select Data Store Category.
From the Select Database Type drop-down list select:
IBM DB2: Select to add an IBM DB2 database.
Oracle: Select to add an Oracle database
Microsoft SQL: Select to add a Microsoft SQL database.
PostgreSQL: Select to add a PostgreSQL database.
SAP HANA: Select to add a SAP HANA database.
MySQL: Select to add a MySQL database.
MongoDB: Select to add a Mongo DB database.
Click Next to go on to the Configure Connection screen.
2. Configure Connection
In the Configure Connection screen of the wizard, provide the following configuration details for your data store:
IBM DB2
Note
DB2: Windows Agent built-in drivers are required to connect to a DB2 data store.
Specify Hostname/IP of the database server. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Specify Port of the database server. The port must be a number between
1
and65535
. The default port for IBM DB2 is50000
.In the Database field, specify the name of the database service.
In the Authentication part, specify valid user credentials, User and Password.
Oracle
Note
Windows and Linux Agent built-in drivers are required to connect to an Oracle data store.
Specify Hostname/IP of the database server. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Specify Port of the database server. The port must be a number between
1
and65535
. The default port for Oracle is1521
.In the Database field, specify the name of the database service.
Use a schema name
SCHEMA
or a database name and service nameDB(SERVICE_NAME=XXX)
. For example:
* Schema name:HR
* Database name and service name:MYDB(SERVICE_NAME=XE)
If you are using Oracle 12x, or if the Oracle database displays aTNS: protocol adapter error
, you must specify a database and service name in the Database field. For example:HR(SERVICE_NAME=XE)
Note
Due to a known limitation, when creating an Oracle DB data store the agents cannot be assigned if the Schema (which is defined in the Database field) does not contain any tables.
In the Authentication part, specify valid user credentials, User and Password.
Microsoft SQL
Note
Windows host ODBC drivers are sufficient to connect to a MS SQL data store. ODBC Drivers version 17 are required to support TLS 1.2 connections.
Specify Hostname/IP of the database server. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Specify Port of the database server. The port must be a number between
1
and65535
. The default port for Microsoft SQL is1433
.In the Database field, specify the name of the database service.
In the Authentication part, specify valid user credentials, User and Password.
PostgreSQL
Note
Windows and Linux agent built-in drivers are required to connect to a PostgreSQL data store. The built-in driver does not support password authentication with 'scram-sha-256' method.
Specify Hostname/IP of the database server. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Specify Port of the database server. The port must be a number between
1
and65535
. The default port for PostgreSQL MongoDB is5432
.In the Database field, specify the name of the database service.
In the Authentication part, specify valid user credentials, User and Password.
SAP HANA
Note
Windows Agent built-in drivers are required to connect to a SAP Hana data store. If the Agent host has SAP HANA ODBC drivers installed, the Agent will use those drivers instead of its built-in drivers.
Specify Hostname/IP of the database server. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Specify Port of the database server. The port must be a number between
1
and65535
. The default port for SAP HANA is30015
.In the Database field, specify the name of the database service.
In the Authentication part, specify valid user credentials, User and Password.
MySQL
Note
Windows and Linux Agent built-in drivers are required to connect to a MySQL data store. The built-in driver does not support password authentication with 'caching_sha2_password' method.
Specify Hostname/IP of the database server. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Specify Port of the database server. The port must be a number between
1
and65535
. The default port for MySQL is3306
.In the Authentication part, specify valid user credentials, User and Password.
MongoDB
Specify Hostname/IP of the database server. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Specify Port of the database server. The port must be a number between
1
and65535
. The default port for MongoDB is27017
.In the Authentication Database field, specify the name of the database service.
User and Password - specify the Username, password and authentication database in the following manner:
- Username: <authentication_database>/<user_name>
Example: pgdb1/user1 - Password: <password>
Example: myPassword123
- Username: <authentication_database>/<user_name>
Click Next to go to the General Info screen.
3. General Info
Configure the General Info part per the information in General Info.
Click Next to go to the Add Tags & Access Control screen.
4. Add Tags & Access Control
Configure the Tags & Access Control par per the information in Tags & Access Control.
Click Save. The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Allowing Remote Connections to PostgreSQL Server
PostgreSQL by default blocks all connections that are not from the PostgreSQL database server itself. This means that to scan a PostgreSQL database, the Agent must either be installed on the PostgreSQL database server itself (not recommended), or the PostgreSQL server must be configured to allow remote connections.
To configure a PostgreSQL server to allow remote connections:
On the PostgreSQL database server, locate the
pg_hba.conf
configuration file. On a Unix-based server, the file is usually found in the/var/lib/postgresql/data
directory.Open
pg_hba.conf
in a text editor, as root.Add the following to the end of the file:
# Syntax: # host <database_name> <postgresql_user_name> <agent_host_address> <auth-method> host all all all md5
The above configuration allows any remote client to connect to the PostgreSQL server if a correct user name and password is provided. For a more secure configuration, use configuration statements that are specific to a database, user or IP address. For example:
Note
host database_A scan_user 172.17.0.0/24 md5
Open the
postgresql.conf
file and modify the Connections and Authentication section.You should change the
#listen_addresses = 'localhost'
line to this:listen_addresses = '*'
Tip
You can also use a specific IP address of the PostgreSQL server to listen on, instead of the global
*
.Save the file and restart the PostgreSQL service.
Obtaining the Oracle Configuration Details
To find the schema for the current user you can run this query:
SELECT SYS_CONTEXT('USERENV','CURRENT_SCHEMA') FROM DUAL;
To find the schema (or owner) for a particular table, you can run:
SELECT DISTINCT OWNER, OBJECT_NAME FROM DBA_OBJECTS WHERE OBJECT_TYPE = 'TABLE' AND OBJECT_NAME = '[your table]';
To find all tables for a particular schema (or owner), you can run:
SELECT DISTINCT OWNER, OBJECT_NAME FROM DBA_OBJECTS WHERE OBJECT_TYPE = 'TABLE' AND OWNER = '[your schema]';
To get the information about the service name contact your Oracle database administrator.
Big Data Stores
DDC supports two types of Big Data data stores:
- Hadoop Cluster
- Teradata (Teradata 14.10.00.02 and above)
Hadoop Cluster Considerations
Nodes where data blocks distributed by HDFS are stored are called DataNodes. DataNodes are treated as “slaves” in a Hadoop cluster.
A node that maintains the index of directories and files and manages data blocks stored on DataNodes is called a NameNode. A NameNode is treated as “master” in a Hadoop cluster.
Teradata Considerations
Teradata data stores require Teradata Tools and Utilities 16.10.xx to be installed on the Agent. These utilities are also mandatory:
- ODBC Driver for Teradata
- FastExport
You may have to restart the Agent after the installation.
A scan of a Teradata data store may create temporary tables named erecon_fexp_<YYYYMMDDHHMMSS><PID><RANDOM>. Do not remove these tables while the scan is in progress. They are automatically removed when a scan completes. If a scan fails or is interrupted by an error, the temporary tables may remain in the database. In this case, it is safe to delete the temporary tables.
Use the Add Data Store wizard to add a big data type data store. Adding a Big Data data store involves the following steps:
1. Select Store Type
In the Select Store Type screen of the wizard select Big Data in the Select Data Store Category.
From the Select Database Type drop-down list select Hadoop Cluster or Teradata.
Click Next to go on to the Configure Connection screen.
2. Configure Connection
Hadoop Cluster
Hostname/IP - Specify Hostname/IP of the Hadoop cluster's active NameNode. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Port - Default 8020. This is a mandatory field.
Click Next to go to the General Info screen.
Teradata
Hostname - Specify a valid Hostname of the Teradata server. The hostname must be longer than two characters. This is a mandatory field.
Port - Default 1025. This is a mandatory field.
User - The name of the Teradata user.
Due to known Teradata limitations DDC cannot use the following internal Teradata users to scan:
Warning
DBC, tdwm, LockLogShredder, External_AP, TDPUSER, SysAdmin, SystemFe, TDMaps, Crashdumps, Sys_Calendar, viewpoint, console.
Password - The password of the Teradata user.
Click Next to go to the General Info screen.
3. General Info
Configure the General Info part per the information in General Info.
Click Next to go to the Add Tags & Access Control screen.
4. Add Tags & Access Control
Configure the Tags & Access Control par per the information in Tags & Access Control.
Click Save. The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Cloud Data Stores
DDC supports these types of Cloud storages as data stores:
AWS S3 - AWS (Amazon Web Services).
Azure Blobs - Microsoft Azure Blobs (used to store unstructured text and binary data).
Azure Table - lets programs store structured text in partitioned collections of entities that are accessed by partition key and primary key.
Office 365 Sharepoint Online - Sharepoint Online is a document management and storage system delivered as part of Microsoft Online Services suite.
Office 365 Exchange Online - Exchange Online is Exchange Server delivered as a cloud service hosted by Microsoft.
G-Suite (G-Mail and G-Drive)
Note
Before adding any Cloud data store, make sure that you have the required user credentials handy.
Use the Add Data Store wizard to add a big data type data store. Adding a Big Data data store involves the following steps:
1. Select Store Type
In the Select Store Type screen of the wizard select Cloud in the Select Data Store Category.
From the Select Database Type drop-down list select:
AWS S3
Azure Blobs
Azure Table
Office 365: Sharepoint Online
Office 365: Exchange Online
G-Suite
Click Next to go on to the Configure Connection screen.
2. Configure Connection
AWS S3 Data Store
Provide the user security credentials, which consist of an Access Key ID and a Secret Access Key.
Access Key ID: Enter the Access Key ID that you obtained from your storage account administrator. For example:
AKIAABCDEFGHIEXAMPLE
Secret Access Key: Enter the Secret Access Key as obtained from your storage account administrator. For example:
aBcDeFGHiJKLM/A1NOPQR/wxYzdcbAEXAMPLEKEYd
Select the Show Secret Access Key checkbox if you want to view the secret access key.
Click Next to move on to the General Info step of the wizard.
Azure Blobs Data Store
In the Configure Connection step, provide the following information:
Account Name: The name of your Azure Storage account.
User: The name of your Azure Storage account.
Active Access Key: Enter key1 or key2, which is your primary or secondary Azure account access key. If you do not know what they are, follow the steps in Obtaining the Azure Account Access Keys.
Tip
You should ask your Azure Storage account administrator which access key is currently active, since only one access key can be active at a time.
Click Next to move on to the General Info step of the wizard.
Azure Table Data Store
In the Configure Connection step, provide the following information:
Account Name: Enter your Azure account name.
User: Enter your Azure Storage account name.
Password: Your Azure password.
Click Next to move on to the General Info step of the wizard.
Office 365: Sharepoint Online Data Store
In the Configure Connection step, provide the following information:
Domain: Enter your SharePoint Online organization name. For example, if you access SharePoint Online at https://mycompany.sharepoint.com, enter mycompany.
User: Enter a valid SharePoint Online user's email address. The user must have Read permissions to the top-level root site collection, and minimum Read permissions to all site collections, sites and lists to be scanned.
Password: Enter the password for the SharePoint Online user.
Click Next to move on to the General Info step of the wizard.
Office 365: Exchange Online Data Store
In the Configure Connection step, provide the following information:
Exchange Online Domain: Enter a domain to scan mailboxes that reside on that domain. This is usually the domain component of the email address, or the Windows Domain.
Client ID: Enter your Exchange Online client ID (application ID).
Client Secret Key: Enter your Exchange Online client secret key. Select the Show Client Secret Key check-box to view the key.
Tenant ID: Enter your Office 365: Exchange Online tenant ID. Your Microsoft 365 tenant ID is a globally unique identifier (GUID) that is different than your organization name or domain.
Click Next to move on to the General Info step of the wizard.
G-Suite
In the Configure Connection step, provide the following information:
Domain: The G-Suite domain that you want to scan in the G Suite Domain field. For example, if your G-Suite administrator email is admin@example.com, your G-Suite domain is example.com.
Admin User: The G-Suite administrator account email address. Use the same administrator account used to Enable APIs and Set up Domain-Wide Delegation.
Service Account: Your Service account ID, for example, ddc-service-account@vertical-tuner-322508.iam.gserviceaccount.com.
IP12 Key: Upload the P12 key associated with your Service account ID.
For details, refer to the information in Configuring a G-Suite Account.
Click Next to move on to the General Info step of the wizard.
3. General Info
In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" for details.
Configure the General Info part per the information in General Info.
Click Next to go to the Add Tags & Access Control screen.
4. Add Tags & Access Control
In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add metadata. See "Configuring a Data Store – Tags and Access Control" for details.
Configure the Tags & Access Control par per the information in Tags & Access Control.
Click Save. The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration.
The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Recommended Least Privilege User Approach: !!! note To reduce the risk of data loss or privileged account abuse, the Target credentials provided for the intended Target should only be granted read-only access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.
Click Save to create the data store. At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration.
The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
General Information
The General Info screen in the Add Data Store wizard allows you to specify the name, description, branch location, and sensitivity level of your data store. More details below:
Name - the name of your data store. The name must be longer than two characters and up to 64 characters.
Description - the description for the data store (up to 250 characters).
Branch Location - select a branch location from the drop-down list. If no branch location is available, you have to create it. See Managing Branch Locations for details.
Sensitivity Level - select a sensitivity level from the drop-down list. A sensitivity level suggests to DDC what level of sensitivity is acceptable to find in this data store. For details, see Sensitivity Levels.
Enable Data Store - when selected it means that this data store is available for scans. The Enable Data Store check box is selected by default. If the check box is cleared, the data store is disabled (not available) for scans.
Note
The Enable Data Store check box is selected by default. This means that this data store is available for scans. If the check box is cleared, the data store is disabled (not available) for scans.
Tags and Access Control
The Add Tags & Access Control screen in the Add Data Store wizard allows you to grant access rights to your data store and add tags. More details below:
ACCESS - select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store. The available options are:
All groups: All groups of users can access the data store through reports. This is the default setting.
Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group. If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.
TAGS - select a tag from the Add Tag drop-down list. Please check the list of prebuilt tags in Predefined Tags.
Tip
- New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
Add as many tags as needed.
To remove a tag, click the close icon in the tag name.
- New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" for details.
In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add metadata. See "Configuring a Data Store – Tags and Access Control" for details.
Click Save to create the data store. At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration. The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Obtaining the Azure Account Access Keys
If you need to find out what your Azure account access keys are:
Log into your Azure account.
Navigate to All resources > [Storage account].
Click Access keys under Settings.
Note down the key1 (primary) and key2 (secondary).
The primary and secondary access keys are used to make rolling key changes. Only one access key can be active at a time. Ask your Azure Storage account administrator which access key is currently active, and use that key to connect DDC to your Azure Storage account.
Configuring a G-Suite Account
Because the Google API imposes certain restrictions on software attempting to access data on their services setting up a G-Suite account as a data store requires more work than other cloud services. You perform the procedure via the Google Cloud Platform console.
Before you can add a G-Suite product as Data Store, you must have a G-Suite administrator account for the target G-Suite domain. It must be a G-Suite account for personal Google accounts are not supported.
To configure your G-Suite account for scanning you need to:
Selecting a Project
Log into the Google Developers Console.
Click the Select a project menu to expand it. The Select dialog box opens and displays a list of existing projects.
In the Select dialog box, you can:
Select an existing project.
Create a new project (recommended).
Select a project in the Google Developers Console to enable G Suite APIs.
To select an existing project:
Click a project.
Click OPEN.
To create a new project:
Click the NEW PROJECT button.
In the New Project page, enter your Project name and click CREATE.
After creating or selecting a project you are taken to its APIs & Services page. In it you can click the +ENABLE APIS AND SERVICES button (at the top of the screen).
Enabling APIs
To enable G-Suite APIs:
Select a Project.
In the project Dashboard, click +ENABLE APIS AND SERVICES. This displays the API Library.
Enable the Admin SDK API.
a. Under G-Suite APIs, click Admin SDK.
b. Click the ENABLE button when the Admin SDK API is displayed. The Admin SDK API statistics screen is displayed.
Repeat the above steps to enable also these APIs:
Gmail API (for Google Mail)
Google Drive API (for Google Drive)
Tip
If you are lost after the previous step, and are not sure where to enable these, click the toolbar icon on the top left side of the Dashboard (the three horizontal dashes), then Home, then Go to APIs overview in the APIs panel (the link at the bottom of it).
Creating a Service Account
To create a service account in the Google Developers Console for use with DDC scans:
Click the menu on the upper-left corner of the Google Developers Console (the three horizontal dashes on the top left side of the Dashboard).
Select IAM & Admin -> Service Accounts.
Click the +CREATE SERVICE ACCOUNT button.
In the Create service account dialog box, enter the following:
a. Service Account Details:
Service account name - Display name for this service account. For example, doc-service-account.
Service account ID - it will be autocompleted with your Service account name (above) and your earlier created postfix. You will need this Service account ID later for configuring DDC. In the Service account for project "such-and-such" you can now see your service account. An example service account ID: ddc-service-account@vertical-tuner-322508.iam.gserviceaccount.com.
Service account description (optional).
b. Click the CREATE AND CONTINUE button.
c. Grant this service account access to project:
- Select a role - click into the text boxt to open a search dialog (Type to filter 'owner', then select 'Owner' Full access to all resources).
d. Click the CONTINUE button.
e. Grant user access to this service account (optional). In this section just click DONE.
To complete the procedure, you need to add a private key. For that:
a. Click the three vertical dots in the Actions column in the Service account for project screen.
b. Then select Manage keys. You will be taken to the Keys screen.
c. Click the ADD KEY pull down menu, and then select the Create new key option.
d. In the Key type, select the P12 radiobutton.
e. Click CREATE. The Service account and key created dialog box displays, and you can save the P12 key to your computer. This key is normally not requiered but you should keep it in a safe location, just in case.
!!! tip The dialog box displays the private key’s password: notasecret - you can disregard this password.
f. Click CLOSE.
Write down the newly created service account’s Service account ID and Key ID.
Setting up Domain-Wide Delegation
To be able to access your G-Suite domain with the Service Account, you must set up and enable domain-wide delegation for it. To set up domain-wide delegation for an existing service account:
Click on the service account name that you created in Creating a Service Account step. To use the same example: ddc-service-account@vertical-tuner-322508.iam.gserviceaccount.com.
On the account DETAILS tab, click the SHOW DOMAIN WIDE DELEGATION link at the bottom to expand that section.
Select the Enable Google Workspace Domain-Wide Delegation checkbox. Additional configuration options will be displayed.
Click inside the Product name for the consent screen field and type in the product name. For example: "DDC-service-account".
Click SAVE and a message "Account 'such-and-such' has been updated" is displayed. Also a new field Client ID appears with a client identifier. Note down the client id as you will need it later.
Go to the G-Suite Admin Console. For that, you need to open a new tab or window in your browser.
a. Log in to your G-Suite Admin Console account. It has to be an administrator account.
b. In the navigation panel on the left, click Security -> API controls. Select Security to manage security features in the G Suite admin console.
c. In the API controls screen that is displayed, scroll down to the Domain wide delegation section (at the bottom of the page).
d. In the Domain wide delegation section, click the MANAGE DOMAIN WIDE DELEGATION link. This will take you to a screen displaying a list of all the service accounts that you already have created (the breadcrumb of this screen: Security -> API Controls -> Domain-wide Delegation).
e. Click the Add new link to create a new service account. A pop-up dialog Add a new client ID opens. You need to provide:
Client ID - This is the client ID that you were supposed to note down in the previous step (Step 5).
OAuth Scopes - type in or copy-paste these URIs (i.e. API Scopes). You can use one line and separating them with commas, or use separate fields for each scope:
- Required for all: https://www.googleapis.com/auth/admin.directory.user.readonly
- Google Mail: https://mail.google.com/
- Google Drive: https://www.googleapis.com/auth/drive.readonly
f. Click AUTHORIZE to complete the acccount configuration and a new service account with its scopes is displayed in the list (as "DDC-service-account" to use the same example as in Creating a Service Account).
Navigate back to the API controls screen (click Security -> API controls in the toolbar on the left).
In the App access control panel, click the MANAGE THIRD-PARTY APP ACCESS link to go to a list of Connected apps (breadcrumb: Security -> API controls -> App Access Control).
Click the Configure new app menu and select the option OAuth App Name Or Client ID.
In the Configure an OAuth app screen that opens, search for your client ID. This is the client ID that you were supposed to note down in Step 5. Type it in or paste in the search field and click SEARCH. The search should return your service account name, that is, to use the same example as before, "DDC-service-account".
Click this account in the App name panel and then click the Select button on the right. You will be taken to the app access configuration screen for your client ID.
In the access configuration screen for your client ID:
a. Click to select the checkbox for your client ID.
b. Click SELECT to continue.
c. In the App access screen, you must choose which access type will be applied to your client ID. Select the Trusted radiobutton.
d. Click CONFIGURE to continue.
Now, your service account has "Trusted" in the Access column, in the list of Connected apps and this is what we aimed for.