Google Workspace Setup


Overview

A Google Workspace integration with Grip enables Grip to pull in email, sign-in, and additional data from a Google Workspace tenant. Once integrated, Grip will initiate a discovery process to ingest this data, providing insight into SaaS usage in your organization.

This guide walks you through the integration step by step.

This article also covers the necessary permissions and procedures for integrating Google Workspace with Grip's SSPM module.

Prerequisites

Administrator account for the Google Workspace tenant undergoing integration.

Setup process

Step 1 – Create a project

  1. Go to Google Cloud Console.

  2. On the top bar, click the project selector.

  3. In the dialog box that pops up, click New Project.

  4. Complete the form as follows:

    • Project name: Grip Security Project

    • Organization: <An organization of your choice>

    • Location: <Location of your choice>

Note: You can leave the Organization and Location fields at their default values.

  5. Click Create.

  6. Click the project selector again, and select the newly created Grip Security Project.

  7. After creating the project, go to the Dashboard view and make sure that the newly created Grip Security Project is selected. Write down the Project ID value that appears in the top-left widget.

Step 2 – Create a service account

  1. Go to Service Accounts.
    Ensure you are still on the Grip Security Project, using the project selector widget at the top of the screen.

  2. Click Create Service Account.

  3. Complete the form as follows:

    • Service account name: Grip Security Service Account

    • Service account ID: <Leave the default value as is>

    • Service account description: <Enter your own description, if necessary>

  4. Click CREATE AND CONTINUE, and then click DONE.

  5. Copy the Service account email and the OAuth 2 Client ID, as you will need them at a later stage.

  6. Click the 3-dots icon under the Actions column of the new service account and click Manage keys.

  7. Click ADD KEY, and in the dropdown menu, select Upload existing key.

  8. Paste or upload the public key file provided by Grip and click UPLOAD.

  9. Write down the Key ID of the newly created key.

Step 3 – Delegate permissions

  1. Go to the Google Workspace Admin console's Domain-wide Delegation settings, and click Add New.

  2. Complete the form as follows:

    • Client ID: Paste the OAuth2 Client ID you wrote down earlier

    • Overwrite existing client ID: Leave unchecked

    • OAuth scopes: Paste the following comma delimited list:

For Google Workspace Discovery

https://www.googleapis.com/auth/cloud-platform.read-only,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly

For both Google Workspace Discovery and SSPM

https://www.googleapis.com/auth/cloud-platform.read-only,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/apps.groups.settings,https://www.googleapis.com/auth/cloud-identity.policies.readonly

  3. Click Authorize.

  4. Enable the Gmail API, Admin SDK API, and Service Usage API by clicking the ENABLE button in each.
    Ensure the Grip Security Project is selected in the project selector at the top of the screen.


For Google Workspace SSPM permissions, also enable the Groups Settings API and the Cloud Identity API.

Note:

To use the Google API’s domain-wide delegation feature, Grip requires the email address of the administrator who provided those delegated permissions for the domain.
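The following is an added example, not Grip's code or part of this guide. It takes the two comma-delimited scope lists from Step 3 and checks them the way a reviewer would before clicking Authorize: every entry is a well-formed Google API scope, the SSPM list is a superset of the Discovery list, and each scope is classified as read-only or write-capable (the suffix convention Google uses). It then builds the claim set of the JWT that a domain-wide-delegated service account sends to Google's token endpoint, which shows why the note above asks for the administrator's email address: that address becomes the `sub` claim the service account impersonates. The service account address, admin address, and timestamps used at the bottom are constructed placeholders; signing the JWT requires the service account's private key, which this guide leaves with Grip, so the example stops at the claim set.

```python
"""Added example, not Grip's code: audit the OAuth scope lists that Step 3
delegates to the service account, and build the claim set of the JWT that a
domain-wide-delegated service account presents to Google's token endpoint.
The scope lists are the ones from this guide; the service account address,
admin address and timestamps used at the bottom are constructed placeholders."""
import json
import time

SCOPE_PREFIX = "https://www.googleapis.com/auth/"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"  # 'aud' of the delegation JWT

# The two comma-delimited lists from Step 3, exactly as pasted into the form.
DISCOVERY_SCOPES = ",".join(SCOPE_PREFIX + s for s in (
    "cloud-platform.read-only", "gmail.readonly",
    "admin.directory.user.readonly", "admin.directory.user.security",
    "admin.reports.audit.readonly", "admin.directory.group.readonly",
))
SSPM_SCOPES = DISCOVERY_SCOPES + "," + ",".join(SCOPE_PREFIX + s for s in (
    "admin.directory.domain.readonly", "admin.directory.orgunit.readonly",
    "apps.groups.settings", "cloud-identity.policies.readonly",
))


def parse_scope_list(text):
    """Split the form value and reject anything that is not a Google API scope
    (a stray space, a mistyped host or a duplicate would otherwise go unnoticed)."""
    scopes = [s.strip() for s in text.split(",") if s.strip()]
    bad = [s for s in scopes if not s.startswith(SCOPE_PREFIX)]
    if bad:
        raise ValueError(f"not Google API scopes: {bad}")
    if len(set(scopes)) != len(scopes):
        raise ValueError("duplicate scope in list")
    return scopes


def short_name(scope):
    """'https://www.googleapis.com/auth/gmail.readonly' -> 'gmail.readonly'."""
    return scope[len(SCOPE_PREFIX):]


def audit_scopes(text):
    """Classify each delegated scope as read-only or write-capable.
    Google's read-only scopes carry a 'readonly' / 'read-only' suffix; anything
    else can change tenant state and deserves a second look before authorizing."""
    names = [short_name(s) for s in parse_scope_list(text)]
    read_only = [n for n in names if n.endswith(("readonly", "read-only"))]
    write_capable = [n for n in names if n not in read_only]
    return {"read_only": read_only, "write_capable": write_capable}


def added_for_sspm(discovery_text, sspm_text):
    """Scopes the SSPM list grants beyond Discovery; also checks that the SSPM
    list is a superset, so nothing Discovery needs is lost when it is pasted."""
    discovery = parse_scope_list(discovery_text)
    sspm = parse_scope_list(sspm_text)
    missing = [short_name(s) for s in discovery if s not in sspm]
    if missing:
        raise ValueError(f"SSPM list drops Discovery scopes: {missing}")
    return [short_name(s) for s in sspm if s not in discovery]


def build_delegation_claims(sa_email, admin_email, scope_text, now=None, lifetime=3600):
    """Claim set of the JWT used in the domain-wide delegation (JWT bearer) grant.
    'iss' is the service account, 'sub' is the Workspace admin being impersonated
    (which is why the admin's address has to be shared), 'scope' is the
    space-delimited list and 'aud' is the token endpoint. Signing with the service
    account's private key (RS256) is done by the key holder, so it is not done here."""
    now = int(time.time()) if now is None else now
    return {
        "iss": sa_email,
        "sub": admin_email,
        "scope": " ".join(parse_scope_list(scope_text)),
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + lifetime,
    }


if __name__ == "__main__":
    # Constructed placeholder identities; substitute your own when reviewing.
    sa = "grip-security-service-account@grip-security-project.iam.gserviceaccount.com"
    admin = "workspace-admin@example.com"
    for label, text in (("Discovery", DISCOVERY_SCOPES), ("Discovery + SSPM", SSPM_SCOPES)):
        print(label, json.dumps(audit_scopes(text), indent=2))
    print("added for SSPM:", added_for_sspm(DISCOVERY_SCOPES, SSPM_SCOPES))
    print(json.dumps(build_delegation_claims(sa, admin, DISCOVERY_SCOPES), indent=2))
```

Running it shows that the Discovery list contains one write-capable scope (admin.directory.user.security, which the custom-role appendix ties to SSO provisions and OAuth revocation) and the SSPM list adds a second (apps.groups.settings); the remaining scopes are read-only. Because the `sub` claim names a specific administrator, the token Google issues carries that administrator's privileges, so the account used for delegation should be the one whose role scope you intend Grip to have (see Appendix 2 for a custom role in place of a super admin).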

What’s next?

Securely send Grip the details you wrote down while setting up the integration:

  • Key ID

  • Project ID

  • Service account email

  • OAuth2 Client ID / Unique ID

  • Email address of the Google Workspace administrator account (required for domain-wide delegated scopes in the Google Workspace API)

Appendix 1 - Google Workspace SSPM integration

To complete the Google Workspace posture SSPM integration with Grip, you will need to get the Customer ID.

Get the Customer ID from admin.google.com, under “Account” » “Account Settings”.

Connecting to Grip portal

From the Grip portal, go to Integrations » Google Workspace » Connect » Connect for Posture Management.

Populate the required fields:

Field Name               | Description and Source
-------------------------+---------------------------------------------------------------------------
Display Name             | Provide a friendly display name for the tenant
Tenant ID (Customer ID)  | admin.google.com » “Account” » “Account Settings” » “Customer ID”
Project ID               | console.cloud.google.com » Project selector » copy the ID of the Grip project
Client Email & Client ID | console.cloud.google.com » IAM & Admin » Service Accounts » choose the discovery service account; copy the Email into Client Email and the OAuth2 Client ID into Client ID
Domain Admin             | The email address of the domain admin

  • Click “Add Tenant”.

The connected tenant will now be visible and manageable under the Integrations » Manage tab.

Once the integration is connected, you will be able to see and filter your policy statuses, assess your security posture, and begin fixing it.

Note:

The policies will be synced and updated on a daily basis.

Appendix 2 - Providing limited permissions

Using a Custom Role instead of a Google Workspace Admin

Note: When using a Custom Role for the Google Workspace Integration, SSO provisions from super admin users will not be available, since only a super admin can access other super admins' SSO settings.

  • To create a custom role, navigate to Accounts (1) » Admin roles » Create new role (2).

  • Give the role a name (3) and click on Continue.

  • Add the privileges to the role (4):

Privilege                 | Why it is required
--------------------------+-------------------------------------------------------------
Reports                   | Required for sign-ins
User Security Management  | Required for SSO provisions and OAuth revocation
Users - read              | Required for listing users in the Google Workspace Directory
Groups - read             | Required for listing users in the Google Workspace Directory
Organization Units - read | Required for listing OUs in the Google Workspace Directory

SSPM - additional privileges:

  • Services » Group for Business » Groups Service Settings

  • Domain Management

  • Click Create.

  • The role will be added to the Admin roles list and the custom role window will open. Click Assign members (5).

  • Search for the member to whom you want to assign the role (6), then click ASSIGN ROLE.

The role and the assigned admin will be created.

Granting the custom role user access to view quotas

These steps enable our discovery process to query Google APIs more efficiently while adhering to rate limits.

Without access to view service quotas, we rely on safe default settings when requesting data from Google.

  • In the Google Cloud console, select the project containing the Custom Role and the assigned user.

  • Click IAM & Admin (1).

  • Under the Allow tab, click Grant Access (2).

  • Under Add principals, select the user used with the custom role (3).

  • Under Assign roles, type "Quota" and select Quota Viewer (Beta) (4).

  • Click Save.

The permissions are now added under the role.