Liongard

Roar Users Guide & Documentation

Welcome! You'll find comprehensive guides and documentation to help MSPs start working with Liongard's Roar as quickly as possible, as well as support if you get stuck. Let's go #MakeITRoar!

Get Started    

Google Cloud Services Inspectors

The following document is intended to support users as they deploy Google Cloud Services Inspectors (Google Workspace and Google Drive).

👍

Quick Details

Recommended Agent: On-Demand
Supported Agents: On-Demand or Self-Hosted
Is Auto-Discovered By: N/A
Can Auto-Discover: Child Inspectors (Delegated Access)
Parent/Child Type Inspector: Yes
Inspection via: API
Data Summary: Google Workspace, Google Drive

Overview

See it in Action

Google Workspace

Video isn't playing? Click here.

Google Drive

Video isn't playing? Click here.

Deployment

Liongard Google Cloud Services Inspectors run via service accounts set up in the Google Cloud Platform and are configured similarly.

To set up all Google Cloud Services Inspectors, you will complete the following steps:

Once you have set up your service account and authorized it, you should use it across all Google Cloud Services Inspectors

For each Inspector Type (e.g. Google Workspace, Google Drive, etc), you will follow the following steps.

Inspector Setup Preparation

Step 1: Create a Project in Google Cloud Platform

The first portion of the Liongard Google Cloud Services Inspectors' setup process takes place in the Google Cloud Platform. The following steps will run through how to create a new project for the Inspector.

  1. Log in to the Google Cloud Platform console using an account with super administrator privileges in the Google Workspace organization you're trying to inspect.

  2. Under the Project drop-down menu, to the left of the Google Cloud Platform logo, ensure that your Google Workspace organization/account is selected under Organization.

  3. Select "New Project" and fill out the project details:
    Project Name: Liongard Inspector
    Organization: Parent organization
    Location: Parent organization location

Step 2: Enable Required APIs

Liongard's Google Cloud Services Inspectors require several different APIs to be enabled in your project. In this step, we'll run through enabling these APIs via the API Library.

  1. In the left-hand sidebar, select APIs & Services > Library
  1. Reference the table below to determine which APIs to enable. Then, select Enable to activate them:

API

Full Suite

Google Workspace

Google Drive

Admin SDK API

Y

Y

Y

Google Workspace Reseller API (optional)

Y

Y

Y

Enterprise License Manager API

Y

Y

N

Google Drive API

Y

N

Y

Example:

Step 3: Create a Service Account

In this step, we'll run through how to configure a service account to make requests against Google's APIs.

  1. In the left-hand sidebar, select IAM & Admin > Service Accounts.
  2. Select + Create Service Account and fill out the service account details as follows:
  • Service account Name: Liongard Inspector (Suggested)
  • Service account ID: Leave auto-filled input
  • Service account description: (Optional)
  1. Once done, select Create.
  1. For the Grant this service account access to project (optional), grant the following IAM roles to your service account using the Select a role drop-down menu, select service accounts, and select the below options:
  • Service Account User
  • Service Account Token Creator
  1. Once done, select Continue.
  1. Skip the Grant users access to this service account (optional) step. Using the "Actions" menu on the far right of your new service account's row, select Manage keys.
  1. On the next page, select Add Key > Create new key
  1. Select JSON for key type. Then, select Create. This will download a private key file. Keep this file handy, as Liongard Google Cloud Services Inspectors will need it to authenticate with Google's APIs. Treat this file like you would a sensitive password.

📘

Replacing Your Private Key File

If you happen to lose your original private key file, you can repeat the aforementioned steps to generate a new private key file.

  1. While you're still in the service account settings menu, select the Details tab on the far left and select Show Domain-Wide Delegation to reveal a checkbox labeled Enable G Suite Domain-wide Delegation, then enable it.

  2. While you're on the "Details" tab, copy down the value labeled Unique ID. You'll need this value to identify your service account when authorizing it in your Google Workspace account.

You can also find this value inside the private key file you downloaded.

  1. You will be prompted to configure an OAuth consent screen. Fill in the details for the consent screen:
  • Product name for the consent screen: Liongard Inspector (Suggested)
  • Email address: (Auto-populated) If you would like to change this, select Configure Consent Screen > select Internal > select Create. Edit these fields as needed, and select Save.

Your service account has now been assigned a client.

Step 4: Authorize Your Service Account in Google Workspace

  1. This step takes place in the Google Workspace admin console. In any web browser, go to admin.google.com and log into your Google Workspace account as a super administrator.

  2. Select Security from the list of visible controls.

  1. At the bottom of the next page, select API controls > Manage Domain Wide Delegation.
  1. On the next page, select Add new.
  1. In the Add a new client ID modal, add the unique (client) ID associated with the service account you created. Under OAuth scopes (comma-delimited), copy-and-paste the required scopes for the Inspector(s) you wish to configure (see the lists below) and select Authorize:

Google Workspace:

https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.group.member.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.user.alias.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/admin.directory.customer.readonly,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
https://www.googleapis.com/auth/admin.reports.usage.readonly,
https://www.googleapis.com/auth/apps.order.readonly,
https://www.googleapis.com/auth/calendar.readonly,
https://www.googleapis.com/auth/calendar.events.readonly,
https://www.googleapis.com/auth/calendar.settings.readonly,
https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/drive.activity.readonly,
https://www.googleapis.com/auth/apps.licensing

Google Drive:

https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/apps.order.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.domain.readonly,

Liongard Inspector Setup

For each system you are deploying, you must first set up a Parent Inspector and then activate the Child Inspectors. Repeat these steps for each system you wish to deploy Inspectors.

Step 1: Parent Inspector Setup

Since Google Cloud Services Inspectors are multi-tenant systems where a single portal can be used to manage many Environments, you will set up a single "Parent" Inspector that will then auto-discover "Child" Inspectors for each Environment.

In Liongard, navigate to Admin > Inspectors > Navigate to the Appropriate Google Cloud Services Inspector > Add System.

Fill in the following information:

  • Type of Inspector: Parent
  • Environment: Select your MSP's Environment
  • Friendly Name: Suggested "[MSP Name] [Inspector Name] Parent"
  • Agent: Select On-Demand Agent
  • Inspector Version: Latest
  • Google Workspace Admin Email: Email of a Super Administrator on the Google Workspace account to be inspected under Google Workspace Admin Email
  • Private Key: The entire contents of the private key file you created during the Google Cloud Platform (GCP) portion of the setup process
  • For Google Workspace: Enable Google Workspace Reseller API: If you're enrolled as a Google Workspace Authorized Reseller, select this option to enable auto-discovery
  • Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule

Select Save. The Inspector will now be triggered to run within the minute.

Step 2: Child Inspector Setup

After the first run of the Parent Inspector, your client Google Cloud Services organizations will be auto-discovered in the Discovered Systems tab on the Inspectors > Appropriate Google Cloud Services Inspector page.

Navigate to the Discovered Systems tab in your Inspectors > Appropriate Google Cloud Services Inspector page

  • Activate or Archive your Discovered Systems by ensuring that they're mapped to the correct Environment > Check the checkbox to the left of Inspector(s) > Select the Actions drop down menu > Activate Launchpoints

Optional: Turn on Flexible Asset/Configuration Auto-Updating

If you would like these Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for these Inspectors:

  • ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
  • IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled

Updated 8 days ago


Google Cloud Services Inspectors


The following document is intended to support users as they deploy Google Cloud Services Inspectors (Google Workspace and Google Drive).

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.