Liongard Roar

Roar Users Guide & Documentation


G Suite

This document provides the steps required to configure the Google G Suite Inspector.

Quick Details:

Typically Runs From: Managed Cloud Agent
Is Auto-Discovered By: N/A
Can Auto-Discover: Google G Suite Child Inspectors (Google Partners)
Parent/Child Type Inspector: Yes
Data Summary: Here

Inspector Setup Preparation

Step 1: Google Cloud Platform (GCP)

The first portion of the Inspector setup process takes place in the Google Cloud Platform. The following steps will run through creating a new project for the Inspector, enabling the required APIs, creating a service account, and adding all required IAM roles.

  1. To get started, log in to the Google Cloud Platform console using an account with super administrator privileges in the Google G Suite organization you're trying to inspect

  2. Under the project drop-down menu, to the left of the Google Cloud Platform logo, ensure that your Google G Suite organization/account is selected under Organization

  3. Select "New Project"

  4. Fill out the project details:
    Project Name: (Suggested) Liongard G Suite Inspector
    Organization: Your Parent organization
    Location: Parent organization

  5. In your left sidebar, select APIs & Services > Library

Search for the following APIs, select them, and then select Enable to activate them:

  • Admin SDK
  • Enterprise License Manager API
  • Google Apps Reseller API

  6. Next, in the left sidebar, select IAM & admin > Service accounts. Here, select + Create Service Account

Fill out Create Service Account details:

  • Service account Name: (Suggested) Liongard G Suite Inspector User
  • Service account ID: auto-filled
  • Service account description: (Optional)

Once done, select Create.

  7. On the Service account permissions (optional) page, grant the following IAM roles to your service account using the Select a role drop-down menu:
  • Service Account User
  • Service Account Token Creator

Once done, select Continue.

  8. Skip the Grant users access to this service account (optional) section. In the Create key (optional) section, select + Create Key

Under Key type, ensure that JSON is selected, and select Create. This will download a file.

  • Keep this file handy, as the Inspector will need this to authenticate with Google's APIs

Lost Key File

If you lost your Key file, in the left sidebar navigate to Service Accounts. To the right of the Service account created for the Liongard G Suite Inspector, select the three-dot Actions menu, and select Create key. Again, ensure that JSON is selected, and select Create.

  9. Once done, select the three-dot Actions menu > Edit
  • Copy your Unique ID, as the Inspector will need this to authenticate with Google's APIs

Also here, expand the Show Domain-Wide Delegation drop-down, and select the checkbox to Enable G Suite Domain-wide Delegation.

You will be prompted to configure an OAuth consent screen. Fill in the details for the consent screen:

  • Product name for the consent screen: (Suggested) Liongard G Suite Inspector
  • Email address: (Auto-populated) If you would like to change this, select Configure Consent Screen > select Internal > select Create. Edit these fields as needed, and select Save.

Your service account has now been assigned a client.

Step 2: Google G Suite Admin Portal

  1. Once you've completed the steps above, navigate to the G Suite Admin console and log into your G Suite account as a domain administrator

  2. Navigate to Security from the list of visible controls

Here, select Advanced settings > Manage API client access.

  3. Fill out the Manage API client access fields:
  • Client Name: Enter the Unique ID copied from the Google Cloud Platform portion of the setup process
  • One or More API Scopes: Copy and paste the comma-delimited list of API scopes below
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.group.member.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.user.alias.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/admin.directory.customer.readonly,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
https://www.googleapis.com/auth/admin.reports.usage.readonly,
https://www.googleapis.com/auth/apps.order.readonly,
https://www.googleapis.com/auth/calendar.readonly,
https://www.googleapis.com/auth/calendar.events.readonly,
https://www.googleapis.com/auth/calendar.settings.readonly,
https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/drive.activity.readonly,
https://www.googleapis.com/auth/apps.licensing

Select Authorize to grant the listed API scopes on your Google G Suite account to the application you created.

Roar Inspector Setup

Step 1: Parent Inspector Setup

Since G Suite is a multi-tenant system where a single portal is used to manage many Environments, you will set up a single "Parent" Inspector that will then auto-discover "Child" Inspectors for each Environment.

In Roar, navigate to Admin > Inspectors > Navigate to the Google G Suite Inspector > Add System.

Fill in the following information:

  • Environment: Select the Environment this System should be associated with
  • Friendly Name: Suggested "[Environment Name] G Suite"
  • Agent: Select Cloud-Linux
  • G Suite Admin Email: Email of a Domain Administrator on the Google G Suite account to be inspected
  • Private Key: The entire contents of the Service Account Secret Key file you created during the Google Cloud Platform (GCP) portion of the setup process
  • Enable Google G Suite Reseller API: If you're enrolled as a Google G Suite Authorized Reseller, select this option to enable auto-discovery
  • Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule
  • Inspector Version: Latest

Select Save. The Inspector will now be triggered to run within the minute.

Step 2: Child Inspector Setup

After the first run of the Parent Inspector, your client G Suite organizations will be Auto-Discovered in the Discovered Systems tab on the Inspectors > G Suite page.

Navigate to the Discovered Systems tab in your Inspectors > G Suite page

  • Activate or Archive your Discovered Systems by ensuring that they're mapped to the correct Environment > Check the checkbox to the left of Inspector(s) > Select the Actions drop-down menu > Activate Launchpoints

Troubleshooting

This section documents some common errors you may run into and how to resolve them.

  • Error Message: "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
  • Potential Cause/Resolution: This error generally indicates that your client (application) isn't sufficiently authorized to perform some action in Google Cloud Platform.
    Check the following:
    • Check that "Domain-wide delegation" is enabled for your service account in the Google Cloud Platform console. This is included under Step #9 in the GCP portion of the setup process. For more information, reference this article from Google Cloud Platform's developer documentation.
    • Check that the scopes included in this document are properly entered in the G Suite Admin Console and that those scopes are associated with the Client ID of the service account you created. This is included under Step #4 in the G Suite portion of the setup process.
    • Ensure that the "Service Account Token Creator" and "Service Account User" IAM roles are assigned to your service account.
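
The scope and Client ID checks above can be run locally before retrying the Inspector. The following is an added example, not Liongard's or Google's code: the function names and sample values are constructed for illustration, and it assumes the `client_id` field of the downloaded JSON key is the service account's Unique ID.

```python
import json

SCOPE_PREFIX = "https://www.googleapis.com/auth/"
# Constructed sample: scopes from the list above pasted with a typo
# ("http") and a duplicate, plus the one entry that is not ".readonly".
PASTED_SCOPES = """
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
http://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/apps.licensing
"""
# Constructed stand-in for the downloaded JSON key (placeholder values).
SAMPLE_KEY = json.dumps({
    "type": "service_account", "client_id": "100000000000000000001",
    "client_email": "inspector@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER"})

def audit_scopes(pasted):
    """Split the comma-delimited scope string and classify each entry."""
    report = {"malformed": [], "duplicate": [], "not_readonly": [], "ok": []}
    seen = set()
    for scope in (s.strip() for s in pasted.split(",") if s.strip()):
        if not scope.startswith(SCOPE_PREFIX) or len(scope.split()) != 1:
            report["malformed"].append(scope)  # typo or missing comma
        elif scope in seen:
            report["duplicate"].append(scope)
        elif not scope.endswith(".readonly"):
            report["not_readonly"].append(scope)  # name lacks .readonly; review
        else:
            report["ok"].append(scope)
        seen.add(scope)
    return report

def check_key(key_json, client_name_entered):
    """Check the key file and the Client Name typed into the Admin console."""
    key = json.loads(key_json)
    required = ("client_email", "client_id", "private_key")
    return {
        "is_service_account": key.get("type") == "service_account",
        "missing_fields": [f for f in required if not key.get(f)],
        # Assumption: the key's client_id is the service account's Unique ID.
        "client_id_matches": key.get("client_id") == client_name_entered.strip(),
    }

if __name__ == "__main__":
    print(json.dumps(audit_scopes(PASTED_SCOPES), indent=2))
    print(check_key(SAMPLE_KEY, "100000000000000000001"))
```

Any entry reported under `malformed` or `duplicate` should be corrected in the Manage API client access form, and `not_readonly` entries are the ones to review when confirming the access granted to the service account.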

G Suite Quick Tips/FAQs

  • Does the G Suite Parent Inspector return data?
    Yes, the G Suite Parent Inspector does return data.

Inspector FAQs

Last Updated: 2020-05-07
