Configuring Google G Suite Activity Reports to Communicate with JSA
Before you can add a log source in JSA, you must assign a role to a user, create a custom role with reports access, create a service account and grant API access to a service account in Google G Suite.
You must be a Google administrator with the ability to manage users. If you do not have access, contact your Google administrator.
- Assign a role to a user.
Log in to the Google Admin Console and then click
Usersto access the Users page.
Click the name of the user that you want to grant access to.
Click in the Admin roles and privileges section to open the Admin roles and privileges page, and then click the edit icon.
Assign a role that has reports access. By default, the Super Admin role has this privilege. Alternatively, create a new role with reports privilege.
- Create a custom role with reports access.
To create the role, click CREATE CUSTOM ROLE.
On the Admin roles page, click CREATE A NEW ROLE.
On the Privileges tab, select the Reports check box, and then click Save.
This role appears in the roles section as an option when you assign a role to a user.
a service account with viewer access.
On the Google Cloud Platform (GCP) APIs & Services page, click Credentials.
Select Create credentials > Service account key.
From the Service account list, select New service account.
In the Service account name field, type a name for the service account.
From the Select a role list, select Project > Viewer.
The Service account ID field is automatically populated.
Select JSON for the Key type, and click Create.
A JSON file that contains the service account credentials downloads to your computer. When prompted to open or save the file, save the file to a location of your choice. You need the contents of the JSON file for the Service Account Credentials parameter value when you add a log source in JSA.
- Grant API client access to a service account.
On Google Admin, click Security > Advanced settings > Manage API Client Access.
In the Client Name field, enter the value from the client_id field in the JSON file that you downloaded in Step 3. In the One or More API Scopes field, type https:// www.googleapis.com/auth/admin.reports.audit.readonly.