Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring Google G Suite Activity Reports to Communicate with JSA

 

Before you can add a log source in JSA, you must assign a role to a user, create a custom role with reports access, create a service account and grant API access to a service account in Google G Suite.

You must be a Google administrator with the ability to manage users. If you do not have access, contact your Google administrator.

  1. Assign a role to a user.
    1. Log in to the Google Admin Console and then click Users to access the Users page.

      Figure 1: Google Admin Users
      Google Admin Users
    2. Click the name of the user that you want to grant access to.

      Figure 2: Google Admin User
      Google Admin User
    3. Click in the Admin roles and privileges section to open the Admin roles and privileges page, and then click the edit icon.

      Figure 3: Admin Roles and Previleges
      Admin Roles and Previleges
    4. Assign a role that has reports access. By default, the Super Admin role has this privilege. Alternatively, create a new role with reports privilege.

  2. Create a custom role with reports access.
    1. To create the role, click CREATE CUSTOM ROLE.

    2. On the Admin roles page, click CREATE A NEW ROLE.

      Figure 4: Create a New Role
      Create a New Role
    3. On the Privileges tab, select the Reports check box, and then click Save.

      Figure 5: New Role Previleges
      New Role Previleges

      This role appears in the roles section as an option when you assign a role to a user.

  3. Create a service account with viewer access.
    1. On the Google Cloud Platform (GCP) APIs & Services page, click Credentials.

    2. Select Create credentials > Service account key.

    3. From the Service account list, select New service account.

    4. In the Service account name field, type a name for the service account.

    5. From the Select a role list, select Project > Viewer.

      Figure 6: Create Service Account Key
      Create Service Account Key

      The Service account ID field is automatically populated.

    6. Select JSON for the Key type, and click Create.

      A JSON file that contains the service account credentials downloads to your computer. When prompted to open or save the file, save the file to a location of your choice. You need the contents of the JSON file for the Service Account Credentials parameter value when you add a log source in JSA.

  4. Grant API client access to a service account.
    1. On Google Admin, click Security > Advanced settings > Manage API Client Access.

      Figure 7: Manage API Client Access
      Manage API Client Access
    2. In the Client Name field, enter the value from the client_id field in the JSON file that you downloaded in Step 3. In the One or More API Scopes field, type https:// www.googleapis.com/auth/admin.reports.audit.readonly.

      Figure 8: One or More API Scopes Field
      One or More API Scopes Field