About
We are pleased to announce the ability to add Attribute-based Access Control (ABAC) to Virtru Private Keystore for Google Workspace CSE as of v5.7.0. By applying Drive Labels and checking specific attributes in the Virtru Private Keystore container for CSE, we can add additional control as well as further restrict access more granularly, based on the Labels applied to a CSE file. This feature also applies to Shared Files within Google Drive.
Important Notes to Consider Prior to Implementation:
- Enabling the DRIVE_LABELS feature flag will impact all new and existing CSE files, including previously created CSE files that have no Drive Label applied. To ensure continued accessibility, users can either apply a Drive Label to existing CSE files before enabling the feature flag, or apply the Label after the feature flag has been enabled.
- This feature requires that Google Group Names follow the format classification-"label-name" and be associated with the Drive Label that will be used to classify CSE content. Once the Drive Labels integration is enabled, the Virtru Private Keystore will check for all group names that match the prefix above and verify them against the author and the user(s) you are sharing CSE content with. If the CSE file is missing a Drive Label that corresponds to a Google Group Name matching the prefix format, access to the CSE file will not be granted until the appropriate Drive Label has been applied to the CSE file.
Prerequisites
- This document assumes you have a fully functioning Virtru Private Keystore (VPK) for Google Workspace CSE running v5.9.1 or newer.
- Ensure you are working within your existing CSE project folder (e.g., Virtru).
- Prior to making changes on your server, we recommend creating a copy of the existing /cse directory.
Step 1: Enable Required API & Services
- Enable Google Drive API - This API allows programmatic access to Google Drive, including permissions management and file interactions.
- Enable Admin SDK API - This API allows access to Google Workspace management capabilities for users, groups and organization.
- Enable Drive Labels API - This API is specifically designed to allow access for managing and applying Drive Labels on files.
Click each link and hit the Enable button to activate the respective APIs for your project.
Step 2: Configure Google Admin and Service Account
Create a Google Group
- Use the format classification-<label-name>
- Add the desired users to the group that will be associated with the classification label.
- Note: Users must be added individually; nested groups are not supported at this time.
The application matches the "title" field of the returned Drive Label data against the group name, so the label title is expected to be returned exactly as written in the Drive Label manager (including capitalization).
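The following is an added illustration of the access decision the two notes above describe (prefix-matched group names, exact label-title matching, and the no-label case); it is not Virtru's code, and the group prefix, label titles and user memberships below are constructed sample values.

```python
# Added illustration of the Drive Labels ABAC check described on this page.
# Assumption: a user may open a CSE file only if one of the file's Drive Label
# titles exactly matches the suffix of a "classification-" group the user is in.
GROUP_PREFIX = "classification-"  # prefix from the page; label-name follows it


def classification_labels_for(groups):
    """Label titles implied by a user's classification- group memberships."""
    return {g[len(GROUP_PREFIX):] for g in groups if g.startswith(GROUP_PREFIX)}


def access_allowed(file_labels, user_groups):
    """True when a label title on the file matches a classification- group suffix.

    Matching is case-sensitive, mirroring the note that the label title must be
    returned exactly as written in the Drive Label manager. A file carrying no
    Drive Label is denied once the feature flag is enabled.
    """
    if not file_labels:
        return False
    return bool(set(file_labels) & classification_labels_for(user_groups))


def explain(file_labels, user_groups):
    """Human-readable reason for the decision, e.g. for an audit log line."""
    if not file_labels:
        return "denied: file has no Drive Label applied"
    wanted = classification_labels_for(user_groups)
    matched = set(file_labels) & wanted
    if matched:
        return "allowed: label(s) %s match group membership" % sorted(matched)
    # Flag the common misconfiguration: same name, different capitalization.
    lowered = {w.lower() for w in wanted}
    near = sorted(l for l in file_labels if l.lower() in lowered)
    if near:
        return "denied: label %s differs only in case from a group suffix" % near
    return "denied: no classification- group matches the file's labels"


if __name__ == "__main__":
    # Constructed sample: one user in two groups, three files with differing labels.
    user_groups = ["everyone@example.com", "classification-Confidential"]
    for labels in (["Confidential"], ["confidential"], [], ["Public", "Internal"]):
        print(labels, "->", explain(labels, user_groups))
```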
Create a Service Account (SA) in Google Console
- Navigate to Service Accounts in your project folder (e.g., Virtru)
- Click +CREATE SERVICE ACCOUNT and set the following:
- Name: Virtru-SA
- Service account ID: virtru-sa
- Click CREATE AND CONTINUE, then DONE
The Service Account (SA) role/permissions do NOT have to be specified in this step and can be left blank. The permissions for this new SA will be determined in the steps below via Domain-Wide Delegation.
Virtru also recommends adhering to your organization's security policies along with this integration.
Generate and Save the SA Key
- In the Service Account’s Keys tab, click ADD KEY > Create new key.
- Key type: JSON > click CREATE.
- Save the downloaded key as keyFile.json.
Step 3: Add Domain-Wide Delegation (DWD)
Ensure you’re working in the existing project folder (e.g., Virtru) for your CSE
Navigate to domain-wide delegation
- Copy the client_ID from the Service Account’s Details tab or from the keyFile.json
- In Google Admin Console:
- Go to Security > Access and data control > API Controls.
- Under Domain Wide Delegation, select Manage Domain Wide Delegation > Click "Add New"
- Enter the Client ID and scopes for your CSE version: in the Client ID field, enter the service account's Client ID; in the OAuth scopes (comma-delimited) field, enter the list of scopes that your application should be granted access to.
- Click Authorize
Step 4: Custom Role Creation and Permissions
The designated admin’s email will later be referenced in the cse.env file as SERVICE_ACCOUNT_EMAIL, or in values.yaml for Helm deployments. Ensure the SA also has Virtru Admin access and that the admin account can access Drive Labels.
It is recommended that you create a custom role with the following permissions and assign the role to the designated Google Workspace admin/owner.
- Log in to your Google Admin Console as a super admin.
- Navigate to Admin Console permissions.
- From the dashboard, go to Account > Admin roles.
- Click Create new role in the top-right corner.
- Name: e.g., "Drive and Security Manager"
- Description: "Grants permissions to manage Drive labels, monitor Drive activity in Security Center, and access group data with read-only privileges."
- Click Continue, then select the following privileges:
  - Admin Console Privileges:
    - Services > Drive and Docs > Settings > Manage Labels
    - Services > Security Center > This user has full administrative rights for Security Center > Audit and Investigation > View > Drive
  - Admin API privileges:
    - Groups > Read
- Click Continue, then CREATE ROLE.
Step 5: Creating Labels
- Go to Drive and Docs in Google Admin.
- Click New Label and enter the name (label names must match <label-name> in your classification- Google Group name).
- Enable the label under Drive and Docs.
- Set permissions to Can apply labels and set values for the Google Group or users.
- (Optional) Use Restricted Access or Can view this label only for specific configurations.
You can create multiple labels with different groups as needed, as long as you create a Google Group to associate with each label.