Google Drive


For Google Drive we work with a Google service account provided by uman. During the set-up process you will be given a service account email address and a service account identifier, both generated on uman's side.

Pre-requisites

A Google Workspace is required for uman to be able to index content. The workspace context is needed to adopt the permissions consistently.

Scopes

You then need to grant the service account access to the desired Google Shared Drive folders (viewer access is enough). You can also grant access to a subfolder within a Shared Drive, but contributor access will be required to retrieve the file permissions. Adding the service account to the Shared Drive will grant the following permissions implicitly:

  • https://www.googleapis.com/auth/drive.readonly: required to read all Google Drive folders within the Shared Drive and download files that need to be indexed in uman.
  • https://www.googleapis.com/auth/drive.activity.readonly: required to read activities related to those files.

In addition to adding the service account to the desired Shared Drives, you need to grant the service account the following domain-wide scopes:

  • https://www.googleapis.com/auth/admin.directory.user.readonly: required to read all users, relevant for the metadata of files and permissions.
  • https://www.googleapis.com/auth/admin.directory.group.member.readonly: required to read all groups and their users in order to mirror the Google Drive permissions.

For instructions on how to grant these domain-wide scopes through domain-wide delegation, check the Google docs.

Setup process

Please follow the steps below:

  1. Retrieve the service account email address and identifier from the uman team.
  2. Grant the service account Viewer access to the desired Shared Drives.
    If a folder is shared (instead of a Shared Drive), grant the service account Contributor access to the folder. Otherwise, we won’t be able to perform the permission mirroring.
  3. Grant the service account the aforementioned domain-wide scopes.
  4. Let the uman team know that the steps above have been completed successfully, and provide the email address of an administrator (with at least the ‘User Management Admin’ and ‘Groups Reader’ roles) that uman can impersonate for the admin scope calls.
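
A least-privilege check for the grants made in the steps above, as an added example (not uman's code): it flags missing or excess domain-wide scopes and a service account role that is below or above what this page asks for. The function names, the inventory layout, the service account address and the sample data are assumptions constructed for illustration; the permission entries use the Drive API `emailAddress` and `role` fields, where Viewer is `reader` and Contributor is `writer`.

```python
# Added example: audit the grants from the setup steps for least privilege.
# All sample values (email address, inventory) are constructed for illustration.
REQUIRED_DWD_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
}
# Drive API role names: Viewer -> "reader", Contributor -> "writer".
EXPECTED_ROLE = {"shared_drive": "reader", "folder": "writer"}
ROLE_RANK = ["reader", "commenter", "writer", "fileOrganizer", "organizer", "owner"]

def audit_scopes(granted):
    """Compare the domain-wide delegation scopes with the two required ones."""
    granted = {s.strip() for s in granted if s.strip()}
    findings = [f"missing scope: {s}" for s in sorted(REQUIRED_DWD_SCOPES - granted)]
    findings += [f"excess scope: {s}" for s in sorted(granted - REQUIRED_DWD_SCOPES)]
    return findings

def audit_drive_grants(resources, sa_email):
    """Check the service account's highest role on each shared resource."""
    findings = []
    for res in resources:
        want = EXPECTED_ROLE[res["kind"]]
        roles = [p["role"] for p in res["permissions"]
                 if p.get("emailAddress", "").lower() == sa_email.lower()]
        if not roles:
            findings.append(f"{res['name']}: service account has no access")
            continue
        best = max(roles, key=ROLE_RANK.index)
        if ROLE_RANK.index(best) < ROLE_RANK.index(want):
            findings.append(f"{res['name']}: role {best} is below required {want}")
        elif ROLE_RANK.index(best) > ROLE_RANK.index(want):
            findings.append(f"{res['name']}: role {best} exceeds required {want}")
    return findings

SA_EMAIL = "indexer@example-project.iam.gserviceaccount.com"  # placeholder address
SAMPLE_SCOPES = [  # constructed: one required scope missing, one broader scope added
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group",
]
SAMPLE_RESOURCES = [  # constructed inventory, e.g. assembled from permission listings
    {"name": "Sales (Shared Drive)", "kind": "shared_drive",
     "permissions": [{"emailAddress": SA_EMAIL, "role": "organizer"}]},
    {"name": "Decks (folder)", "kind": "folder",
     "permissions": [{"emailAddress": SA_EMAIL, "role": "reader"}]},
]

if __name__ == "__main__":
    for line in audit_scopes(SAMPLE_SCOPES) + audit_drive_grants(SAMPLE_RESOURCES, SA_EMAIL):
        print(line)
```

An empty result from both functions means the grants match what this page requires and nothing more.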

Whitelist app for collect slides feature

To use the collect slides feature and save the slides to My Drive, you need to whitelist the uman app in your Google Workspace. You can do this by following the steps below:

  1. Go to the Google Workspace Admin App Access Control page
  2. Click on Add App followed by OAuth App Name or Client ID in the dropdown
  3. Copy 387164199820-pblevae6f5u2nr71jks6bp1ffbo7cpn7.apps.googleusercontent.com in the Client ID field
  4. Click on Search and select the uman app
  5. Click on Select followed by Select again
  6. Scope can be either everyone or specific organizational units, depending on your preference
  7. Click on Continue and then select Trusted. This is required for the collect slides feature to work.
  8. Complete the process by clicking on Finish on the next page