Google Drive

For Google Drive we work with a Google service account provided by uman.ai. During the set-up process you will be given a service account email address and a service account identifier, both generated on the uman.ai side.

Pre-requisites

A Google Workspace is required for uman.ai to be able to synchronize content. The workspace context is needed to adopt the permissions consistently.

Scopes

Subsequently you need to grant the service account access to the desired Google Shared Drive folders (viewer access is enough). It is important to note that access needs to be granted at the Shared Drive level, and not on a subfolder of a Shared Drive. Adding the service account to the Shared Drive will grant the following permissions implicitly:

  • https://www.googleapis.com/auth/drive.readonly: required to read all Google Drive folders within the Shared Drive and download files that need to be synced with uman.ai.
  • https://www.googleapis.com/auth/drive.activity.readonly: required to read activities related to those files.

In addition to adding the service account to the desired Shared Drives, you need to grant the service account the following domain-wide scopes:

  • https://www.googleapis.com/auth/admin.directory.user.readonly: required to read all users, relevant for the metadata of files and permissions.
  • https://www.googleapis.com/auth/admin.directory.group.member.readonly: required to read all groups and their users in order to mirror the Google Drive permissions.

For instructions on how to grant this domain-wide delegation, check the Google docs.

Setup process

Please follow the steps below:

  1. Retrieve the service account email address and identifier from the uman.ai team
  2. Grant the service account viewer access to the desired Shared Drives
  3. Grant the service account the aforementioned domain-wide scopes
  4. Let the uman.ai team know that the steps above have been completed successfully and provide an email address of an administrator (at least ‘User Management Admin’ and ‘Groups Reader’ roles) that uman.ai can use to impersonate the admin scope calls
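
Before confirming step 4, it is worth checking that the grant is no broader than this page asks for. The following Python check is an added example, not uman.ai's or Google's code: it compares the domain-wide scopes and the Shared Drive roles against the requirements above. It assumes you have exported the delegated scope list and each drive's permission entries (with the `emailAddress` and `role` fields of the Drive API v3 permission resource) yourself; the function name, service account address and drive names are constructed.

```python
# Required domain-wide scopes, as listed on this page.
REQUIRED_DWD_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
}
# Drive API v3 roles on a Shared Drive, ordered from least to most privileged.
ROLE_RANK = ["reader", "commenter", "writer", "fileOrganizer", "organizer"]


def audit_grant(sa_email, delegated_scopes, drive_permissions):
    """Return a sorted list of findings; an empty list means the grant matches the page."""
    findings = []
    granted = set(delegated_scopes)
    for scope in REQUIRED_DWD_SCOPES - granted:
        findings.append(f"missing domain-wide scope: {scope}")
    for scope in granted - REQUIRED_DWD_SCOPES:
        findings.append(f"excess domain-wide scope: {scope}")

    for drive_name, permissions in drive_permissions.items():
        mine = [p for p in permissions
                if p.get("emailAddress", "").lower() == sa_email.lower()]
        if not mine:
            findings.append(f"{drive_name}: service account is not a member")
            continue
        for perm in mine:
            role = perm.get("role", "")
            if role not in ROLE_RANK:
                findings.append(f"{drive_name}: unknown role {role!r}")
            elif ROLE_RANK.index(role) > ROLE_RANK.index("reader"):
                findings.append(f"{drive_name}: role {role!r} exceeds viewer")
    return sorted(findings)


# Constructed sample input (not real tenant data).
SA = "sync-sa@example-project.iam.gserviceaccount.com"
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group",  # broader than needed
]
DRIVES = {
    "Sales": [{"type": "user", "emailAddress": SA, "role": "reader"}],
    "Legal": [{"type": "user", "emailAddress": SA, "role": "organizer"}],
    "HR": [{"type": "group", "emailAddress": "hr@example.com", "role": "writer"}],
}

if __name__ == "__main__":
    for line in audit_grant(SA, SCOPES, DRIVES):
        print(line)
```

An empty result means every listed Shared Drive has the service account as a viewer and only the two domain-wide scopes from this page are delegated.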