G Suite enablement questions


ross.va...@cleardata.com

May 9, 2018, 2:12:07 PM
to Forseti Security Beta Testers
Hello,

I read about the G Suite enablement requirement for Forseti 2.0.  Worried about a few consequences of this:

1) Does it actually require G Suite, or can I use this with Cloud Identity?

2) Previously, the IAM module was optional - if we don't provide G Suite access, will the other inventory & scanner functionality work?

3) Does it really need Super Admin?  For many of our customers, this level of access may be unacceptable.

Thanks,
Ross

Lukas Karlsson

May 9, 2018, 2:35:40 PM
to ross.va...@cleardata.com, Forseti Security Beta Testers
If you want to scan all your Google Groups and such, then the G Suite Enablement will allow that.  If you don't have G Suite and don't have any Google Groups, then you probably don't need it, I would think.

/l

--
You received this message because you are subscribed to the Google Groups "Forseti Security Beta Testers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to beta-testers...@forsetisecurity.org.
To post to this group, send email to beta-t...@forsetisecurity.org.
To view this discussion on the web visit https://groups.google.com/a/forsetisecurity.org/d/msgid/beta-testers/d323bffd-0de0-427e-a234-f3f7da90a4a9%40forsetisecurity.org.


--
Lukas Karlsson, Cloud Architect / Developer Advocate

Broad Institute of MIT and Harvard
75 Ames Street, 11129, Cambridge, Massachusetts 02142
karl...@broadinstitute.org, +1.6177147142

Antoine Castex

May 9, 2018, 3:01:39 PM
to ross.va...@cleardata.com, Forseti Security Beta Testers
Not G Suite superadmin.

Service account with DwD is OK.


joe.ce...@cleardata.com

May 9, 2018, 3:11:43 PM
to Forseti Security Beta Testers, ross.va...@cleardata.com
The documentation for setting up group collection mentions a config option named 'domain_super_admin_email':

domain_super_admin_email: Use of the Admin API requires delegation (impersonation). Enter an email address of a Super Admin in the GSuite account.

From the documentation, I'm not clear on what that affects though.

Lukas Karlsson

May 9, 2018, 3:19:20 PM
to joe.ce...@cleardata.com, Forseti Security Beta Testers, ross.va...@cleardata.com
If you want to setup the G Suite enablement, the process involves granting access to a service account in the G Suite domain.

The way this works is the service account requests access to a particular scope in G Suite and then it has the ability to become a user in the domain so it can make requests on behalf of that user.

If your goal is to scan all your Google Groups, then there needs to be a user in the G Suite domain that has access to all the Google Groups and the service account becomes that user.  The easiest way to do that would be to use a user that has superadmin access.

An alternative may be to use a G Suite account that has Groups Admin privileges.  In fact, another may be to give a regular user who has no superadmin privs Owner access to all of the Google Groups in your domain one at a time.  In which case, I believe the service account would be able to successfully become that user and scan all the groups without actually needing any admin permissions.

I haven't tried this yet but I suspect it would work.

/l

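What Lukas describes above, a service account that "becomes" a G Suite user through domain-wide delegation, is the OAuth2 JWT bearer flow: the service account signs an assertion whose `sub` claim names the user it will act as (the `domain_super_admin_email` from the Forseti config), and the `scope` claim is what actually bounds the resulting access token, regardless of how privileged that user is. The following Python is an added example, not Forseti's code or Google's client library. It uses only the standard library, so the signer is an HMAC stand-in labelled as such (Google accepts only RS256 signatures made with the service account's private key), the e-mail addresses are made up, and the read-only Directory scopes are the two a groups inventory would request; the scope check refuses anything write-capable.

```python
"""Domain-wide delegation (DwD) assertion and token request, stdlib only.

Added example: shows which identity a DwD assertion binds (the `sub` claim)
and that the `scope` claim, not the impersonated user's role, limits the token.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Google's OAuth2 token endpoint, which is the audience of the assertion.
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
# Grant type for exchanging a signed JWT for an access token (RFC 7523).
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Admin SDK Directory API scopes sufficient to list groups and their members.
READONLY_GROUP_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
)

Signer = Tuple[str, Callable[[bytes], bytes]]  # (JWT "alg" name, sign function)


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def rejected_scopes(scopes: Iterable[str]) -> List[str]:
    """Return every requested scope that is not a read-only Directory scope."""
    return [s for s in scopes if not s.endswith(".readonly")]


def check_readonly_scopes(scopes: Iterable[str]) -> Tuple[str, ...]:
    """Least-privilege gate: the delegated user may be a super admin, but the
    token can only do what the scopes granted to the client ID in the Admin
    console allow, so a groups inventory must never ask for a write scope."""
    scopes = tuple(scopes)
    bad = rejected_scopes(scopes)
    if bad:
        raise ValueError(f"write-capable scopes requested: {bad}")
    return scopes


def build_dwd_claims(sa_email: str, subject: str, scopes: Iterable[str],
                     now: Optional[int] = None, lifetime: int = 3600) -> Dict[str, object]:
    """Claim set for a DwD assertion: iss = the service account, sub = the
    G Suite user it impersonates, scope = space-separated authorized scopes."""
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": sa_email,
        "sub": subject,
        "scope": " ".join(check_readonly_scopes(scopes)),
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + min(int(lifetime), 3600),  # Google caps assertion lifetime at 1h
    }


def hmac_signer(key: bytes) -> Signer:
    """Offline stand-in. Real DwD requires RS256 with the service account's
    private key from its JSON key file; never ship HS256 to Google."""
    return "HS256", lambda data: hmac.new(key, data, hashlib.sha256).digest()


def encode_assertion(claims: Dict[str, object], signer: Signer) -> str:
    """Serialize header.payload, sign it, and return the compact JWT."""
    alg, sign = signer
    dumps = lambda obj: json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    segments = [_b64url(dumps({"alg": alg, "typ": "JWT"})), _b64url(dumps(claims))]
    segments.append(_b64url(sign(".".join(segments).encode("ascii"))))
    return ".".join(segments)


def decode_claims(assertion: str) -> Tuple[Dict[str, object], Dict[str, object]]:
    """Parse header and claims back out for inspection (no signature check)."""
    header_b64, claims_b64, _sig = assertion.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def token_request_body(assertion: str) -> Dict[str, str]:
    """Form fields POSTed to TOKEN_ENDPOINT; the reply carries the Bearer token
    a Directory API client would then use to call groups.list."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


if __name__ == "__main__":
    # Constructed sample identities, not real accounts.
    claims = build_dwd_claims("forseti-server@my-project.iam.gserviceaccount.com",
                              "gsuite-admin@example.com", READONLY_GROUP_SCOPES,
                              now=1525900000)
    jwt = encode_assertion(claims, hmac_signer(b"demo-key"))
    print(json.dumps(decode_claims(jwt)[1], indent=2))
    print(token_request_body(jwt)["grant_type"])
```

The point to take from the claim set is that `sub` is the only place the impersonated admin appears; the Admin console grant is keyed on the service account's client ID plus the exact scope list, so swapping the read-only scopes for their write-capable siblings would fail at the token endpoint unless someone had also widened the grant. Auditing the grant and the requested scopes together is therefore the check that matters, not the role of the e-mail address in `domain_super_admin_email`.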
Ross Vandegrift

May 9, 2018, 3:33:00 PM
to Joe Ceresini, karl...@broadinstitute.org, beta-t...@forsetisecurity.org
On Wed, 2018-05-09 at 19:19 +0000, Lukas Karlsson wrote:
> If you want to setup the G Suite enablement

This is what I'm confused about. I don't (currently) want any G Suite stuff,
but the latest installation docs say that it's mandatory:

https://docs.google.com/document/d/1RDw8QLhJVd-EAwIAviaboXwLoHPehteRGLCOXzEHBoc/preview

Ross

Joe Cheuk

May 9, 2018, 7:18:19 PM
to ross.va...@cleardata.com, joe.ce...@cleardata.com, Lukas Karlsson, Forseti Security Beta Testers
Hi Ross,

We don't currently support Cloud Identity since it's a newer feature in G Suite and we do require GSuite enablement in Forseti v2.0. 

The GSuite super admin email address is used to provision the following readonly roles to the service account; we are not using the GSuite super admin privilege directly in Forseti:

I strongly encourage you to open an issue in the Forseti github repository regarding your use case (https://github.com/GoogleCloudPlatform/forseti-security/issues) and we will take that into account when we plan our upcoming work. 

Hope that helps, please let us know if you have more questions!

Thanks,
Joe 
