Why does Forseti need GSuite scopes?


Austin Whipple

Mar 31, 2020, 4:11:46 PM
to Forseti Security Discussion
I'm at the following spot in the installation:

Later it says:

Forseti is a GCP scanner. Why does it need access to end user GSuite group, user, and app read privileges? This seems unnecessary and is a roadblock to finishing this installation.

Hannah Shin

Apr 1, 2020, 5:44:23 PM
to Forseti Security Discussion
Hi Austin, 

Enabling GSuite is an optional feature for users who are looking to collect GSuite data that can be used in scanners like Groups and Groups Settings. Not enabling GSuite will not be a blocker to your installation.

Hope this helps!

Henry Chang

Apr 1, 2020, 8:12:22 PM
to Hannah Shin, Forseti Security Discussion
Additionally, security in G Suite will affect the security in GCP.  For example, there are entry points to GCP via G Suite, such as adding G Suite Groups as members of IAM policies.  If you only look at GCP, there would be no visibility as to who are the members of the G Suite Group in the IAM policy, or how the G Suite Group is controlled.

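
The visibility gap described in the reply above, as an added example that is not part of the original thread and is not Forseti's own code: it expands the members of an IAM policy with and without group membership data. The policy, the directory mapping and the function names are constructed for illustration; the directory dict stands in for what a G Suite directory read would return.

```python
# Constructed sample: an IAM policy in the standard "bindings" layout.
POLICY = {"bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:gcp-admins@example.com"]},
    {"role": "roles/viewer", "members": ["group:everyone@example.com"]},
]}

# Constructed stand-in for directory data: group -> direct members.
# Includes a nested group and a membership cycle on purpose.
DIRECTORY = {
    "gcp-admins@example.com": ["user:bob@example.com",
                               "group:contractors@example.com"],
    "contractors@example.com": ["user:carol@external.example",
                                "group:gcp-admins@example.com"],
}

def expand_member(member, directory, seen):
    """Return (principals, unresolved_groups) for one IAM member string."""
    kind, _, name = member.partition(":")
    if kind != "group":
        return {member}, set()
    if name in seen:                      # cycle: group already being expanded
        return set(), set()
    if directory is None or name not in directory:
        return set(), {name}              # membership invisible from GCP alone
    principals, unresolved = set(), set()
    for child in directory[name]:
        p, u = expand_member(child, directory, seen | {name})
        principals |= p
        unresolved |= u
    return principals, unresolved

def effective_access(policy, directory=None):
    """Map each role to its resolved principals and unresolved groups."""
    result = {}
    for binding in policy.get("bindings", []):
        principals, unresolved = set(), set()
        for member in binding.get("members", []):
            p, u = expand_member(member, directory, frozenset())
            principals |= p
            unresolved |= u
        result[binding["role"]] = {"principals": sorted(principals),
                                   "unresolved_groups": sorted(unresolved)}
    return result

if __name__ == "__main__":
    print("GCP only:      ", effective_access(POLICY))
    print("With directory:", effective_access(POLICY, DIRECTORY))
```

Any group left in `unresolved_groups` is access that cannot be reviewed from the policy alone.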

Jean MERCIER

Jul 9, 2020, 5:34:17 AM
to Forseti Security Discussion, Henry Chang, Forseti Security Discussion, Hannah Shin
Hello,

But why is this field mandatory for Terraform input? gsuite_admin_email

thanks
