Google

Before you collect from a Google data source,Workspace or Gemini, you must complete the following tasks:

Instance

Process Procedure
Microsoft Google Workspace account setup
  1. Create a Google Cloud project
  2. Enable required APIs for the project
  3. Set up OAuth2 consent screen
  4. Add scopes
  5. Create credentials
  6. Set reauthentication policy
Google Workspace user account setup
  1. Create admin role for Vault API
  2. Create admin role for the user accounts listing
  3. Create admin role for the groups listing
  4. Enable required privileges
Restricting collections to the selected user accounts
  1. Create an organizational unit
  2. Add users to the organization unit
  3. Scope user privileges to the organizational unit
RelativityOne Google Workspace data source
  1. Create the data source
  2. Configure the data source in Collect
Google Gemini data source
  1. Create the data source
  2. Configure the data source in Collect

The procedure is the same for any Google Workspace data source and Google Gemini.

Google Workspace account setup

Connecting your Google Workspace to Collect takes some setup in Google and Relativity. Begin with the credential setup in Google.

Create a Google Cloud project

Create a Google Cloud project to create, enable, and use all Google Cloud services. You will use this account to manage APIs.

To create a Google Cloud project:

  1. Open the Cloud Resource Manager page
  2. Click Create Project.
  3. Enter information into the fields:
    • Project name—enter a memorable name for your project.
    • Organization—enter the name of your organization.
    • Location—enter the parent organization or folder.
  4. Click Create.

Enable required APIs for the project

Continuing in this process, you now need to enable the required Google Cloud Console APIs and associate them to a new project.

To start enabling APIs in the Google Cloud Console:

  1. In the Google Cloud Console, select the newly created project.
  2. Enter Google Vault API in the search bar and search.
  3. Click the Google Vault API option.
  4. Click Enable.
    You will then see the Google Vault API/Service Details page.
  5. Enter Admin SDK API in the search bar and search.
  6. Click the Admin SDK API option.
  7. Click Enable.
    You will then see the Admin SDK API/Service Details page.
  8. Enter Cloud Storage API in the search bar and search.
  9. Click the Cloud Storage API option.
    Be sure to choose Cloud Storage API. Cloud Storage API is different than Cloud Storage.
  10. Click Enable if the API is not already enabled by default.

Set up OAuth2 consent screen

Follow the steps to create a OAuth2 consent screen in Google Cloud Console.

  1. In the Google Cloud Console and select newly created project.
  2. Select APIs & Services>OAuth consent screen.
  3. Click Get started.
  4. Enter the App information.
    • App name—enter a name for the Collect app you're using. For example, Relativity Collect.
    • User support email—select the email address for users to contact you with questions about their consent.
  5. Click Next.
  6. Select Internal audience type and click Next.
  7. Enter an email address in the Contact Information field.
    Google uses this email address to notify you about any changes to your project.
  8. Click Next.
  9. Complete the Finish step by selecting the check box and click Continue.
  10. Click Create.

Your Oauth configuration has been created.

Add scopes

Next, you must add scopes.

  1. In the Google Cloud Console, navigate to Data Access.
  2. Click Add or remove scopes.
  3. Enter filter and select required scopes one at a time, or enter them in a text box.
    The scopes are:
    • https://www.googleapis.com/auth/ediscovery
      Google Vault API | .../auth/ediscovery | Manage your eDiscovery data
    • https://www.googleapis.com/auth/devstorage.read_only
      BigQuery API | .../auth/devstorage.read_only | View your data in Google Cloud Storage
    • https://www.googleapis.com/auth/admin.directory.user.readonly
      Admin SDK API | .../auth/admin.directory.user.readonly | See info about users on your domain
    • https://www.googleapis.com/auth/admin.directory.group.readonly
      Admin SDK API | .../auth/admin.directory.group.readonly | View groups on your domain
      Updated selected scopes dialog
  4. Click Update.
  5. Click Save.

Your data access changes are then saved.

Create credentials

Next, create credentials.

  1. In the Google Cloud Console, navigate to APIs & Services > Credentials.
  2. Click Create Credentials.
  3. Click OAuth Client ID credentials.
  4. Enter the following information in the fields:
    • Application type—select Web application.
    • Name—enter a name for the credentials.
    • Authorized redirect URIs—enter the URI (Uniform Resource Identifier) based on the RelativityOne Data Center Geo you intend to run collections from.
    When copying and pasting the URI, please ensure there are no whitespaces or typos in the address, as they will cause a connection failure with Google.
  5. Click Create.

After clicking Create, you will have your Client ID and Client Secret. Copy both of them, because you will need them later when creating the Google data source in Collect.

OAuth client created dialog

Set reauthentication policy

As an optional step, you will want to configure Google's reauthentication policy as follows:

  1. Open the Google Cloud Console.
  2. Select the newly created project.
  3. Click on the Navigation menu.
  4. Select Security > Access and data control > Google Cloud session control.
  5. On the Google Cloud session control, select a reauthentication policy.
    • Never require reauthentication
    • Require reauthentication. If you select Require authentication, you must also select Exempt Trust apps.
  6. Click Save.

For more information on setting reauthentication policy and the options, see Google's documentation.

Google Workspace user account setup

Collections require user account on which behalf Relativity exports data. This can be a dedicated or an existing user account.

Create admin role for Vault API

To create the admin role for the Vault API:

  1. Open the Google Admin page.
  2. Click Account>Admin roles to open the up the page.
  3. Click Create New Role.
  4. Enter the role name. We recommend Relativity Collect.
  5. Click Continue to select privileges.
  6. Select the following privileges:
    • Services - Google Vault > Manage Matters
    • Services - Google Vault > Manage Searches
    • Services - Google Vault > Manage Exports
  7. Click Continue.
  8. Click Create Role.

Create admin role for the user accounts listing

To create the admin role for the users accounts listing:

  1. Open the Google Admin page.
  2. Click Account>Admin roles to open the up the page.
  3. Click Create New Role.
  4. Enter the role name.
    We recommend Users Reader for Collect.
  5. Click Continue.
  6. Select the Admin API privileges - Users > Read privilege.
  7. Click Continue.
  8. Click Create Role.

Create admin role for the groups listing

To create the admin role for groups listing:

  1. Open the Google Admin page.
  2. Click Account>Admin roles to open the up the page.
  3. Click Create New Role.
  4. Enter the role name.
    We recommend Groups Reader for Collect.
  5. Click Continue.
  6. Select the Admin API privileges - Groups > Read privilege.
  7. Click Continue.
  8. Click Create Role.

Enable required privileges

To enable required privileges:

  1. Open the Google Admin page.
  2. Navigate to Directory > Users to open the list of users.
  3. Select or create the user you want to use.
  4. Click the Admin roles and privileges pane.
  5. In the Roles section, click the edit pencil icon, or anywhere in the Roles tables.
  6. Assign the following roles to the user in All organizational units scope.
    • Relativity Collect
    • Users Reader for Collect
    • Groups Reader for Collect

Restricting collections to the selected user accounts

You can restrict collections to the selected group of users by leveraging admin role scoping to organizational units.

To limit collections, you will need to create an organizational unit and add the users to the unit. Once created, Collect will only collect data from the users within the organizational unit.

This configuration step is for Google Workspace data sources only and is optional.

Create an organizational unit

An organization unit restricts RelativityOne’s collections only to the selected custodians. Create an organization unit and add selected custodians to the unit so only their information is collected.

To create an organizational unit, open Google Admin Console and follow the steps below:

  1. Open the Google Admin page.
  2. Navigate to Directory > Organizational Units.
  3. On the Manage organizational units page, click Create organization unit.
  4. In the Create new organizational unit pop-up menu, enter the Name of organizational unit.
  5. (Optional) Enter description of the organizational unit.
  6. Select the Parent Organization Unit (POU).
    If this field is not populated, add a POU. To create a POU, follow the steps in Google’s documentation.
  7. Click Create.

Once the organizational unit is created, the next step is to add targeted users you want to collect from to the unit.

Add users to the organization unit

To add users to the organizational unit, follow the steps below:

  1. Click the navigation menu.
  2. Navigate to Directory > Users.
  3. Select the users who should have collections restricted
  4. Click the More options drop-down menu.
  5. Click Change organizational unit.
  6. In the Change organizational unit pop-up menu, select appropriate organizational unit.
  7. Click Continue.
  8. Click Confirm.

You can upload a .csv file to bulk update users. For more information, see Google’s documentation.

Scope user privileges to the organizational unit

To update the scope of the user's role:

  1. Open the Google Admin page.
  2. Navigate to Directory > Users.
  3. Select or create a user account.
  4. Select and expand the Admin roles and privileges pane.
  5. Click the pencil icon.
  6. Select a Role name to update.
  7. Edit the scope of the role to the appropriate organization unit.
  8. Click Save.

Groups Reader privilege can only be scoped to All organizational units. This privilege is only required to enable collections from Google Workspace Groups and it can be omitted. Doing so will disable Groups collections on behalf of this user account.

Google data sources

Once you complete setting up a Google admin and user account, you can configure Google data sources in RelativityOne.

Once in RelativityOne, you can connect the following Google data sources: