Google Workspace data source

This topic provides details on how to capture Google Chats, Drive, Groups, and emails with Collect. Relativity collects Google Drive data using the Vault API.

Note: This documentation contains references to third-party software, or technologies. While efforts are made to keep third-party references updated, the images, documentation, or guidance in this topic may not accurately represent the current behavior or user interfaces of the third-party software. For more considerations regarding third-party software, such as copyright and ownership, see Terms of Use.

Considerations

Consider the following items about this data source:

  • Collection of Calendar is currently unsupported.
  • Google does not have a date range limitation. We recommend limiting the date range of the collection. Extended date ranges can increase collection time and potentially create issues.
  • Google Workspace for Google Chat data is collected into grouped collections, resulting in a different data count compared to standard collections. These grouped collections comprise a set of RSMFs (Relativity Short Message Format) containing all the chats for the assigned custodians.
    • Due to this grouping, it is expected that custodian targets will have identical counts. Essentially, when collecting data from multiple custodian targets, the item counts and sizes for each will match.
    • This uniformity arises because the item count reflects the number of RSMF files generated for the job, while the size reflects the total size of the created RSMF file set.

Task checklist

The table lists the order to perform the necessary tasks for setting up the data source for Collect.

Order Application used Task
1 Google Cloud Google Workspace account setup
2 Google Admin Google Workspace user account setup
3 Collect Creating the data source in Collect
4 Collect Configuring the data source in Collect

Google Workspace account setup

Connecting your Google Workspace to Collect takes some setup in Google and Relativity. Begin with the credential setup in Google.

Creating a Google Cloud project

Create a Google Cloud project to create, enable, and use all Google Cloud services. You will use this account to manage APIs.

To create a Google Cloud project:

  1. Open the Cloud Resource Manager page
  2. Click Create Project.
  3. Enter information into the fields:
    • Project name—enter a memorable name for your project.
    • Organization—enter the name of your organization.
    • Location—enter the parent organization or folder.
  4. Click Create.

Enabling required APIs for the Project

Continuing in this process, you now need to enable the required Google Cloud Console APIs and associate them to a new project.

To start enabling APIs in the Google Cloud Console:

  1. In the Google Cloud Console, select the newly created project.
  2. Enter Google Vault API in the search bar and search.
  3. Click the Google Vault API option.
  4. Click Enable.
    You will then see the Google Vault API/Service Details page.
  5. Enter Admin SDK API in the search bar and search.
  6. Click the Admin SDK API option.
  7. Click Enable.
    You will then see the Admin SDK API/Service Details page.
  8. Enter Cloud Storage API in the search bar and search.
  9. Click the Cloud Storage API option.
    Note: Be sure to choose Cloud Storage API. Cloud Storage API is different than Cloud Storage.
  10. Click Enable if the API is not already enabled by default.

Setting up OAuth2 consent screen

Follow the steps to create a OAuth2 consent screen in Google Cloud Console.

  1. In the Google Cloud Console and select newly created project.
  2. Select APIs & Services>OAuth consent screen.
  3. Click Get started.
  4. Enter the App information.
    • App name—enter a name for the Collect app you're using. For example, Relativity Collect.
    • User support email—select the email address for users to contact you with questions about their consent.
  5. Click Next.
  6. Select Internal audience type and click Next.
  7. Enter an email address in the Contact Information field.
    Google uses this email address to notify you about any changes to your project.
  8. Click Next.
  9. Complete the Finish step by selecting the check box and click Continue.
  10. Click Create.

Your Oauth configuration has been created.

Adding scopes

Next, you must add scopes.

  1. In the Google Cloud Console, navigate to Data Access.
  2. Click Add or remove scopes.
  3. Enter filter and select required scopes one at a time, or enter them in a text box.
    The scopes are:
    • https://www.googleapis.com/auth/ediscovery
      Google Vault API | .../auth/ediscovery | Manage your eDiscovery data
    • https://www.googleapis.com/auth/devstorage.read_only
      BigQuery API | .../auth/devstorage.read_only | View your data in Google Cloud Storage
    • https://www.googleapis.com/auth/admin.directory.user.readonly
      Admin SDK API | .../auth/admin.directory.user.readonly | See info about users on your domain
    • https://www.googleapis.com/auth/admin.directory.group.readonly
      Admin SDK API | .../auth/admin.directory.group.readonly | View groups on your domain
      Updated selected scopes dialog
  4. Click Update.
  5. Click Save.

Your data access changes are then saved.

Creating credentials

Next, create credentials.

  1. In the Google Cloud Console, navigate to APIs & Services > Credentials.
  2. Click Create Credentials.
  3. Click OAuth Client ID credentials.
  4. Enter the following information in the fields:
    • Application type—select Web application.
    • Name—enter a name for the credentials.
    • Authorized redirect URIs—enter the URI (Uniform Resource Identifier) based on the RelativityOne Data Center Geo you intend to run collections from.
    Note: When copying and pasting the URI, please ensure there are no whitespaces or typos in the address, as they will cause a connection failure with Google.
  5. Click Create.

After clicking Create, you will have your Client ID and Client Secret. Copy both of them, because you will need them later when creating the Google data source in Collect.

OAuth client created dialog

Setting reauthentication policy

As an optional step, you will want to configure Google's reauthentication policy as follows:

  1. Open the Google Cloud Console.
  2. Select the newly created project.
  3. Click on the Navigation menu.
  4. Select Security > Access and data control > Google Cloud session control.
  5. On the Google Cloud session control, select a reauthentication policy.
    • Never require reauthentication
    • Require reauthentication. If you select Require authentication, you must also select Exempt Trust apps.
  6. Click Save.

For more information on setting reauthentication policy and the options, see Google's documentation.

Google Workspace user account setup

Collections require user account on which behalf Relativity exports data. This can be a dedicated or an existing user account.

Creating admin role for Vault API

To create the admin role for the Vault API:

  1. Open the Google Admin page.
  2. Click Account>Admin roles to open the up the page.
  3. Click Create New Role.
  4. Enter the role name. We recommend Relativity Collect.
  5. Click Continue to select privileges.
  6. Select the following privileges:
    • Services - Google Vault > Manage Matters
    • Services - Google Vault > Manage Searches
    • Services - Google Vault > Manage Exports
  7. Click Continue.
  8. Click Create Role.

Creating admin role for the user accounts listing

To create the admin role for the users accounts listing:

  1. Open the Google Admin page.
  2. Click Account>Admin roles to open the up the page.
  3. Click Create New Role.
  4. Enter the role name.
    We recommend Users Reader for Collect.
  5. Click Continue.
  6. Select the Admin API privileges - Users > Read privilege.
  7. Click Continue.
  8. Click Create Role.

Creating admin role for the groups listing

To create the admin role for groups listing:

  1. Open the Google Admin page.
  2. Click Account>Admin roles to open the up the page.
  3. Click Create New Role.
  4. Enter the role name.
    We recommend Groups Reader for Collect.
  5. Click Continue.
  6. Select the Admin API privileges - Groups > Read privilege.
  7. Click Continue.
  8. Click Create Role.

Enabling required privileges

To enable required privileges:

  1. Open the Google Admin page.
  2. Navigate to Directory > Users to open the list of users.
  3. Select or create the user you want to use.
  4. Click the Admin roles and privileges pane.
  5. In the Roles section, click the edit pencil icon, or anywhere in the Roles tables.
  6. Assign the following roles to the user in All organizational units scope.
    • Relativity Collect
    • Users Reader for Collect
    • Groups Reader for Collect

Restricting collections to the selected user accounts

You can restrict collections to the selected group of users by leveraging admin role scoping to organizational units.

To limit collections, you will need to create an organizational unit and add the users to the unit. Once created, Collect will only collect data from the users within the organizational unit.

This configuration step is for Google Workspace data sources only and is optional.

Creating an organizational unit and adding users

An organization unit restricts RelativityOne’s collections only to the selected custodians. Create an organization unit and add selected custodians to the unit so only their information is collected.

To create an organizational unit, open Google Admin Console and follow the steps below:

  1. Open the Google Admin page.
  2. Navigate to Directory > Organizational Units.
  3. On the Manage organizational units page, click Create organization unit.
  4. In the Create new organizational unit pop-up menu, enter the Name of organizational unit.
  5. (Optional) Enter description of the organizational unit.
  6. Select the Parent Organization Unit (POU).
    If this field is not populated, add a POU. To create a POU, follow the steps in Google’s documentation.
  7. Click Create.

Once the organizational unit is created, the next step is to add targeted users you want to collect from to the unit.

To add users to the organizational unit, follow the steps below:

  1. Click the navigation menu.
  2. Navigate to Directory > Users.
  3. Select the users who should have collections restricted
  4. Click the More options drop-down menu.
  5. Click Change organizational unit.
  6. In the Change organizational unit pop-up menu, select appropriate organizational unit.
  7. Click Continue.
  8. Click Confirm.

You can upload a .csv file to bulk update users. For more information, see Google’s documentation.

Scope user privileges to the organizational unit

To update the scope of the user's role:

  1. Open the Google Admin page.
  2. Navigate to Directory > Users.
  3. Select or create a user account.
  4. Select and expand the Admin roles and privileges pane.
  5. Click the pencil icon.
  6. Select a Role name to update.
  7. Edit the scope of the role to the appropriate organization unit.
  8. Click Save.

Groups Reader privilege can only be scoped to All organizational units. This privilege is only required to enable collections from Google Workspace Groups and it can be omitted. Doing so will disable Groups collections on behalf of this user account.

Creating the data source in Collect

After completing the steps covered above for Google Workspace account setup and user account setup, you can then configure your first Google data source in the RelativityOne Collect application.

Caution: After generating the Refresh Token in Step 10 below for the first Google data source, be sure to save the token value in a secure location, as it will be needed to set up additional Google data sources. Google only allows one refresh token to be generated. If you attempt to generate another refresh token, it will invalidate the original token, and you will not receive a new one, which will break the data source connection to Google. When setting up additional Google data sources in the Collection application, paste the refresh token value that you saved in a secure location into the refresh token field and click Save.

To add the Google Workspace data source, follow the steps below in RelativityOne:

  1. Navigate to Collection Admin within Collect Admin of Set Up.
  2. Click the New Collection Source Instance button.
  3. In the Data Source Information pane, do the following:
    • Name—enter in a unique name for the data source.
    • Type—select a Google Workspace data source. Chat, Drive, Gmail, or Groups.
  4. In the Settings pane, enter the Client Id and Client Secret copied from Google’s OAuth2 credentials page. For more information, see Creating credentials.
  5. Click Generate Code.
  6. Select or sign into Google’s account on which behalf collections will be performed.
    Choose an account dialog
  7. Click Copy Temporary Code to copy to your clipboard.
  8. Once copied, you can close that window and return back to RelativityOne.
  9. In Collect, paste the code in the Temporary Code field.
  10. Click Generate Refresh Token.
    The access token will be generated and populated in the Refresh Token field. Refer to the Caution above regarding Refresh Tokens.
  11. Click Save.

Configuring the data source in Collect

Add criteria to collect specific data. To configure the data sources, complete the following fields:

  • Select and unselected tabs—choose the data sources to collect from by moving unselected data sources to the selected list.
  • Field—choose the field to filter on within the data source.
    Notes: This field is only required when a calendar source is selected.
  • Operator—choose an operator such as equals, contains, greater than, or less than.
  • Value—enter a value to find in the selected field.

After selecting field options, you must click Add Criteria.

Details to know about criteria:

  • Each criteria is then separated by an AND operator.
  • Leave the data source criteria empty to collect all data from the sources.

Filter a data source's data that you want to collect by adding criteria. This section covers the different criteria for each data source. It also includes what can be searched within each data source. The criteria options change based on the selected data source.

Google Groups

Setting criteria for Google Groups is not required. For more information on Advanced examples, see Google Workspace documentation.

The following table lists the filter criteria support for Google Workspace Groups collections. Setting criteria for Google Workspace Groups is not required. For more information on Advanced examples, see Google Workspace documentation.

Gmail

Setting criteria for Google Drive is not required. For more information on Advanced examples, see Google Workspace documentation.

The following table lists the filter criteria support for Google Workspace Gmail collections. Setting criteria for Google Workspace Gmail is not required. For more information on Advanced examples, see Google Workspace documentation.

Google Drive

Setting criteria for Google Drive is not required. For more information on Advanced examples, see Google Workspace documentation.

Note: Google Vault API usage limits do not permit more than 20 exports to be in progress simultaneously across your entire organization. If you have very large matters and need the maximum to be increased, contact Google for assistance. For more information, refer to Google Vault documentation on usage limits and usage quota increases.

The following table lists the filter criteria support for Google Workspace Drive collections. Setting criteria for Google Workspace Drive is not required. For more information on Advanced examples, see Google Workspace documentation.

Google Chat

Setting criteria for Google Workspace Chat is not required. For more information on Advanced examples, see Google Workspace documentation.

The following table lists the filter criteria support for Google Workspace Chat collections. Google Workspace Chat data is collected in RSMF. For more information, see The Relativity Short Message Format .

Troubleshooting

This table includes troubleshooting for Google's data sources.

Error Cause Resolution
The token is invalid. You must remove access and generate a new refresh token. Your token is invalid. This could be due to changing the account owner. While signed in with your account, navigate to https://myaccount.google.com/u/0/permissions. In the page, click Remove Access. Then generate a new refresh token. For more information on generating a refresh token, see Google Workspace data source