Google Workspace setup

Set up your Google Workspace data source with Collect by creating credentials, setting up a user account, restricting collections, and adding the data source to Collect.

This page contains the following information:

Google Workspace credentials setup

Connecting your Google Workspace to Collect takes some setup in Google and Relativity. Begin with the credential setup in Google.

Creating a Google Cloud project

Create a Google Cloud project to create, enable, and use all Google Cloud services. You will use this account to manage APIs.

To create a Google Cloud project,

  1. Open the Cloud Resource Manager page, click Create Project.

  2. Enter information into the fields:

    • Project name—enter a memorable name for your project.

    • Organization—enter the name of your organization.

    • Location—enter the parent organization or folder.

  3. Click Create.

Enable required APIs for the Project

Continuing in this process, you now need to enable the required Google Cloud Console APIs and associate them to a new project.

To start enabling APIs,

  1. In the Google Cloud Console, select the newly created project.

  2. In the left-navigation menu, select API & Services > Library.


    This will open up the Library page that includes all available APIs.

  3. Enter Google Vault API in the search bar and search.

  4. Click the Google Vault API option.

  5. Click Enable.

  6. In the top left corner, click the Back arrow icon.
    This will take you back to the search results page with the search bar.

  7. Enter Admin SDK API in the search bar and search.

  8. Click the Admin SDK API option.

  9. Click Enable.

  10. In the top left corner, click the Back arrow icon.
    This will take you back to the search results page with the search bar.

  11. Enter Cloud Storage API in the search bar and search.

  12. Click the Cloud Storage API option.

  13. Click Enable.

      Notes: This API may be enabled by default.

Setup OAuth2 consent screen

Follow the steps to create a OAuth2 consent screen.

  1. Open Google Cloud Console and select newly created project.

  2. Click on the Navigation menu.

  3. Select APIs & Services>OAuth consent screen.

  4. Select Internal type.

  5. Click Create.

  6. Enter descriptive App name. For example, Relativity Collect.

  7. Enter a User support email from within your organization.

  8. Enter relativity.one as Authorized Domain.

  9. Enter an email form within your organization in the Developer Contact Information field.

  10. Click Save and Continue.

On the next step, you will want to add scopes.

  1. Click Add or remove scopes.

  2. Enter filter and select required scopes one at a time, or enter them in a text box.
    The scopes are:

    • https://www.googleapis.com/auth/ediscovery

    • https://www.googleapis.com/auth/devstorage.read_only

    • https://www.googleapis.com/auth/admin.directory.user.readonly

    • https://www.googleapis.com/auth/admin.directory.group.readonly

  3. Click Update.

  4. Click Save and Continue.

Create credentials

  1. Click in the top left corner.

  2. Hover over APIs & Services > Credentials.

  3. Click Create Credentials.

  4. Click OAuth Client ID credentials.

  5. Enter the following information in the fields:

    • Application type—select Web application

    • Name—enter a name for the credentials

    • Authorized redirect URIs—enter the URI based on the RelativityOne Data Center Geo you intend to run collections from.

  6. Click Create.

After clicking Create, you will have your Client ID and Client Secret. Add them to the New Collection Source Instance.

Google Workspace user account setup

Collections require user account on which behalf Relativity exports data. This can be a dedicated or an existing user account.

Create admin role for Vault API

  1. Open the Google Admin page.

  2. Click Account>Admin roles to open the up the page.

  3. Click Create New Role.

  4. Enter the role name. Relativity suggests Relativity Collect.

  5. Click Continue to select privileges.

  6. Select the following privileges:

    • Services - Google Vault > Manage Matters

    • Services - Google Vault > Manage Searches

    • Services - Google Vault > Manage Exports

  7. Click Continue.

  8. Click Create Role.

Create admin role for the user accounts listing

  1. Open the Google Admin page.

  2. Click Account>Admin roles to open the up the page.

  3. Click Create New Role.

  4. Enter the role name. Relativity suggests Users Reader for Collect.

  5. Click Continue.

  6. Select the following privileges

    • Admin API privileges - Users > Read

  7. Click Continue.

  8. Click Create Role.

Create admin role for the groups listing

  1. Open the Google Admin page.

  2. Click Account>Admin roles to open the up the page.

  3. Click Create New Role.

  4. Enter the role name. Relativity suggests Groups Reader for Collect.

  5. Click Continue.

  6. Select the following privileges

    • Admin API privileges - Groups > Read

  7. Click Continue.

  8. Click Create Role.

Enable required privileges

  1. Open the Google Admin page.

  2. Navigate to Directory > Users to open the list of users.
  3. Select or create the user you want to use.
  4. Select and expand Admin roles and privileges pane.

  5. Assign the following roles to the user in All organizational units scope

    • Relativity Collect
    • Users Reader for Collect
    • Groups Reader for Collect

Restricting collections to the selected user accounts

You can restrict collections to the selected group of users by leveraging admin role scoping to organizational units. To limit collections, you will need to create an organizational unit and add the users to the unit. Once created, Collect will only collect data from the users within the organizational unit.

This configuration step is for Google Workspace data sources only and is optional.

Create an organizational unit

An organization unit restricts RelativityOne’s collections only to the selected custodians. Create an organization unit and add selected custodians to the unit so only their information is collected.

To create an organizational unit, open Google admin Console and follow the steps below:

  1. Open Google Admin page.

  2. Navigate to Directory > Organizational Units.

  3. On the Manage organizational units page, click the + icon.

  4. In the Create new organizational unit pop-up menu, enter the Name of organizational unit.

  5. (Optional) Enter description of the organizational unit.

  6. Select the Parent Organization Unit (POU). If this field isn’t populated, add a POU. To create a POU, follow the steps in Google’s documentation.

  7. Click Create.

Once the organizational unit is created, the next step is to add targeted users you want to collect from to the unit.

To add users to the organizational unit, follow the steps below:

  1. Click the navigation menu.
  2. Navigate to Directory > Users.
  3. Select the users who should have collections restricted
  4. Click Change organizational unit.
  5. In the Change organizational unit pop-up menu, select appropriate organizational unit.
  6. Click Continue.
  7. Click Confirm.

You can upload a CSV file to bulk update users. For more information, see Google’s documentation.

Scope user privileges to the organizational unit

  1. Open Google Admin page.

  2. Navigate to Directory > Users.

  3. Select or create a user account.

  4. Select and expand the Admin roles a privileges pane.

  5. Click the pencil icon.

  6. Edit the scope of the role to the appropriate organization unit.

  7. Click Save.

Groups Reader privilege can only be scoped to 'All organizational units'. This privilege is only required to enable collections from Google Workspace Groups and it can be omitted. Doing so will disable Groups collections on behalf of this user account.

Setting up a Google Workspace data source

There are specific steps to connect Google Workspace to Relativity when creating the data source. To set up the Google Workspace data source, you will need to enable API access with Google Workspace and then complete the data source settings in Relativity.

Creating a Google Workspace data source

After confirming that your Discover APIs are enabled, complete the set up process in Relativity.

    Notes: Copy the Refresh Token value you generate in Step 10 and store it in a secure location. It can be used to setup other Google Workspace data sources without the need to create new OAuth2 credentials.

    Google Workspace allows only a single refresh token to be generated for a set of OAuth2 credentials.

To add the Google Workspace data source, follow the steps below:

(Click to expand)

  1. Within the Collect application, navigate to the Collection Admin tab.

  2. Click the New Collection Source Instance button.
  3. Enter in a unique name for the data source.
  4. Select a Google Workspace data source.
  5. In the Settings pane, enter Client Id and Client Secret copied from Google’s OAuth2 credentials page. For more information, see Creating credentials.

  6. Click Generate Code.

  7. Select or sign into Google’s account on which behalf collections will be performed. For more information, see Google Workspace user account setup.

  8. Click Copy Temporary Code to copy to your clipboard.

    Once copied, you can close that window and return back to RelativityOne.

  9. In Collect, paste the code in the Temporary Code field.

  10. Click Generate Refresh Token.

    The access token will be generated and populated in the Refresh Token field below.

      Notes: Copy Refresh Token value and store it in a secure location. It can be used to setup other Google Workspace data sources without the need to create new OAuth2 credentials.
      Google Workspace allows only a single refresh token to be generated for a set of OAuth2 credentials.

  11. Click Save.