Google Workspace preservation source

This topic provides details on how to configure and capture Google Workspace Gmail, Drive, Chats, and Groups data with the Preservation in Place app.

See these related topics:

Considerations

Consider the following when using the Google Workspace data spirce:

  • This data source cannot preserve Google Groups.
  • Inactive user data cannot be preserved. For more information, see Google's documentation.

Requirements

Before setting up a Google Workspace preservation, you must complete the following:

  1. Create a Google Cloud project.
  2. Enable required APIs for the project.
    • Google Vault API
    • Admin SDK API
    • Cloud Storage API
  3. Set up OAuth2 consent screen.
  4. Create credentials.
  5. Create admin role for Vault API.
  6. Create admin role for the user accounts listing.
  7. Create admin role for the groups listing.
  8. Enable required privileges.

After completing these required steps, you can create a Google Workspace data source in RelativityOne.

Setting up a Google data source

Connecting your Google Workspace to Preservation takes some setup in both Google and Relativity. Begin with the credential setup in Google.

Create a Google Cloud project

Create a Google Cloud project to create, enable, and use all Google Cloud services. You will use this account to manage APIs.

To create a Google Cloud project:

  1. Open the Cloud Resource Manager page, then click Create Project.
  2. Enter information into the fields:
    • Project name—enter a descriptive name for your project.
    • Organization—enter the name of your organization.
    • Location—enter the parent organization or folder.
  3. Click Create.

The New Project modal iin Google Cloud Platform.

Enable required APIs for the project

Continuing in this process, you now need to enable the required Google Cloud Console APIs and associate them to a new project.

To start enabling APIs:

  1. In the Google Cloud Console, select the newly created project.
  2. In the left-navigation menu, select API & Services > Library.

    Highlight of the APIs & Services submenu and highlight of Library.

    This will open up the Library page that includes all available APIs.
  3. Enter Google Vault API in the search bar and search.
  4. Click the Google Vault API option, then click Enable.
  5. In the top left corner, click the Back arrow icon.
    This will take you back to the search results page with the search bar.
  6. Enter Admin SDK API in the search bar and search.
  7. Click the Admin SDK API option, then click Enable.
  8. In the top left corner, click the Back arrow icon.
    This will take you back to the search results page with the search bar.
  9. Enter Cloud Storage API in the search bar and search.
  10. Click the Cloud Storage API option, then click Enable.
    The Cloud Storage API option.
    Note: This API may be enabled by default.

Set up OAuth2 consent screen

Follow the steps below to create an OAuth2 consent screen.

  1. Open Google Cloud Console and select newly created project.
  2. Click on the Navigation menu.
  3. Select APIs & Services > OAuth consent screen.
  4. Select Internal type and click Create.
    The API & Service OAuth consent screen.
  5. Enter descriptive App name. For example, Relativity Preservation.
  6. Enter a User support email from within your organization.
  7. Enter relativity.one as Authorized Domain.
  8. Enter an email from within your organization in the Developer Contact Information field.
  9. Click Save and Continue.

On the next step, you will want to add scopes.

  1. Click Add or remove scopes.
  2. Enter filter and select https://www.googleapis.com/auth/ediscovery or enter it in a text box.
  3. Click Update.
  4. Click Save and Continue.

Create credentials

  1. Click the navigation menu (The menu icon.) in the top left corner.
  2. Hover over APIs & Services > Credentials.
  3. Click Create Credentials.
  4. Click OAuth Client ID credentials.
  5. Enter the following information in the fields:
    • Application type—select Web application.
    • Name—enter a name for the credentials.
    • Authorized redirect URIs—enter the URL based on the RelativityOne Data Center Geo you intend to run collections from.
      • For example, https://{InstanceURL}/Relativity.REST/api/Preservations/v1/Sources/workspace/{WorkspaceID}/GoogleVault/HandleAuthenticationRedirect.
      • When the {InstanceURL} is a Relativity instance URL and {WorkspaceID} is the Relativity workspace artifact ID where you are setting up the data source.
  6. Click Create.

After clicking Create, you will have your Client ID and Client Secret. You will need to use them when creating the new data source under Create the Google Workspace data source.

The OAuth client created confirmation screen with Your Client ID and Your Client Secret fields.

Google Workspace user account setup

A Preservation hold requires a user account on which behalf Relativity exports data. This can be a dedicated or an existing user account.

Create admin role for Vault API

  1. Open the Google Admin page.
  2. Click Account > Admin roles to open the up the page.
  3. Click Create New Role.
  4. Enter the role name. Relativity suggests Relativity Preservation.
  5. Click Continue to select privileges.
  6. Select the following privileges:
    • Services - Google Vault > Manage Matters
    • Services - Google Vault > Manage Holds

Select the Google Vault services.

  1. Click Continue.
  2. Click Create Role.

Create admin role for the user accounts listing

  1. Open the Googe Admin page.
  2. Click Account > Admin roles to open the up the page.
  3. Click Create New Role.
  4. Enter the role name. Relativity suggests Users Reader for Preservation.
  5. Click Continue.
  6. Select the Admin API privileges - Users > Read privilege.
  7. Click Continue.
  8. Click Create Role.

Create admin role for the groups listing

  1. Open the Google Admin page.
  2. Click Account>Admin roles to open the up the page.
  3. Click Create New Role.
  4. Enter the role name. Relativity suggests Groups Reader for Preservation.
  5. Click Continue.
  6. Select the Admin API privileges - Groups > Read privilege.
  7. Click Continue.
  8. Click Create Role.

Enable required privileges

  1. Open the Google Admin page.
  2. Navigate to Directory > Users to open the list of users.
  3. Select or create the user you want to use.
  4. Select and expand the Admin roles and privileges pane.
  5. Assign the following roles to the user in All organizational units scope:
    • Relativity Preservation
    • Users Reader for Preservation
    • Groups Reader for Preservation

Enable the required preservation privileges in Google Admin.

Create the Google Workspace data source

There are specific steps to connect Google Workspace to Relativity when creating the Preservation data source. To set up the Google Workspace data source, you must enable API access with Google Workspace and then complete the data source settings in Relativity.

After confirming that your Discover APIs are enabled, complete the set up process in Relativity.

To add the Google Workspace data source, follow the steps below:

  1. Within the Preservation application, navigate to the Preservation Data Source tab.
  2. Click the New Preservation Data Source button.
  1. Complete the Google Vault fields. For more information, see Google Workspace user account setup.
  2. This is required for setting up the Google Vault Data Source. For more information, see Create credentials.
  3. Click Save.
  4. Enter in a unique name for the data source in the Name field.
    The preservation data source page for Google Vault.
  5. After saving, confirm that four services were created and linked to the data source. One for each of the following:
    1. Gmail
    2. Google Chat
    3. Google Drive
  1. The status at the top of the page should read, “The user has never authenticated and must authenticate.”
  2. Click the Authenticate button in the right pane.
  3. Select or sign in to the Google account on which behalf preservations will be performed. For more information, see Google Workspace user account setup.
The Choose an account screen.
  1. If authentication is successful, you will see the following message:
Success message.
  1. Close the window the successful authentication window.
  2. Click the Re-Validate Authentication button in the right pane on the Preservation Data Source that you created. You should see the following status, “The user credentials are authenticated and ready to use.”

The user credentials confirmation banner.

Preservation data source fields

You must add Google-specific data into the fields in the Default Category during the creation of a Google Workspace data source.

  • Name—enter a unique name for this preservation data source.
  • Source Type—select a Google Workspace data source.
  • Entity ID Field—select an entity type.
  • Client ID—enter the Client Id copied from Google’s OAuth2 credentials page.
  • Client Secret—enter Client Secret copied from Google’s OAuth2 credentials page. For more information, see Create credentials.

After saving, confirm that four services were created and linked to the data source.

Data source details

Each data source details page includes a console to complete actions. Each data source has different actions.

For Google Vault:

  • Authenticate—click to authenticate the client ID and client secret with Google.
  • Re-validate authentication—click to re-authenticate the client ID and client secret with Google.

The preservation data source layout with Google Vault details.