# Access Transparency Activity Collects Access Transparency logs from Google Workspace for auditing when google workspace personnel access your data. **Sync Type: Incremental** ## Requirements Before configuring this input, you need to set up a Google Cloud service account and grant it the necessary permissions in your Google Workspace environment. Follow these steps: 1. **Create a Google Cloud Project**: - Go to the [Google Cloud Console](https://console.cloud.google.com/). - Create a new project or select an existing one. 2. **Enable the Admin SDK API**: - In your project, go to "APIs & Services" > "Library". - Search for "Admin SDK API" and enable it. 3. **Create a Service Account**: - Go to "IAM & Admin" > "Service Accounts". - Click "Create Service Account". - Give it a name and description. - For role, you don't need to grant any roles in Google Cloud. - Click "Create and Continue", then "Done". 4. **Generate a Key for the Service Account**: - In the service account list, click on your new service account. - Go to the "Keys" tab. - Click "Add Key" > "Create new key". - Choose JSON as the key type and click "Create". - Save the downloaded JSON file securely. 5. **Set up Domain-Wide Delegation**: - Go to your [Google Workspace Admin Console](https://admin.google.com/). - Navigate to Security -> Access and Data Control -> API Controls - In the "Domain-wide Delegation" section, click "Add new". - For "Client ID", enter the service account's Client ID (found in the JSON key file). - For scopes, enter: `https://www.googleapis.com/auth/admin.reports.audit.readonly` - Click "Authorize". 6. **Create and Configure an Admin Account**: - In the Google Workspace Admin Console, go to Users. - Click on "Add new user" to create a new account, or select an existing user. - Fill in the required information for the new user. - After creating the user, click on the user's name to access their details. - In the user details page, find the "Admin roles and privileges" section. - Click on "Assign roles". - Navigate to "Admin roles" under the Account section. - Click "Create new role". - Name the role (e.g., "Device Activity Report Reader"). - Under privileges, expand the "Reports" section. - Check the box for "Read" under "Admin Audit Reports". - Save the new role. - Return to the user's details and assign this new custom role. ## Configuration The Google Workspace Access Transparency Activity Input is configured using the following settings: #### Settings | Setting | Type | Required | Description | |---------|------|----------|-------------| | Email | string | Yes | The email address of the Google Workspace admin to impersonate for API calls. | | Backfill Start Time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. | #### Secrets | Secret | Type | Required | Description | |---------|------|----------|-------------| | CredentialsJSON | string | Yes | Base64-encoded JSON credentials of the Google Cloud service account used for authentication. | Remember to keep your service account key confidential and never commit it to version control systems. ## Functionality This input component performs the following actions: 1. Authenticates with Google Workspace using a service account and admin impersonation. 2. Periodically fetches access transparency activity logs. 3. Processes and publishes activity data to the pipeline for further handling. ## Best Practices 1. **Service Account**: Use a dedicated service account for this input. 2. **Least Privilege**: Grant only the necessary permissions to the service account. 3. **Admin Impersonation**: Use a dedicated admin account for impersonation, preferably one with limited permissions. 4. **Credential Security**: Keep the service account JSON key secure and never commit it to version control. 5. **Regular Audits**: Periodically review the service account's access and the impersonated admin's permissions. ## Limitations - The input fetches a maximum of 1000 results per API call. - Historical data availability depends on Google Workspace's retention policies. - API quotas and limits apply as per Google Workspace Admin SDK guidelines. ## Troubleshooting - For authentication errors, verify the service account credentials and Domain-Wide Delegation setup. - If encountering "permission denied" errors, check the impersonated admin's privileges. - No data being fetched could indicate a lack of access transparency activities or logging issues in your Google Workspace. ## Custom Schema Handling If the source data doesn't align with any of the [OpenSecurityControlFramework (OSCF) schemas](https://schema.ocsf.io/), you can create a custom transformation using our JQ transform pipeline. For example: ```jq { metadata: { schema_version: "1.0.0", custom_framework: "my_framework" }, controls: .[] } ``` For more information on JQ and how to write your own JQ transformations see the JQ docs [here](https://jqlang.github.io/jq/). If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at [support@monad.com](mailto:support@monad.com). We're always looking to expand our coverage of security control frameworks based on community needs. ## Sample Record ```json { "actor": { "callerType": "USER", "email": "john.williams@test.com", "profileId": "36d93fb6-65e9-5b78-be91-6a9138cdb8e8" }, "etag": "\"etag_example\"", "events": [ { "name": "ACCESS", "parameters": [ { "name": "ACCESS_APPROVAL_ALERT_CENTER_IDS", "value": "8182bc40-d218-a49d-8406-0809f2b3aa71" }, { "name": "ACCESS_APPROVAL_REQUEST_IDS", "value": "14c13172-755a-1216-5338-cf558c4c052e" }, { "name": "ACCESS_MANAGEMENT_POLICY", "value": "POLICY_12345" }, { "name": "ACTOR_HOME_OFFICE", "value": "US" }, { "name": "GSUITE_PRODUCT_NAME", "value": "DRIVE" }, { "name": "JUSTIFICATIONS", "value": "Customer Initiated Support - Case Number: 6" }, { "name": "LOG_ID", "value": "7a6a6aae-fd5b-dbd7-566a-f11635c80c74" }, { "name": "ON_BEHALF_OF", "value": "tom.brown@sample.org" }, { "name": "OWNER_EMAIL", "value": "john.smith@mail.com" }, { "name": "RESOURCE_NAME", "value": "projects/1234567890/locations/us/datasets/507ed2bb-2fe7-8164-91af-09f05d4a7802" }, { "name": "TICKETS", "value": "GS-0" } ], "type": "GSUITE_RESOURCE" } ], "id": { "applicationName": "access_transparency", "customerId": "C0q2w3e4r", "time": "2025-09-12T16:28:51.732125Z", "uniqueQualifier": "c89f8942-4337-713a-c6dd-367d27ec88b3" }, "ipAddress": "120.64.195.233", "kind": "admin#reports#activity" } ```