FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
lalarcon
Staff
Article Id 415215
Description

This article describes how to configure a Google Tenant to work with FortiDLP and the Google Connector.

Scope

FortiDLP administrators and the Google administrator who need to integrate the two products for events and labels.
Solution

This article covers three phases for configuring the API permissions and access that FortiDLP needs: creating a service account and its key, granting domain-wide delegation, and enabling the required APIs.

Go to Service accounts in the Google Cloud console (Google developers).

Choose the project to work with or create a new project.

Under the project, go to Service Accounts, and create a Service Account:

Copy the service account's Unique ID (Client ID); it is needed later for domain-wide delegation.

Add a Key to the service account.

If an error message appears stating that 'iam.disableServiceAccountKeyCreation' is active, an organization policy is blocking the creation of service account keys.

Go to IAM and choose the Organization resource. This step is crucial: the policy change must be made at the organization level, not in the project.

Add the 'Organization Policy Administrator' role on the organization resource.

In the organization unit (mysecurenetwork.org in this example), go to 'Organization Policies'. Look for 'iam.managed.disableServiceAccountKeyCreation'.

Choose the policy and select Manage Policy.

Select Inherit Parent’s Policy.

Return to the project, go to IAM -> Service Accounts -> Create a service account -> Keys, and create the key.

Create the key as a JSON file and save it for later use in the FortiDLP connector.

Set up permissions for the APIs involved. Go to Domain-wide Delegation in the Google Admin console.

Alternatively, in the Google Admin Console navigate to Security -> Access and data control -> API controls -> Manage Domain Wide Delegation.

Create a new API client. Use the Client ID of the service account from the working project, and add that Client ID together with the URIs of the scopes listed below.

Add the following scope URLs to the list:

https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/drive.labels.readonly
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/admin.directory.group.readonly
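Before adding the connector, it is worth catching copy-paste mistakes in the two inputs this procedure produces: the service account JSON key created earlier and the scope list registered under domain-wide delegation. The following Python script is an added example, not part of this article or of FortiDLP; it checks the key file for the fields a Google service-account key carries and diffs a pasted scope list against the list above. The sample key and scope list inside it are constructed placeholders.

```python
import json
import re

# OAuth scopes that must be registered for the service account's Client ID (the article's list).
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/drive.labels.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
})
# Fields a Google service-account JSON key carries; the connector needs all of them.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id", "token_uri")

def check_key_file(key_json: str) -> list[str]:
    """Return the problems found in a JSON key file (empty list means usable)."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type must be 'service_account', not a user OAuth client")
    # The Client ID pasted into Domain-wide Delegation is this numeric unique ID.
    if not re.fullmatch(r"\d+", str(key.get("client_id", ""))):
        problems.append("client_id is not the numeric service-account unique ID")
    pk = str(key.get("private_key", ""))
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----")
            and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM private key block")
    return problems

def check_scopes(registered: list[str]) -> dict[str, list[str]]:
    """Diff registered scopes against REQUIRED_SCOPES after stripping copy-paste whitespace."""
    cleaned = {s.strip().rstrip(",") for s in registered if s.strip()}
    return {"missing": sorted(REQUIRED_SCOPES - cleaned),
            "unexpected": sorted(cleaned - REQUIRED_SCOPES)}

# Constructed sample key with placeholder values (not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project", "client_id": "123456789012345678901",
    "private_key_id": "0123456789abcdef", "token_uri": "https://oauth2.googleapis.com/token",
    "client_email": "fortidlp@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"})
# Constructed: a pasted scope list with trailing whitespace and the group scope left out.
SAMPLE_REGISTERED = [s + " " for s in sorted(REQUIRED_SCOPES) if not s.endswith("group.readonly")]
```

Run `check_key_file` on the real key file's contents and `check_scopes` on the scopes as pasted into the Admin console; any entry under "missing" or "unexpected" is a mismatch that will make the connector fail.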

Now start the last configuration phase, enabling the APIs. Go to https://console.developers.google.com/

Enable the 'Admin SDK API', 'Google Drive API' and 'Drive Labels API'.

The enabled APIs should then be listed as follows:

Optional Step: Labels.

If the tenant already has Drive labels configured, skip this step. If no label has been created yet, follow these instructions:

Go to https://admin.google.com/ac/dc/labels.

Create the label and publish it.

Test the JSON key file. Go to FortiDLP -> Admin Settings -> Admin -> Google -> Connectors and add the connector, supplying the service account JSON key saved earlier.

Go to FortiDLP -> Admin Settings -> Admin -> Google -> Directory and add the Google directory.

Go to FortiDLP -> Admin Settings -> Admin -> Google -> Drive Labels and check that the labels sync.

The connector configuration is now complete.