Google G Suite Activity Reports FAQ
Use these frequently asked questions and answers to help you understand Google G Suite Activity Reports.
- Why does the service account need domain-wide read access?
- Why does the user account need reports access?
- Why does Google G Suite Activity Reports use service accounts to authorize access instead of other authentication methods?
- What types of events are collected by the Google G Suite Activity Reports API?
- Why do you need a user account if you have service account credentials?
- What does a standard Service Account Credentials file look like?
- What host and ports are used by this protocol?
- Are there any alternatives to the officially documented authorization method?
Why does the service account need domain-wide read access?
The domain-wide read access allows the service account to impersonate a user. Without domain-wide read access, the service account is unable to obtain reports access.
Why does the user account need reports access?
The events that the Google Activity Reports protocol retrieves all come from the reports function of Google Admin. This access is required to retrieve any events from the Google Activity Reports API.
Why does Google G Suite Activity Reports use service accounts to authorize access instead of other authentication methods?
Service accounts are different from other methods of authorization because they can act without requiring user consent. Service accounts are intended for server-to-server communications. The section named “Service accounts” in the following document explains the difference between service accounts and other methods of authorization in detail: Using OAuth 2.0 to Access Google APIs (https://developers.google.com/identity/protocols/OAuth2).
What types of events are collected by the Google G Suite Activity Reports API?
This protocol collects only admin, user accounts, login, and drive events. These events are detailed in the reports section of the G Suite Admin SDK Activities list (https://developers.google.com/admin-sdk/reports/v1/reference/activities/list).
Why do you need a user account if you have service account credentials?
For a service account to have access to the reports API, it needs to impersonate an existing user. For more information, see domain-wide delegation (https://developers.google.com/admin-sdk/directory/v1/guides/delegation).
What does a standard Service Account Credentials file look like?
{
  "type": "service_account",
  "project_id": "",
  "private_key_id": "",
  "private_key": "-----BEGIN PRIVATE KEY-----\n=\n-----END PRIVATE KEY-----\n",
  "client_email": "",
  "client_id": "",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": ""
}
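A pre-deployment check for a file of this shape, as an added example that is not part of the original page and not IBM or Google code: it validates the fields shown above and builds the unsigned JWT claim set in which `sub` names the impersonated user account. The function names, the sample values, and the Reports API scope URL (taken from Google's API documentation, not from this page) are assumptions introduced here.

```python
import json
import time
from urllib.parse import urlparse

# Read-only audit scope of the Admin SDK Reports API (not stated on this page).
REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
REQUIRED = ("project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")
TOKEN_HOSTS = {"oauth2.googleapis.com"}  # token_uri host in the file above

def check_credentials(text):
    """Return a list of problems found in a service account credentials file."""
    try:
        creds = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(creds, dict):
        return ["top level is not a JSON object"]
    problems = []
    if creds.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    problems += [f"missing or empty field: {k}" for k in REQUIRED if not creds.get(k)]
    url = urlparse(str(creds.get("token_uri") or ""))
    if url.scheme != "https" or url.hostname not in TOKEN_HOSTS:
        problems.append("token_uri is not an https URL on an expected host")
    pem = str(creds.get("private_key") or "")
    if pem and not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM 'PRIVATE KEY' block")
    return problems

def delegation_claims(creds, user_email, now=None):
    """Unsigned JWT claim set; 'sub' is the user the service account impersonates."""
    now = int(time.time()) if now is None else now
    return {"iss": creds["client_email"], "sub": user_email,
            "scope": REPORTS_SCOPE, "aud": creds["token_uri"],
            "iat": now, "exp": now + 3600}  # Google caps lifetime at one hour

# Constructed sample values, not real credentials.
GOOD = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000", "client_id": "1234567890",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "collector@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(check_credentials(GOOD))
    print(delegation_claims(json.loads(GOOD), "reports-admin@example.com"))
```

Typographic quotation marks pasted into the file, or a `token_uri` that has been edited to another host or to plain HTTP, show up as entries in the returned list before the key is ever used.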
What host and ports are used by this protocol?
The following hosts and ports are used by this protocol:
Host | Description |
---|---|
oauth2.googleapis.com:443 | Authentication server used by Google to authenticate API access. |
googleapis.com:443 | Google's API server. Used to access the Google G Suite Activity Reports API. |
Are there any alternatives to the officially documented authorization method?
The Google G Suite Activity Reports API requires both a user account and a service account. Due to these restrictions, it is not possible to delegate the required permissions to just the service account or just the user account. If the offered authorization method is not satisfactory, contact IBM Support.