File Search Google Drive Configuration

ūüďė

Note: File Search requires User Ingestions to map Google Drive user profiles to Moveworks user profiles, and mirror your Google Drive access controls (ACLs). If User Ingestion has not been set up previously, or if this is your first time integrating Google Drive with Moveworks, please contact the Customer Success team for assistance with configuration.

1. Create Google Cloud Project and Grant Scopes to Moveworks

1. Create Google Cloud Project

Note: If you have already configured a Project and Service Account, jump to

  1. Create a Google Cloud Project for Moveworks
    1. Sign into https://console.cloud.google.com/cloud-resource-manager using an account with Google Workspace Super Admin privileges
    2. Click +Create Project
    3. Name the project Moveworks and select the top-level organization OU for your Google Workspace
    4. Click Create
    5. Once completed, click Select Project from Notifications or via Search

2. Grant SDK Scopes to Project

  1. Turn on the Admin SDK and Google Drive APIs for your Google Cloud Project
    1. From the top-left Navigation Menu, click APIs & Services > Enabled APIs & Services.
    2. Click +Enable APIs & Services.
    3. Search for each of the following APIs, and select Enable:
      • Admin SDK
      • Google Drive API

3. Create a Service Account and Generate a JSON Web Token

  1. From the top-left Navigation Menu, click APIs & Services > Credentials.

  2. Click +Create Credentials > Service account.

  3. For Service account name, enter Moveworks

  4. (Optional) Enter Service account description, if desired

  5. Click Create and Continue.

  6. Click Done > Save.

  7. Copy the Service Account email. You’ll need this later.

  8. Create the service account key

    1. Select the newly created Service Account.

    2. Copy the Unique ID and save it for later. You’ll need this later.

    3. At the top of the page, click Keys > Add Key > Create new key.

    4. Make sure the key type is set to JSON and click Create.

      You'll get a message that the service account's private key JSON file was downloaded to your computer. Make a note of the file name and where your browser saves it. You’ll need this later.

    5. Click Close on the pop-up window.

4. Add API Scopes to Service Account

  1. Add domain-wide delegated OAuth API scopes to the service account
    1. Sign into your Google Admin Console using an account with Super Admin privileges
    2. Navigate through the following: Menu > Security > Access and data control > API controls > Manage Domain-Wide Delegation.
    3. Click Add New.
    4. In the Client ID field, enter the service account's Unique ID saved in Step 2.
    5. Under OAuth Scopes, grant Moveworks the following scopes:
      1. https://www.googleapis.com/auth/admin.directory.group.readonly
      2. https://www.googleapis.com/auth/admin.directory.user.readonly
      3. https://www.googleapis.com/auth/drive.metadata.readonly
      4. https://www.googleapis.com/auth/drive.readonly
    6. Click Authorize.

5. Add Service Account (or authenticating Admin) to desired Google Drive folders

  1. Log into your Google Drive
  2. Select the Folders and Shared Drives that you wish to ingest files from
  3. Click Add Members.

  1. Add the Service Account email that you created in the earlier steps and select Viewer permission
  2. Uncheck Notify people.
  3. /Click Send.

2. Create Connector #1: Google Suite Connector in Moveworks Setup (Self-Service optional)

In this step, you will need to create the first of two different Google Connectors needed in order to enforce permissions, by uploading your JSON file from the Service Account Auth.

Moveworks is moving towards consolidating into a single Google Connector, but for now requires two.

  1. If working with your Customer Success team to configure, please send the JSON to your Customer Success representative.
  2. Create Google Suite Connector (with Service Account Auth)
    1. In your Moveworks Admin Portal, go to the Connectors tab
    2. Click Create New Connector
    3. Select Google Drive
    4. Select Service Account Auth
    5. Upload into your Connector the JSON that you downloaded previously

3. Create Connector #2: Google Drive Connector in Moveworks Setup (Self-Serve optional)

In this step, you will need to create the second Connector, the Google Drive Connector. This Connector currently requires OAuth2 Refresh Token Auth, and you will need to provide these credentials to your CSE.

Create Google Drive Connector

  1. From the Summary screen, go to the Credentials page


  2. Select + Create Credentials and create a new OAuth client ID.

  3. Select Web application for Application type on the following page.


  4. Add https://www.moveworks.com (or another Moveworks CS-team provided Authorized Redirect URI) as an Authorized redirect URI.

  5. Once complete, a confirmation modal should display your client ID and client secret. Download the JSON file to a secure environment (e.g. your work laptop).

  1. Once you have the JSON file securely stored, set up time with your Moveworks Customer Success team to transfer and authorize the credentials securely.
    The Customer Success Team will then generate a URL (using the JSON file and Redirected URI). You must use the Service Account to authenticate the credentials (3-legged authentication). Any file/folder that this Service Account has access to will be accessible via API using these OAuth credentials.
    1. Or if via Moveworks Setup, add the Credentials and JSON to the Google Drive Connector

3. Configure File Ingestion Steps in Moveworks Self-Serve

  1. In the Moveworks Self-Serve Product, go to the Answers > Ingestions > File Knowledge Screen.
  2. You can now configure your File Ingestion using the Connector you’ve created!
  3. Navigate to the Enterprise Search ‚Üí Answers ‚Üí File Ingestion
  4. Select the Google Drive Connector and **provide a Name** your File ingestion config
  5. Continue to the Ingestion Details page and Specify each Folder, using the Folder IDs
    1. Please double check that you have entered the URLs correctly of the Google Drive folders from which you wish to ingest files from
      1. Copy and paste URLs with the in the following manner:
        1. If the URL of your Google Drive folder is <https://drive.google.com/drive/folders/FOLDERID, then input the FOLDERID
    2. Please double check that each Folder has been shared access with the Service Account that you have built for Moveworks
    3. You can assign a Domain to each Folder, i.e IT, HR, Finance, etc.‚Äď this Domain is used for tagging in Analytics, enabling you to filter Search usage for each of your domains
  6. Input the GSuite Connector as well for Permissions Ingestion
  7. Save the File Ingestions

4. Launch File Search to your employees (if not already)

  1. Refer back to the main File Search Self-Serve guide: File Search Self-Serve ‚ÄstConfiguration Guide.