Set up a Cloud Connection to Enable Google Vault Data Preservations

This article covers the steps you take, both within Google and within Everlaw, to set up your team to create Google Vault data preservations within Everlaw.

For organizations that use Google Vault to preserve business communications and data related to legal matters, this setup allows designated users to create those preservations within Everlaw, without requiring specific permissions within your Google organization.

To learn how to create and manage a Google Vault data preservation with Everlaw, see Create and Manage Google Vault Data Preservations. 

Requirements

Google Vault is available to organizations that use Google Workspace. You can learn more about Google Vault in Google's documentation.

The following roles and permissions are required to complete the steps in this article:

  • Google: Most of the setup steps in this article require that you have the Google Super Admin role within your Google organization.
  • Everlaw: The setup steps within Everlaw require that you have Cloud Admin permission within Everlaw.

Overview of setting up the Cloud organization for Google Vault

To get set up for users to create Google Vault preservations, there are three steps to take within Google, and three steps to take within Everlaw. An overview is included here, and the sections below have more details about each step.

Within Google, a Super Admin needs to:

  1. Export the users. This gets uploaded to Everlaw as a directory, so that you can select the appropriate custodians when creating a data preservation.
  2. Set up a domain-wide delegation. This allows Everlaw the appropriate access to Google Vault.
  3. Set up an Everlaw Service Account. This is the account that users in Everlaw will connect to in order to create the data preservations within Google Vault.

Within Everlaw:

  1. A Cloud Admin (or Organization Admin) who is also a Super Admin in Google connects their Google Cloud organization to Everlaw.
  2. This same Cloud Admin adds at least one Everlaw Organization Admin or Legal Holds Admin to the cloud organization. Users added here will be able to create Google Vault data preservations from within Everlaw, using the service account created within Google.
  3. An Everlaw Legal Holds Admin or Everlaw Organization Admin creates a static directory using the exported user list from Google Vault.

Setup steps within Google

These steps happen in Google.

Requirements: You must be a Super Admin in Google to complete these steps.

Step 1: Export user list

The user list you export in this step becomes a directory within Everlaw. A directory in Everlaw that accurately reflects your custodians' Google details (name and email, in particular) is necessary when creating a data preservation, since it allows you to select the appropriate custodians and match their email addresses and user IDs with the data to preserve within Google.

To create the directory, you download your user list from Google, and later upload it to Everlaw. 

Follow the instructions from Google to download a list of users. Select CSV format for your download.

The instructions for creating a directory are in Step 1 of the Everlaw setup.

Step 2: Domain-wide delegation

Domain-wide delegation allows your Google organization to form a connection with Everlaw. To set up domain-wide delegation, follow the Control API access with domain-wide delegation article from Google.

The following information is required from Everlaw: 

Step 3: Create an Everlaw service account

The final setup step within Google is to create an Everlaw service account. This is an account that you create and authorize to create data preservations. Once you create it and complete the setup in Everlaw, designated Everlaw users will be able to create data preservations using this service account.

To create a service account you create a new custom role, and then create a user and assign them that role.

  1. To create a new role, follow the instructions from Google to create a custom role.
    Here are some details:
    • You can give the role any name you want, but we recommend something like "Everlaw Vault Service Account," and the description "Allow Everlaw to manage legal holds through this account."
    • The privileges for the role should be:
      • Groups: Read
      • Users: Read
      • Google Vault: View all matters
      • Google Vault: Manage matters
      • Google Vault: Manage holds
  2. When you're done creating the custom role, you create a new user with that role. To do so, follow Google's instructions to Add an account for a new user.
    Here are some details:
    • The name can be anything you like, but we suggest Everlaw Vault.
    • You must enter the primary email exactly as "everlaw-vault-service-account". The connection will not work if you don't enter this exactly.
  3. Once the new user is created, you assign it to the custom role. To do so, follow Google's instructions to assign roles.

Setup steps within Everlaw

These steps happen within Everlaw. They should be done after the Google setup steps. 

The required permissions are described in each section.

Step 1: Connect the Cloud organization

Requirements: To connect the cloud organization, you must be both a Super Admin in your organization's Google organization and either a Cloud Admin or Organization Admin in your Everlaw organization.

To connect the cloud organization:

  1. Go to Organization home > Cloud Management > Google Vault.
  2. Select + Add Google organization. This opens a dialog that includes the Client ID for domain-wide delegation, which you should already have completed.
  3. Select Continue to move on.
  4. You are prompted to log into your Google account and taken to the Add Google organization step.
  5. In the Google workspace domain field, enter your domain. The domain is the part of your work email address that follows the @ symbol. In the example "lastname@company.com", "company.com" is the domain.
  6. Select Done to complete the connection.

Now you have added your Google organization into Everlaw, which forms the connection between them. In the next set of steps, you add users who are delegated to use the connection.

Step 2: Add users

In this set of steps, you delegate users to create data preservations using the connection you set up in step 1. You do this by adding them to your cloud organization.

Requirements: To add users, you must be both a Super Admin in your organization's Google organization and either a Cloud Admin or Organization Admin in your Everlaw organization.

The users you add must be either a Legal Hold Organization Admin or Organization Admin within Everlaw, because they need to access the Legal Holds page to create data preservations. Their specific permissions within your Google organization are not important because they will create the data preservations using the service account created in the Google setup section above.

To add users:

  1. On the Organization home > Cloud Management > Google Vault page, select Add users to cloud organization.
    This opens a dialog that will require you to log in with your Google Super Admin account.
  2. A dropdown menu lets you select a user to add. As outlined above, any user should be either a Legal Hold Organization Admin or Organization Admin within Everlaw. 
  3. In the Enter email field, enter the email address of the selected user.
  4. [Optional] Continue adding users.
  5. When you're done, select Grant access.

Any users you add here, assuming they have the required permissions, will be able to create Google Vault data preservations.

Step 3: Create the directory

Requirements: The user who creates the directory must be a Legal Holds Organization Admin or an Organization Admin.

Before you can create a data preservation, the potential custodians must be added to an Everlaw directory. You'll use the Users export from Google, described in the Google setup steps, as your data source.

Creating the directory is listed here as Step 3, but can be done any time after the initial Users export from Google is downloaded.

To upload the directory, follow the steps to import a CSV in our Static Legal Hold Directories article.

Note

The directory is static, meaning it needs to be updated manually when there are changes to the users on your organization's Google account.

Note

The export from Google is formatted so that first name, last name, and email address can be imported directly into Everlaw without any formatting adjustments. If you want to import additional fields, you will need to use the Everlaw template.

Once you have created the directory, you are fully set up to start creating Google Vault data preservations.
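
Because the directory is static, it drifts from Google as users join, leave, or change names, and a custodian missing from the directory cannot be selected for a preservation. The following is an added example, not Everlaw or Google code, that compares the export last uploaded as the directory with a fresh export and lists the differences. The column header names and the sample rows are assumptions constructed for illustration; adjust the headers to match your export.

```python
import csv
import io

# Assumed column headers; change these to match the header row of your export.
FIRST_COL, LAST_COL, EMAIL_COL = "First Name", "Last Name", "Email Address"


def load_users(csv_text):
    """Return {lower-cased email: (first name, last name)} from a users CSV."""
    users = {}
    # Strip a leading byte-order mark so the first header still matches.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        email = (row.get(EMAIL_COL) or "").strip().lower()
        if email:  # skip blank or malformed rows
            users[email] = ((row.get(FIRST_COL) or "").strip(),
                            (row.get(LAST_COL) or "").strip())
    return users


def directory_drift(uploaded_csv, current_csv):
    """Compare the export behind the static directory with a fresh export."""
    old, new = load_users(uploaded_csv), load_users(current_csv)
    return {
        "added": sorted(new.keys() - old.keys()),      # not yet in the directory
        "removed": sorted(old.keys() - new.keys()),    # no longer in Google
        "renamed": sorted(e for e in old.keys() & new.keys() if old[e] != new[e]),
    }


# Constructed sample data (not real users).
UPLOADED = """First Name,Last Name,Email Address
Ana,Lopez,ana.lopez@company.com
Ben,Okafor,ben.okafor@company.com
Cara,Nguyen,cara.nguyen@company.com
"""
CURRENT = """First Name,Last Name,Email Address
Ana,Lopez-Reyes,Ana.Lopez@company.com
Cara,Nguyen,cara.nguyen@company.com
Dev,Patel,dev.patel@company.com
"""

if __name__ == "__main__":
    for kind, emails in directory_drift(UPLOADED, CURRENT).items():
        print(f"{kind}: {', '.join(emails) or '-'}")
```

Any non-empty result means the Everlaw directory should be re-imported before the next preservation is created.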