Cloud Scan integration for Google Workspace

Cloud Scan inspects your cloud storage for concerning content and lets your chosen staff members determine if a photo is safe or if further action is required. This article provides instructions for setting up Cloud Scan integration for Google Workspace.

Before you begin

• Create a user account for Cloud Scan in Google Workspace. This user account will be used only by Cloud Scan and must be able to manage users and groups in Google Workspace (for example, as a Groups Administrator). See Options for adding users.

  Note

  While the Cloud Scan user account has edit permission for users and groups in Google Workspace, Cloud Scan cannot change your Google Directory configuration.

• Keep a copy of the email address used to add the Cloud Scan user account to Google Workspace.
• Assign the Groups Admin role to the new Cloud Scan account in Google Workspace. See Groups Admin.
• Turn on Google Drive for the Cloud Scan user account so it can access Google Drive folders. See Turn a service on or off for Google Workspace users.
• Set up User Groups in the Admin Panel.

Step 1: Set up the integration

1. Sign in to Cloud Portal, then select Admin Panel.
   • Smoothwall: portal.smoothwall.cloud
   • Linewize: portal.linewize.net
2. Select Cloud Scan Integration on the left navigation.

3. Select Set up Integration at the bottom right of the screen.

   Note

   The Set up Integration button is inactive while there is an incomplete integration.

Image 1. Select Set up Integration.

4. Select your storage type (Google), then Confirm your selection.

Step 2: Configure the integration

1. Provide your Google Cloud storage details.
   1. Enter a descriptive name for the integration to distinguish it from other integrations.
   2. Enter the email address of the Cloud Scan user account you created in Google Workspace (see Step 1 of Before you begin).
2. Under Tenants and Groups, select the tenants you want to include in the Cloud Scan integration.
   • Choose All Tenants to automatically add all tenants.
   • Choose Selected tenants to add only certain tenants manually.

Image 2: Select the tenants you want to add to the integration.

3. Assign at least one group specific to the tenant you’ve added.

   Note

   Having tenant-specific groups ensures that only associated schools or organisations can see their groups’ data. See our guide for setting up groups.

Image 3. Add at least one group to each tenant.

4. (Required) Under Safeguarding Contacts, select or enter the name of at least one Safeguarding Contact for each tenant.

   Note

   Safeguarding Contacts can view Cloud Scan results and review and action images for deletion or retention.

5. In Select Scan Scope, choose the scope of your scan:
   • Scan new files - This option lets you bypass all image files uploaded prior to cloud integration. Cloud Scan will only scan images that are uploaded from the date of cloud integration onwards. This option is quicker and more efficient.
   • Scan all files - Cloud Scan will scan all images, including those that were uploaded to the cloud storage prior to the integration. This option can take longer to complete.

Image 4. Select Scan Scope

6. Select Save integration.

   Note

   The Save integration button is disabled (grey) until all mandatory fields (*) are complete.

Step 3: Authorise access to Google Cloud storage

1. Sign in to Google Admin Console: admin.google.com.
2. Go to Security > Access and data control > API controls.
3. Select Manage Domain Wide Delegation, then Add new.
4. Copy the Content Scanning Service Account ID and paste it into the Client ID field. The Content Scanning Service Account ID is auto-generated for each integration.

5. Copy and paste each of the following into an OAuth scopes line. This step allows Cloud Scan to read users and groups, and manage files in Google Drive.

   https://www.googleapis.com/auth/admin.directory.group.readonly
   https://www.googleapis.com/auth/admin.directory.user.readonly
   https://www.googleapis.com/auth/drive

6. Select Authorize.
7. Select your new entry and select View details.
8. Verify the Client ID and the three scopes are displayed.
9. Return to the Cloud Storage Integration screen to complete the integration.

Step 4: Complete the integration

Complete the Cloud Scan integration by running a successful initial scan. You can select Scan now to scan your cloud storage immediately or I’ll do it later and delay the first scan to a later date.

Schedule your first scan

1. Select the I confirm that I have followed the steps and completed the setup checkbox.
2. Select Scan now.
3. On the Start Cloud Scan prompt, select Start Scan. 

Cloud Scan will scan your cloud storage immediately, which can take up to a few hours depending on the number of images.

Delay your first scan

1. On the domain-wide delegation prompt, select I’ll do this later. The “Set up incomplete” indicator will appear for the integration.

Image 4. The “Setup incomplete” indicator appears for the incomplete cloud integration.

2. When you’re ready to scan your cloud storage, select the incomplete cloud integration.
3. Review the Cloud Storage Integration details you entered in Step 2: Configure the integration and select Save Integration.
4. Select the I confirm that I have followed the steps and completed the setup checkbox.
5. Select Start Scan.

Cloud Scan schedules the initial scan to take place within the next 24 hours. Depending on the number of images being scanned, scanning can take a few hours.