You can configure CloudM Manage to archive a user's Vault data as part of an Offboarding Workflow. The data will be indexed in the same way as other archived data, and will be displayed under a "Vault" label.
Please note that, due to Google Export Quota limitations (limiting archiving to 1-2 users / threads at a time), you will need to set up multiple Google Cloud Platform projects to archive multiple users at once.
Set up a Google Cloud Platform Project
This method uses a Powershell script to automate the majority of the process. It is easier and quicker than the full manual process, and less prone to error.
Before you start, you will need:
- An account in GCP with permissions to create a project (resourcemanager.projects.create role) or owner on existing project,
- The ability to run Powershell Script as Administrator,
- A browser window open and authenticated into the GCP tenant. This must be the last browser tab you have used.
To run the Powershell:
- Install Google Cloud SDK using the instructions provided by Google here,
- Ensure that the Google Cloud SDK is initialized by running the “gcloud init” command, and follow the instructions.
- Once Google Cloud SDK has finished initializing, download the GCP_Storage_Configuration.ps1 file (attached) to your desktop.
- Click on your Desktop Search icon (next to the Start Icon) and search for Windows Powershell.
- Select Run as Administrator.
- On the GCP_Vault_Configuration.ps1 file, select Shift and right click. Select Copy as Path.
- In the Windows Powershell window, enter CD and a space, select paste and then click the up button on your keyboard until you see the first half of the file path and select enter. It will look similar to:
- CD C:\Users\(your name)\Desktop
- On the next line, click the up button on your keyboard until you see the second half of the file path and select enter. It will look similar to.
- & ‘.\GCP_Vault_Configuration.ps1.
- On the Project ID line, enter a unique Project ID name.
- ProjectId must be a unique string of 6 to 30 lowercase letters, digits, or hyphens. It must start with a lower case letter, followed by one or more lower case alphanumerical characters that can be separated by hyphens. It cannot have a trailing hyphen.
- On the Service Account ID line, enter a unique Service Account name. You can use the same name as the Project ID, or use the same naming conventions.
- Now, on the Output Path line, specify where the JSON Key and Log will be exported to on your computer (e.g. C:\\CloudM GCPVaultConfig).
- The Powershell will run and provide the following details manual instructions that you must carry out.
- For Step 1 - Service Account Domain Wide Delegation, copy the displayed URL in the Powershell window and paste into a browser.
- On the Service Accounts screen, click on the down arrow before SHOW DOMAIN-WIDE DELEGATION, check the Enable G Suite domain-wide delegation checkbox and select Save.
- For Step 2 - Configure Google Workspace Domain Wide Delegation using the following ClientId and Scopes, copy the displayed URL in the Powershell window and paste into a browser.
- On the Security > API Controls > Domain-wide Delegation screen, select Add new to display the Add a new client ID pop-up box.
- Copy and paste the Client ID and OAuth Scopes from the Powershell window into the specified fields and select AUTHORIZE.
- Now, in Step 3 - Service Account details for use in CloudM Migrate, copy the Service account email address that you need later when configuring the platform in CloudM Migrate.
- The JSON key file that you will also need when configuring the platform in CloudM Migrate can be found in C:\CloudM\GCPVaultConfig, along with a gcp_vault log for the process.
Add a project in Archive
- In CloudM Manage, navigate to Archive > Vault Configuration.
- Select + Add project configuration.
- Upload the Service Account JSON key into the Service Account for Google Vault Access field.
- Enter the email address of an administrator in the Admin email field.
- Select Test Connection to check that connection has been successful.
- Select Save.
- The project name will be displayed, tabbed at the top of the screen.
Add the Archive Vault step to an Offboarding Workflow
The following instructions assume that the Archive Vault step will be added to an existing offboarding workflow, and can be added in addition to the standard Archive step. Please refer to the Offboarding Workflows article on our Knowledge Base for more information on other steps that can be added.
To add the Vault Archive step to an offboarding workflow:
- Sign into CloudM Manage.
- Click on Administrate > Offboarding Workflow
- Select the Root Organizational Unit (listed at the top of the list and denoted with an office block icon) or a child OU listed below the Root OU
- If you want to apply the Archive Vault step to a Smart Team, select the Smart Team tab and click on the required Smart Team.
- If you have selected a Smart Team, ensure that the workflow is set to Enable so that the policy will take precedence over the user’s Organizational Unit policy.