
Overview

This guide walks you through integrating Ocean into your Google Workspace environment in read-only mode. During the Proof of Concept (PoC), Ocean analyzes and reports on threats without taking active remediation actions, allowing your organization to evaluate our capabilities while retaining full operational control.
A Google Workspace administrator account is required to complete this integration.

Deployment Overview

Ocean’s email security platform integrates with Google Workspace via native APIs, requiring no rules and no changes to your email routing or infrastructure. During the PoC:
  • No emails are quarantined, blocked, or deleted
  • Detected threats appear in the Ocean dashboard
  • Security teams have full control over review and handling
Active enforcement can be enabled after a successful PoC.

Integration Steps

Before starting, Ocean’s team will provide you with a link to the integration wizard.
1. Confirm Admin Permissions

Before continuing, ensure you have Admin permissions in Google Workspace. Click “Yes, I’m an admin” to begin the integration.
2. Select Email Provider

Choose Google Workspace to proceed with the integration.
3. Review Permissions

Review the read-only API permissions Ocean requires. See the Permissions Reference section below for detailed information about each permission. Click “Next” to proceed.
4. Configure Domain-wide Delegation

Click on Domain-wide Delegation. You will be redirected to Google Workspace. Log in with a Google Workspace administrator account.
In the Domain-wide Delegation tab, click the “Add New” button to start the authorization process.
5. Enter Ocean's Information

  1. Copy the Client ID from the integration wizard and paste it in the Google form under “Client ID”
  2. Copy the list of OAuth scopes from the integration wizard and paste it into the Google form under “OAuth scopes (comma-delimited)”
The Client ID shown in the integration wizard is unique to your organization. Do not use example IDs from documentation.
After entering the required information, click “Authorize” to grant the necessary permissions to Ocean.
6. Enter Google Workspace Information

  1. Click on the Profile Info Page link in the wizard
  2. Copy the Customer ID value and paste it in the relevant field
  3. Copy the Primary admin email value and paste it in the relevant field
Click “Next” to complete the integration.
7. Wait for Approval

Your part in the process is complete. The Ocean application is now awaiting approval from Google.
Approval usually takes a few minutes but may take up to a few hours. Once approved, Ocean will begin the learning phase and you’ll receive access to the system.

Permissions Reference

Ocean requires the following read-only Google Workspace permissions during the Proof of Concept (PoC). These permissions allow our AI to build context, understand communication patterns, and accurately identify potential threats.
All permissions are read-only. Ocean cannot modify, delete, or send emails during the PoC phase.

Mailbox Access

Scope: gmail.readonly
Purpose: Allows the application to read emails in all mailboxes without requiring a signed-in user.
Why it’s needed: Ocean analyzes email content to detect phishing attempts, financial fraud, and impersonation attacks. This permission enables comprehensive threat detection across your organization.

Scope: gmail.metadata
Purpose: Enables the application to access users’ mailbox settings and filters without needing a signed-in user.
Why it’s needed: Understanding mailbox configuration helps Ocean identify anomalies and potential security misconfigurations that could be exploited by attackers.

Scope: contacts.readonly
Purpose: Allows the application to read all contacts in users’ mailboxes without requiring them to be signed in.
Why it’s needed: Contact information helps Ocean’s AI understand legitimate communication patterns and detect impersonation attempts where attackers pose as known contacts.

Directory Access

Scopes:
  • admin.directory.user.readonly
  • admin.directory.orgunit.readonly
  • admin.directory.group.readonly
Purpose: These permissions allow the application to read the full set of profile properties, groups, reports, and managers of other users within the organization.
Why it’s needed: Understanding your organizational structure helps Ocean detect business email compromise (BEC) attacks, where attackers impersonate executives or colleagues. Knowing reporting relationships allows detection of unusual requests that bypass normal chains of command.

Scopes:
  • admin.directory.domain.readonly
  • admin.directory.customer.readonly
Purpose: Allows the application to read your Google Workspace setup, including company domains and aliases.
Why it’s needed: Comprehensive domain awareness ensures Ocean can identify all legitimate email addresses for your organization and detect lookalike domain attacks where attackers use domains that closely resemble yours.

Activity and Reporting

Scope: admin.reports.audit.readonly
Purpose: Allows the application to access activity and usage reports for Google Workspace services, including user sign-in activities.
Why it’s needed: Login activity data helps Ocean correlate email threats with potential account compromise indicators, such as logins from unusual locations or devices.

Scope: admin.reports.usage.readonly
Purpose: Allows the application to access activity and usage reports for Google Workspace services.
Why it’s needed: Usage patterns help establish behavioral baselines, making it easier to detect anomalous activity that could indicate a compromised account or insider threat.

Security and Alerts

Scope: Policy.Read.All
Purpose: Provides visibility into tenant-level access controls.
Why it’s needed: Understanding your existing security policies allows Ocean’s AI to evaluate policy context and determine whether threats are attempting to bypass your safeguards.

Scope: apps.alerts
Purpose: Allows the application to read alerts generated by Google Workspace, such as messages reported as phishing by users.
Why it’s needed: Integrating with Google’s native alerting system allows Ocean to correlate its detections with user-reported phishing attempts and other Google-generated security alerts for comprehensive threat visibility.

OAuth Scopes Summary

Below is the complete list of OAuth scopes required for the integration:
https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/gmail.metadata
https://www.googleapis.com/auth/contacts.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.orgunit.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
https://www.googleapis.com/auth/admin.directory.customer.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
https://www.googleapis.com/auth/apps.alerts
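
Before clicking “Authorize” in step 5, an administrator can compare the scope string copied from the wizard against the list above. The script below is an added example, not Ocean's code; the function names and the sample input are constructed for illustration.

```python
"""Audit a comma-delimited OAuth scope string against this guide's scope list."""

PREFIX = "https://www.googleapis.com/auth/"

# Scope names exactly as listed in the OAuth Scopes Summary of this guide.
DOCUMENTED = frozenset(PREFIX + name for name in (
    "gmail.readonly",
    "gmail.metadata",
    "contacts.readonly",
    "admin.directory.user.readonly",
    "admin.directory.orgunit.readonly",
    "admin.directory.group.readonly",
    "admin.directory.domain.readonly",
    "admin.directory.customer.readonly",
    "admin.reports.audit.readonly",
    "admin.reports.usage.readonly",
    "apps.alerts",
))


def parse_scopes(raw):
    """Split on commas or whitespace; stray separators yield no empty items."""
    return raw.replace(",", " ").split()


def audit_scopes(raw):
    """Return scopes that are unexpected, missing, or repeated in `raw`."""
    seen, duplicates = set(), set()
    for scope in parse_scopes(raw):
        (duplicates if scope in seen else seen).add(scope)
    return {
        "unexpected": sorted(seen - DOCUMENTED),
        "missing": sorted(DOCUMENTED - seen),
        "duplicates": sorted(duplicates),
    }


def matches_documented(raw):
    """True only when the pasted string is exactly the documented set."""
    report = audit_scopes(raw)
    return not report["unexpected"] and not report["missing"]


if __name__ == "__main__":
    # Constructed sample: the documented list plus the full-access Gmail scope.
    sample = ", ".join(sorted(DOCUMENTED)) + ", https://mail.google.com/"
    print(audit_scopes(sample))
    print("matches documented list:", matches_documented(sample))
```

Scope strings are compared exactly, so any entry in "unexpected" is a permission this guide does not describe and should be questioned before authorizing.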

Frequently Asked Questions

No configurations are required. The only necessary step is to provide your organization’s Tenant ID and authorize the Ocean application as this guide outlines.
No, unlike email gateways, Ocean does not route or intercept emails between the internet and Google Workspace. Our system operates without adding any delay to email delivery.
No, the delivery of emails will remain unaffected even if Ocean services are temporarily unavailable.
The initial PoC of Ocean operates in passive, read-only mode without interfering with existing email systems. While Ocean’s core platform is designed to auto-remediate threats, these capabilities remain disabled during the PoC phase and require write permissions to enable.
No, the initial Proof of Concept (PoC) of Ocean operates without interfering with other email security systems. It operates in passive analysis mode to detect emails that pass through existing protection layers.
You can revoke access at any time through the Google Workspace Admin Console by removing the domain-wide delegation entry for Ocean’s Client ID.
No, Ocean automatically adapts to your email environment and behavior, beginning threat detection without additional setup.
No, our AI continuously learns and adapts to your organization’s needs, providing highly accurate protection for your employees’ inboxes. It operates autonomously, ensuring security while offering detailed and clear insights, without requiring ongoing maintenance or support from your IT team.

Need Help?

If you encounter any issues during the integration process, contact Ocean’s support team for assistance.