• Direct Connections

• Proxy Connections

• Data Inventory

• Data Inventory Sanitized version

General information about Google Workspace Proxy Connections

The following table(s) contains detailed examples of the metadata fields available from the Google Calendar API endpoints Worklytics leverages. In order to pseudonymize and sanitize PII and other potentially sensitive data, Worklytics provides access to a Data Loss Prevention (DLP) Proxy, which allows customers to pre-filter metadata, within customer infrastructure, before it is sent to Worklytics for processing.

These are the fields Worklytics recommends but the Worklytics DLP Proxy provides full field-level control and therefore any field may be removed or sanitized.

Field descriptions are taken from third party API documentation, these are maintained on a best effort basis and Worklytics can not guarantee their indefinite accuracy. Please refer to the source API site for the most up-to-date documentation.

To see only the fully sanitized version of this document, click here.

Worklytics requires access to the following API primary endpoints:

Setting

API docs: https://developers.google.com/calendar/api/v3/reference/settings#resource

DLP Proxy docs: Google Calendar

Event

API docs: https://developers.google.com/calendar/api/v3/reference/events#resource

DLP Proxy docs: Google Calendar

Calendar

API docs: https://developers.google.com/calendar/api/v3/reference/calendars#resource

DLP Proxy docs: Google Calendar

Events

API docs: https://developers.google.com/calendar/api/v3/reference/events

DLP Proxy docs: Google Calendar

CalendarList

API docs: https://developers.google.com/calendar/api/v3/reference/calendarList#resource

DLP Proxy docs: Google Calendar

Background

The Worklytics platform collects and analyzes workplace data at the instruction of Customer Organizations on their behalf, in accordance with our , , and any customer agreement / laws / regulations which may supersede those terms. The Customer Organization remains the controller of this data and may instruct Worklytics to halt processing and destroy it at any time.

“Data Connectors” conceptualize the collection of workplace data, representing the connection via which Worklytics will collect data from a single data source.

Connection Approaches

We offer three approaches for connecting a Google Workspace organization (tenant) to the Worklytics platform for analysis:

1. authorization via the . To perform this authorization, an admin of the organization must "install" the Worklytics application listing from the marketplace.

2. authorization via the - To perform this authorization, an admin of the organization perform a Domain-wide Delegation grant to a Client ID of Worklytics.

3. authorization via Google Service Account provided by customer organization - To perform this authorization, the Customer organization must provision a service account in Google Cloud Platform, authorize that service account to access its Workspace data via Domain-wide Delegation, and make a grant (via Google Cloud PLatform IAM) a Worklytics service account permission to impersonate that service account.

The Worklytics web application provides detailed instructions to walk admins through each method for each type of Google Workspace data. Options (2) and (3) are not shown in the web interface by default; please contact Worklytics to enable them for your organization. Option (1) is appropriate for many organizations. Option (2) provides more granular control for customers who are comfortable performing OAuth grants via the Admin Console. Option (3) is substantially more complex, but provides allows for additional logging/monitoring via the customers own Google Cloud Platform infrastructure, which may be desirable. It is recommended only for customers who are already users of Google Cloud Platform are comfortable managing such infrastructure.

How Worklytics Uses Google Workspace Data

The following are some examples of how we use this data:

• email address / personal info - Worklytics uses the email address and personal info (eg, name, profile photo, identity information) of your Google Workspace account and those of users within your Google Workspace organization to 1) provide single-sign-on functionality (SSO), 2) show your name/photo/email to yourself and other members of your organization, 3) match your G Suite identity to other workplace applications.

• Google Workspace Directory data - Worklytics processes directory data for persons and groups (mailing lists, roles, org units, domains, etc) to provide workplace and people analytics services. This data is used to match persons’ identities in Google Workspace with other data sources; to provide groupings of persons for analytics proposes; to understand collaboration between and within groups (eg, whether people are on the same team).

• Calendar and events data - Worklytics processes calendar and event data to provide workplace and people analytics services. You may disable this analysis and request deletion of your organization’s Calendar data stored by Worklytics at any time.

• Drive metadata - Worklytics processes meta-data about G Drive files (not content of files themselves) to provideour workplace and people analytics services. You may disable this analysis and request deletion of your organization’s Calendar data stored by Worklytics at any time.

Worklytics provides a “Data Connections” page to control connections to the above G Suite data sources. Additionally, you can contact support@worklytics.co if you require more advanced controls.

Permissions Required

Whatever authorization approach you choose, the following data scopes are generally required

Google Directory:

• View domains related to customers. 'Customer' here refers to you as the customer. This permission is required to retrieve a list of your domains (https://developers.google.com/admin-sdk/directory/v1/reference/domains/list).

• View groups on your domain Groups may be used as a mechanism to filter data from certain sources; as a unit of aggregation in Worklytics reporting and analysis; and as a data point regarding employees to understand job function / collaboration.

• View group subscriptions on your domain This is the permission that allows us to actually see the group's membership - not just it's name/email addresses/etc.

• View delegated admin roles for your domain Roles may be used as a mechanism to

• View organization units on your domain Organization units may be used as a mechanism to filter data from certain sources; as a unit of aggregation in Worklytics reporting and analysis; and as a data point regarding employees to understand job function / collaboration.

• View delegated admin roles for your domain Roles may be used as a mechanism to filter data from certain sources; as a unit of aggregation in Worklytics reporting and analysis; and as a data point regarding employees to understand job function / collaboration.

• View user aliases on your domain Google workspace users may be invited to meetings, documents, etc using email addresses other than their primary one. Pulling the list of aliases from the directory allows us to properly match this work to the correct user.

• View users on your domain To iterate Google data sources and match that data with other sources, we need to be able to iterate a list of in scope users and access various information about them.

• View your email address This permission is used to sign users into Worklytics; NOTE that it merely allows us to see the identity of a user from your Google organization that attempts to access Worklytics via Google SSO. Access control settings in Worklytics will still limit what functionality, if any, such users may access within the Worklytics web application.

• See your personal info, including any personal info you've made publicly available. Allows us to retrieve user's names and profile; this is used to correctly personalize the experience of users accessing Worklytics with proper names and profile files that match those in the organization's Google Workspace directory.

Google Calendar:

• View your calendars is used to retrieve events, including information such as time, place, mechanism (eg in-person v video chat), attendees, etc. From this data, metrics such as time spent in meetings, collaborators, etc are produced.

• View your calendar settings includes time zone / work day information, which is needed to properly compute metrics such as out-of-hours work, day span, etc.

Google Drive:

• View metadata for files in your Google Drive This includes basic information about files and revisions to those files, but not content. It is used to model what files users edited and when, and how those files were shared within the organization (and thus who collaborators are, etc).

Google Chat:

• Audit Log Chat message sending is parsed from the Google Workspace audit log. These logs do not include message content, but may include PII, user IPs, timestamps, etc.

Google Meet:

• Audit Log Participation in Google Meet video conferences is parsed from the Google Workspace audit log. These logs do not include content, but may include PII, user IPs, timestamps, device information, etc.

Advanced Configuration

Google Workspace connectors support several filtering methods, which may be useful to yoru organization. If specified, only data from collections owned Google users who match these filters will be fetched by Worklytics from the Google Workspace source you're connecting do. NOTE: references to employees outside this group may be found within such data, for example if an in scope user invited an out-of-scope user to a meeting. This is necessary to properly compute the collaboration metrics of the in scope user.

Filter Source by Google Group

Some Google Workspace Connectors support limiting data to a subset of your organization's users by specifying a Google group as a setting on the connector. During the connection flow, you may provide the ID or email address of a Google Group; some connectors require that you use the group ID.

Exclude Users by Email Domain

Some Google Workspace Connectors support limiting data to a subset of your organization's users by specifying a domain as a setting on the connector. During the connection flow, you may provide the domain name, which will will be matched against the primary email address of the user in the Google Workspace Directory.