--- title: Google Drive Setup for Enterprise Search deprecated: false hidden: false metadata: keywords: - gdrive - google - drive - search - enterprise - mydrive - private robots: index ---
This page is for the **Google Drive (Next Gen) connector** and it can only be configured within the new enterprise search configuration experience explained below. Please visit [this documentation](/docs/content-integrations) to learn more about Next Gen and Classic connectors. # System Overview Google Drive is your organization’s primary file storage and collaboration platform. From an enterprise search perspective, it is a rich corpus of documents (Docs, Slides, PDFs, etc.) across **Shared Drives**, **My Drive** and **Shared with me**. Moveworks connects to Google Drive to ingest and index content with its metadata and permissions, ensuring users only see results they’re authorized to view. ### Authentication Moveworks supports **two authentication methods**. You will configure **one Moveworks Google Drive connector** using either method based on your requirements. * **OAuth 2.0 – Authorization Code Grant (Recommended)** * Uses a **Custom Super Admin** to authorize Moveworks. * Enables ingestion of **Shared Drives** by default. Private user content (**My Drive** and **Shared with me**) is ingested only after explicit end-user OAuth consent. * Requires a **Client ID** and **Client Secret** from your Google Cloud OAuth app. * **Service Account (without Domain-Wide Delegation)** * Uses a **Service Account key (JSON)** without impersonation. * Ingests Shared Drive files explicitly shared with the Service Account. * Does **not** ingest private user content. ### Permissions Enforcement Moveworks honors Google Drive ACLs end-to-end: * **OAuth 2.0 flow:** * Shared Drive content is ingested under the Custom Super Admin’s access. * **Private content ingestion is opt-in**: A user’s files(**My Drive** and **Shared with me**) are included only if that **specific user** grants consent; results are always filtered by the requester’s effective permissions. * **Service Account (no DWD):** * Only content from **Shared Drives** (explicitly shared with the Service Account) is ingested. * No user impersonation; private user files are **never** ingested. ### Content Types The Google Drive connector for Moveworks supports file-based content including **Docs**, **Slides**, and **PDFs** along with associated metadata such as titles, MIME types, owners, and permissions. # Access Requirements Moveworks supports two authentication methods for connecting to your Google Drive instance—OAuth 2.0 Authorization Code Grant and Service Account without Domain-Wide Delegation. Both methods securely ingest content from Shared Drives; however, Moveworks recommends OAuth 2.0 because it also enables ingestion of private user content with user consent. Choose the option that best aligns with your organization requirements. ## Pre-requisites Before you get started, make sure you have everything you need: 1. **Admin permissions** 1. Google Cloud Console admin access so you can create a Service Account, set up an OAuth 2.0 app, and enable required APIs (Drive API, Admin SDK). 2. Google Admin Console admin access so you can create a Custom Super Admin (for OAuth) and a custom admin role (for the Service Account). 2. **List of Shared Drives to ingest** 1. Prepare a list of all Shared Drives you want Moveworks to index. This helps you grant access efficiently in one go. Add the Service Account email or Custom Super Admin email to each required Shared Drive with the Content Manager role. ## Setting Up Google Cloud Project and APIs Before configuring authentication, you’ll need to create and prepare a Google Cloud Project. All subsequent setup steps (Service Account or OAuth 2.0) will be performed within this project. 1. **Create a New Google Cloud Project** 1. Visit the [Google Cloud Console](https://console.cloud.google.com). 2. Under your organization, click **New Project**. ![](https://files.readme.io/cc19bfd7bcc1d46a936330ae0d649ef6734f0dc6484169f603a270ca49adcfb3-Screenshot_2025-10-29_at_9.40.58_PM.png) 3. Enter a **project name** (for example, Moveworks), select your organization and click **Create**. ![](https://files.readme.io/fcaf7fb9e72240ab6324058f3274b0cee22151725f6fe1d54c894ddc4268b9b2-Screenshot_2025-10-29_at_9.45.35_PM.png) 4. Now that you’ve created your project, the next step is to enable the Google Drive API for it. For all subsequent operations, please make sure you are performing them within the “Moveworks” project, as shown below. ![](https://files.readme.io/b84b71d384ce7c9e2f8e84b7eb6a15f846008a7f54bee144e624344e615dea71-Screenshot_2025-10-29_at_10.14.21_PM.png) 2. **Enable Required APIs** After creating your project, you must enable APIs required for Moveworks integration. 1. Go to **APIs & Services**→ **Library**. ![](https://files.readme.io/630b5f3223bcf0e411bed5baa56cec0c69d88dcebfea1d89dc16faf224da636a-Screenshot_2025-10-29_at_10.21.49_PM.png) 2. Search for and enable the following APIs: 1. Google Drive API 2. Admin SDK API Once enabled, these APIs allow Moveworks to access shared content, read permissions and handle incremental updates. ![](https://files.readme.io/882fb6d574c5bb21bab846777b6b9d23e4b0ca33ffb27f7db80c05b99d78c7da-Screenshot_2025-10-29_at_10.22.55_PM.png) ![](https://files.readme.io/76c2e8c9ef6422716456c154d8f01b504e78be8fe8ce165bbfe5ad4907bdac1d-Screenshot_2025-10-29_at_10.23.20_PM.png) 3. **Generate Credentials** Depending on your authentication method, you’ll generate either an OAuth 2.0 Client or a Service Account key. **Option 1: OAuth 2.0 Authorization Code Grant** The OAuth 2.0 method allows you to ingest shared content by default and optionally include private user content with explicit consent. 1. **Setup Custom Super Admin** You’ll need to create a dedicated **Custom Super Admin** **user** within your Google Workspace domain. This user will be used to authorize the Moveworks connector and access shared content. Steps: 1. Log in to the [Google Admin Console](https://admin.google.com/ac/users) using your Google Workspace admin credentials. 2. Create the dedicated admin user 1. Go to **Directory** → **Users** → **Add new user**. ![](https://files.readme.io/947869de51759efdc4317c10fca92ffc0c1f00262fdd8ba36f2434d61776f9dd-Screenshot_2025-10-29_at_3.48.25_PM.png) 2. Enter the user’s **first name**, **last name**, and **primary email**. 3. (Recommended) Add a recovery/secondary email for account recovery. 4. Choose a password option: **auto-generate a strong password** or **create a password**; store it securely. 5. Click **Add new user**. ![](https://files.readme.io/ace67a63a9493570867ea576f5cbd38b7c91ca14323f032f7df0aa5cb2e25643-Screenshot_2025-10-29_at_4.01.06_PM.png) 6. Keep the new user’s **sign-in email** handy; you’ll assign the Super Admin role in the next step. 3. Assign Super Admin role 1. Go to **Account** → **Admin roles**. ![](https://files.readme.io/84cd8e088421fd2d52a99f6d5393723e5e09c9f5923530b68877bb754c56f498-Screenshot_2025-10-29_at_4.11.32_PM.png) 2. Select **Super Admin**, then open the **Admins** section. 3. Click **Assign users**, enter the user’s sign-in email and click **Assign role**. ![](https://files.readme.io/9ef477e6daa749f197425e0e54b2881aee4a992f7ea634214f370f8ac5b98687-Screenshot_2025-10-29_at_4.16.16_PM.png) 2. **Grant Access to Shared Drives** Grant the Custom Super Admin access to every Shared Drive you want Moveworks to index. 1. In Google Drive, for each required Shared Drive, click Manage members, add the Custom Super Admin’s email and assign **Content Manager** access. 3. **Configure OAuth 2.0 Application** 1. **Configure OAuth Consent Screen:** 1. Visit the [Google Cloud Console](https://console.cloud.google.com) 2. Go to **APIs & Services** → **OAuth Consent Screen** 3. In the **Overview** section, click **Get started**. 4. Under App information, enter: 1. **App name** (e.g Moveworks) 2. **User support email** (e.g Google super admin email) 5. **Audience**: select **Internal** (only users in your Google Workspace domain) 6. Enter your **Google super admin email** under Contact Information. 7. Check the **Google API Services User Data** Policy acknowledgment. 8. Click **Continue**, then **Create**. ![](https://files.readme.io/72ec447ce3402be773392eca514e5862a9158e0b3f9b9fdc1b52e09a3573788e-Screenshot_2025-10-30_at_9.16.33_AM.png) 9. Go to **OAuth Consent Screen** → **Branding** 10. Click **+Add Domain**, then add **moveworks.com** as an authorized domain. 11. Add **Developer contact information** (e.g. Google admin email) 12. Click **Save** ![](https://files.readme.io/539cdb4b3e32f169246fc89c505b9c7ca535ebda83a884ae5a4163b3fab14676-Screenshot_2025-10-30_at_9.33.49_AM.png) 2. **Create OAuth 2.0 Client ID:** 1. Go to **APIs & Services** → **Credentials** → **Create Credentials** → **OAuth Client ID** ![](https://files.readme.io/aa179525f528c6ee88a149f94ff67b6bde87d62539f58915f0f79090dfd16eaf-Screenshot_2025-10-30_at_9.20.08_AM.png) 2. Application Type: Web Application 3. OAuth 2.0 client Name: Moveworks App 4. Add Redirect URI's mentioned below: 1. [https://www.moveworks.com](https://www.moveworks.com) 2. **https://``.moveworks.com/auth/oauthCallback** Replace `` with with your Moveworks organization name. (e.g.[https://acme.moveworks.com/auth/oauthCallback](https://acme.moveworks.com/auth/oauthCallback)) 5. Once complete, a confirmation modal should display your **client ID** and **client secret**. Download the **JSON** file to a secure environment (e.g. your work laptop). ![](https://files.readme.io/7879a189fc0bda585e0e99c64d3170ec5eee7e9645f16a16bb97de6722fd4539-Screenshot_2025-10-30_at_9.24.08_AM.png) 4. **Connect Moveworks to Google Drive (Manual OAuth Setup)** The OAuth 2.0 authorization process for Google Drive is performed manually by your administrator. This process generates a refresh token for your Custom Super Admin account, which must later be entered in the Moveworks Setup Dashboard during connector configuration. Follow the steps below to generate and verify your OAuth credentials. **Step 1: Initiate OAuth 2.0 Authorization Code Flow** You will manually initiate the OAuth flow to authorize your Custom Super Admin user account and retrieve an authorization code. 1. **Construct the Authorization URL** Use the following Google OAuth 2.0 Authorization endpoint and scopes: ``` https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/drive.readonly%20https://www.googleapis.com/auth/admin.directory.user.readonly%20https://www.googleapis.com/auth/admin.directory.group.member.readonly%20https://www.googleapis.com/auth/admin.directory.group.readonly&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.moveworks.com&client_id=YOUR_CLIENT_ID&prompt=consent ``` 2. **Why These Scopes Are Required** When initiating the OAuth 2.0 Authorization Code Flow, Moveworks requests the following scopes to ensure comprehensive ingestion of Google Drive content and accurate permissions mapping.
Scope Purpose
[https://www.googleapis.com/auth/drive.readonly](https://www.googleapis.com/auth/drive.readonly) Grants Moveworks read-only access to files, folders, and shared drives. This enables ingestion of metadata and file content without the ability to modify or delete any data.
[https://www.googleapis.com/auth/admin.directory.user.readonly](https://www.googleapis.com/auth/admin.directory.user.readonly) Allows Moveworks to read user information (e.g., names, emails, org units) to associate Drive permissions with actual users in your workspace.
[https://www.googleapis.com/auth/admin.directory.group.readonly](https://www.googleapis.com/auth/admin.directory.group.readonly) Enables Moveworks to read Google Groups used in Drive ACLs (e.g., “[Engineering@company.com](mailto:Engineering@company.com) ”), ensuring proper permissions enforcement during search.
[https://www.googleapis.com/auth/admin.directory.group.member.readonly](https://www.googleapis.com/auth/admin.directory.group.member.readonly) Provides visibility into group memberships so Moveworks can determine which users have access through nested group permissions.
3. **Authorize and Retrieve the Authorization Code** 1. Open the constructed URL in a new browser tab. 2. Sign in using your Custom Super Admin credentials. 3. Grant the requested permissions when prompted. 4. After successful authorization, Google will redirect you to: 1. [https://www.moveworks.com/?code=AUTHORIZATION_CODE](https://www.moveworks.com/?code=AUTHORIZATION_CODE) 2. Copy the authorization **code** value from the URL — you’ll need it in the next step. ![](https://files.readme.io/b795258ddfa71ec732c0aa762ee6f0652c3024fd0f78b1901acd3490eaa8c4c7-Screenshot_2025-11-05_at_3.40.57_PM.png) **Step 2: Exchange Authorization Code for Access & Refresh Tokens** Use the authorization code to obtain the access token and refresh token. You can perform this request using cURL or Postman. POST Request: ```curl curl --location 'https://oauth2.googleapis.com/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=authorization_code' \ --data-urlencode 'code=AUTHORIZATION_CODE' \ --data-urlencode 'redirect_uri=https://www.moveworks.com' \ --data-urlencode 'client_id=YOUR_CLIENT_ID' \ --data-urlencode 'client_secret=YOUR_CLIENT_SECRET' ``` **Parameters Explained:** 1. **grant_type**: Always **authorization_code** 2. **code**: The authorization code obtained from Step 1 3. **redirect_uri**: Must be [https://www.moveworks.com](https://www.moveworks.com) 4. **client_id**: Client ID from your Google Cloud OAuth app 5. **client_secret**: Client Secret from your Google Cloud OAuth app Save the **refresh_token** securely — it will be required when configuring the Moveworks connector. 5. **Testing Your OAuth App Refresh Token Access (Optional)** You can verify that your refresh token and scopes work correctly before proceeding. 1. **Get Access Token Using Refresh Token** Use your saved refresh token to generate a new access token. POST Request: ```curl curl --location 'https://oauth2.googleapis.com/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --user 'YOUR_CLIENT_ID:YOUR_CLIENT_SECRET' \ --data-urlencode 'grant_type=refresh_token' \ --data-urlencode 'refresh_token=YOUR_REFRESH_TOKEN' ``` **Sample Response:** ``` { "access_token": "ya29.a0AfH6SMAHhC_SomeNewAccessToken", "expires_in": 3600, "token_type": "Bearer" } ``` 2. **Validate API Access** Once you have a valid access token, test your setup using the following sample API calls. 1. **List Files** ```curl curl --location 'https://www.googleapis.com/drive/v3/files' \ --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \ --get \ --data-urlencode 'pageSize=100' \ --data-urlencode 'fields=nextPageToken,files(id,name,mimeType,owners(emailAddress,displayName))' \ --data-urlencode 'includeItemsFromAllDrives=true' \ --data-urlencode 'supportsAllDrives=true' ``` Once you have successfully hit the /files API and retrieved a file list, copy one of the returned file IDs and use it in the following cURL request to validate file-level permissions. 2. **Get File Permissions** ``` curl --location 'https://www.googleapis.com/drive/v3/files/FILE_ID/permissions' \ --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \ --get \ --data-urlencode 'fields=permissions(id,type,role,emailAddress,domain,allowFileDiscovery)' \ --data-urlencode 'supportsAllDrives=true' ``` 3. **List Users** ``` curl --location 'https://admin.googleapis.com/admin/directory/v1/users' \ --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \ --get \ --data-urlencode 'customer=my_customer' \ --data-urlencode 'maxResults=100' \ --data-urlencode 'orderBy=email' \ --data-urlencode 'projection=full' ``` 4. **List Groups** ``` curl --location 'https://admin.googleapis.com/admin/directory/v1/groups' \ --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \ --get \ --data-urlencode 'customer=my_customer' \ --data-urlencode 'maxResults=100' ``` **Option 2: Service Account without Domain-Wide Delegation** Use this method to ingest Shared Drives and files explicitly shared with a Service Account — no user impersonation or consent required. 1. **Create Service Account ** 1. Visit the [Google Cloud Console](https://console.cloud.google.com) 2. Go to **IAM & Admin** → **Service Accounts**. 3. Click **Create Service Account**. 1. Name it (e.g., moveworks-drive-bot) ![](https://files.readme.io/aabe69d2f868b93dff8dc470a0a5a4f5403e807c61cb85105c6f8d710755c333-Screenshot_2025-10-30_at_10.39.53_AM.png) ![](https://files.readme.io/0335c3847078988a4d8fb2c04195cb74b1bca604fd724cc34d081d2721fbd731-Screenshot_2025-10-30_at_10.43.50_AM.png) 2. Assign the role **Project → Editor** (can be reduced later). ![](https://files.readme.io/a6394a2fd8feabf742ea5d1ef3e0f15452d836fad318b309c891cd1e4a41d7e1-Screenshot_2025-10-30_at_10.46.22_AM.png) 4. Select the newly created service account → **go to Keys** → **Add Key** → **Create new key** → **JSON**. 1. Click **Create** and save the downloaded JSON file securely. ![](https://files.readme.io/0d578166011935e5ee6ab27bd73054745d791af49d0181db1efdd3dc02f0f1fb-Screenshot_2025-10-30_at_10.55.25_AM.png) 2. **Create Custom Admin Role** 1. Log in to the [Google Admin Console](https://admin.google.com/ac/users) using your Google Workspace admin credentials. 2. Go to **Account** → **Admin roles** → **Create new role**. ![](https://files.readme.io/03ad7078ffc39939aff93f11ea83f9bb13cd6be0857651fb76d48ddc66d4c80d-Screenshot_2025-10-30_at_10.59.53_AM.png) 3. Enter the role info: 1. **Name**: Moveworks 2. **Description**: Read users, groups, and organizational units ![](https://files.readme.io/817d1363d52291b57ee594b042ec9fbea68f36207a742e1ffac7266fc4ac1617-Screenshot_2025-10-30_at_11.20.22_AM.png) 4. Under **Admin API Privileges**, grant: 1. Organization Units → Read 2. Users → Read 3. Groups → Read 5. Click **Continue**, then **Create role**. ![](https://files.readme.io/38e74159ee734fc2fa0f28db4894f57eaed8b52f7a713cd21c6b3169e86a059e-Screenshot_2025-10-30_at_11.07.24_AM.png) 6. Assign the service account to the role 1. Open the custom role you created. 2. Click **Assign service accounts**. ![](https://files.readme.io/0bab26c2d63972186956f642e6eeda8670fd0ef74e45ff4a6068783341779589-Screenshot_2025-10-30_at_12.21.46_PM.png) 3. Enter the service account email. 4. Click **Add**, then **Assign role**. ![](https://files.readme.io/ae63384ed19634dd0909fb2a46e440bd35921d3e8b21650c25c5794a3ded2ecc-Screenshot_2025-10-30_at_12.29.10_PM.png) 3. **Customer ID Reference** When using the Service Account without Domain-Wide Delegation, Moveworks also requires your **Google Workspace Customer ID** to look up user and group metadata via the Admin SDK endpoints (/users and /groups). This value ensures that Moveworks can correctly associate Drive permissions with your organization’s directory users and groups during Enterprise Search configuration. **How to Find Your Customer ID** 1. Log in to [https://admin.google.com/](https://admin.google.com/) using your **Super Admin** account. 2. Go to **Account** → **Account Settings** → **Profile**. 3. Under Account Information, locate your **Customer ID** — it usually starts with a capital C followed by a string of letters and numbers (for example, C03ab4xyz). 4. Save this value securely; Moveworks will request it when setting up Enterprise Search for Google Drive. 4. **Grant Shared Drive Access** 1. Log in to Google Drive as a user with access to the required Shared Drives. 2. Click each Shared Drive → Manage Members → Add the Service Account email. 3. Assign **Content Manager** permissions. # Setup in Moveworks ## Connector Creation 1. Log in to your org's MyMoveworks portal 2. Navigate to **Moveworks Setup** > **Connectors** > **Built-in Connectors** 3. Click **Create New** 4. Search and Select **Google Drive (Next Gen)** 5. Click on **Next: Add Creds** 6. Choose your Authentication Type and fill in the fields as described below. ### **Option 1: OAuth 2.0 – Refresh Token Grant (Recommended)** This method enables ingestion of **Shared Drives** and optionally, **private user content** (when end-user consent is granted). Fill out the following fields: 1. **Connector Name** — Name this connector for your reference. Once set, this name cannot be changed. 2. **Client ID** — The Client ID from your Google Cloud OAuth 2.0 app credentials, used for authorization. 3. **Client Secret** — The Client Secret from your Google Cloud OAuth 2.0 app credentials, used to securely exchange tokens. 4. **Refresh Token** — The Refresh Token generated during the OAuth 2.0 flow for your **Custom Super Admin** account. ### **Option 2: Service Account Authentication without Domain-Wide Delegation** This method ingests content only from **Shared Drives** or files explicitly shared with the Service Account. It does **not** impersonate users or ingest private user data. Fill out the following fields: 1. **Connector Name** — Name this connector for your reference. Once set, this name cannot be changed. 2. **Service Account Email** — The email ID of your Service Account (`@.iam.gserviceaccount.com`). 3. **Private Key File Upload** — Upload a `.pem` file that contains only the **private key** (without any line breaks). ### Example Conversion Steps 1. Open the JSON file in a text editor (e.g., VS Code or Notepad++). 2. Copy the string under `"private_key"`. 3. Remove all `\n` line breaks so the key becomes a single continuous line. 4. Save the result in a new file named `gdrive_private_key.pem`. 1. **Example .pem File Content** ``` -----BEGIN PRIVATE KEY----- MIIE*********gboAj4 JIKS*********nmoOsk -----END PRIVATE KEY----- ``` ## Configuring Google Drive for Enterprise Search ### Initialising setup 1. Log in to your org's MyMoveworks portal 2. Navigate to **Moveworks Setup** > **Answers** > **Ingestion** > **Enterprise Search** 3. Click on **Create New** or **Get Started** 4. Select **Google Drive** from the dropdown list and click on **Get Started** 5. You will be redirected to the Google Drive ingestion overview page. In the overview page, you will find few info blocks and few configuration blocks. 1. System Overview: This presents an overview of Google Drive support from Moveworks 2. Ingestion Summary: This provides information on the count of records that has been ingested and serving. The values will appear after the first successful ingestion run. 3. Connector Selection: In this configuration block, you are required to select the required connector to enable Moveworks to connect and fetch data 4. Content Selection: In this configuration block, you are required to define the content that should be ingested within Moveworks ![](https://files.readme.io/2e992517d9f130d9cdf1f0b470b3a26fb63fa77b2a18fbc53cb44f68d4a744e0-Screenshot_2025-11-05_at_8.05.28_PM.png) ### Connector selection and validation 1. Once you click on **Select Connector**, a connector setup screen will appear as follows ![](https://files.readme.io/1e9d80b1271b25f85efc231017eac77fd68352eb088fb6761bb8b7fc82b0b323-Screenshot_2025-11-05_at_8.18.26_PM.png) 2. Select the connector (from the dropdown) that you have created in the Connector Creation step. Please note: Only the Google Drive (Next Gen) connectors will appear in this list. 3. Once the connector is selected, you need to click on **Start Validation** to validate the connector credentials and required scope. **Connector Validation** This is a mandatory step in order to save the configuration and move to the next step. Moveworks validates the selected connector to check: * Auth: Moveworks validates if the connector has right credentials to authenticate * Content: Moveworks validates if connector has right scopes to fetch content * Permissions: Moveworks validates if connector has right scopes to fetch user permissions * Users: Moveworks validates if connector has right scopes to fetch user data * Groups: Moveworks validates if connector has right scopes to fetch user groups data. If you’re using **Service Account authentication**, make sure to enter your **Google Workspace Customer ID** before starting validation. This allows Moveworks to verify user and group access correctly. ![](https://files.readme.io/931d99a6881f076c62704720c28f0a972ccb3278ddba89e56571982bc0cee6e2-Screenshot_2025-11-05_at_8.32.16_PM.png) 4. If the connector is validated successfully, you will see a green info banner as follows ![](https://files.readme.io/5ae6061fd6def3a5606d110b73b9e4595da61fca5aaffa545b987ca04b1305dc-Screenshot_2025-11-05_at_8.44.47_PM.png) 1. If there are any credentials or scope issues, you will receive an error message. Click on **View Details** to identify the issue. Refer to this **step-by-troubleshoot guide** (link to be added) to rectify any validation errors. 5. Once the connector is validated successfully, you will be able to **Save** the configuration. 1. Input the unique configuration name and **Save**. 2. Once the configuration is saved, you can view the unique configuration name at the top of the screen. You can also click the pencil :pen: icon to edit the configuration name. ![](https://files.readme.io/13be6bae9576680997364b0d77fd9c54c39e7bd0f258452c5f0d1fcd34974b67-Screenshot_2025-11-05_at_8.46.32_PM.png) 3. Additionally, you will start seeing an entry of your configuration in the Enterprise Search home page. You can click on your configuration to go to edit/ complete the configuration. ![](https://files.readme.io/061053c8e7cee7607e57ff51c859e8db068fddab4db8989d05e09fb513c4b240-Screenshot_2025-11-05_at_8.47.32_PM.png) ### Content Selection Once the connector selection step is complete and the configuration is saved, you will now be required to define the scope of content that will be ingested in Moveworks. 1. Once you click on **Select Content**, a content selection screen will appear as follows ![](https://files.readme.io/0de86a9d2be7c8f4df2df5b1511a0c2f503689a93c622766f57164d9485bf2e7-Screenshot_2025-11-05_at_9.00.58_PM.png) 2. In this screen, you are required to define the Shared Drives from which Moveworks will ingest content and apply filters (optionally) to filter down the content further. 3. **Shared Drive Selection:** This is a mandatory configuration. This configuration defines which shared drives Moveworks will crawl and ingest content from. As an admin, you get three option 1. **Only selected shared drives** (Recommended): Moveworks will ingest content only from the specified shared drives. **When to choose this option?** Choose this option if you want content to be served only from a subset of Shared Drives that are accessible to the Service Account or Custom Super Admin. For example — let’s assume your Service Account or Custom Super Admin has access to 15 Shared Drives, but you only want Moveworks to index 5 of them. In that case, choose this method. **Important Note**: The Service Account (or Super Admin account used for OAuth) must have **Content Manager** access to each specified Shared Drive in order for Moveworks to crawl it successfully. **How to configure?** Enter comma-separated Shared Drive IDs or names in the configuration field. 2. **All except selected** Moveworks will ingest content from all shared drives except the ones specified. **When to choose this option?** Choose this option if you want Moveworks to index almost all Shared Drives except a few shared drives. For example — let’s assume your Service Account or Custom Super Admin has access to 60 Shared Drives, but you want Moveworks to index only 58 of them. Choose this method and specify the 2 drives you want to exclude. **Important Note**: The Service Account (or Super Admin account used for OAuth) must have **Content Manager** access to each specified Shared Drive in order for Moveworks to crawl it successfully. **How to configure?** Enter comma-separated Shared Drive IDs or names in the configuration field. 3. **All Shared Drives**: Moveworks will ingest content from all applicable shared drives. **When to choose this option?** Choose this option if you want Moveworks to index content from **every Shared Drive** available to your Service Account or Custom Super Admin. For example — if your Service Account or Custom Super Admin has access to 20 Shared Drives and you want content from all 20 to be searchable, this method is the simplest choice. **Important Note**: The Service Account (or Super Admin account used for OAuth) must have **Content Manager** access to each specified Shared Drive in order for Moveworks to crawl it successfully. **How to configure?** Select this option. You are not required to specify Shared Drive IDs in this case. 4. **Additional Filters**: Use these filters to narrow the content ingestion scope further. Only records matching ALL of the the specified criteria will be included. Currently following filters are supported: 1. **Modified date:** Use this filter to include only those content records whose Modified date is after a specified date. 2. **Created date**: Use this filter to include only those content records whose Created date is after a specified date. Note: We support **absolute** dates only. Relative ranges (e.g., “last 7 days,” “older than 1 year”) **are not supported**. ![](https://files.readme.io/bcbd6af0e01577379a4e0e74cc324499017eafecbb5c9b442a3d9a0988efe8e0-Screenshot_2025-11-05_at_9.06.54_PM.png) ### Save and Start Ingestion Once Shared Drives selection is configured, you have two options: 1. **Save**: Clicking this will just save the configuration and not initiate the first ingestion crawl. Use this option, if you would want to complete your configuration in multiple sessions/ sittings. 1. Once you click on Save, you will be redirected to the Google Drive overview screen 2. You will notice a banner that prompts you to Start Ingestion ![](https://files.readme.io/983cf7f402a94314d93cf513b5c7cb6643188c28374a6d667692315a5d63f04c-Screenshot_2025-11-05_at_9.16.37_PM.png) 3. Once you are satisfied with your configuration, you can click on **Start Ingestion** 4. A confirmation popup will come that provides a summary of the configuration ![](https://files.readme.io/f35967058b0bf66964cd7947b0e951810df63671fb0db3082a194f4f33a4bd7e-Screenshot_2025-11-05_at_9.17.31_PM.png) 5. Click on **Confirm** 6. After you click on Confirm, ingestion will start shortly. 7. For the first crawl to complete, this generally takes anywhere from few hours to 48 hours depending upon the size of the data. 2. **Save and Start Ingestion**: Click this option if you have completed and validated your content selection configuration and you are ready to initiate the first ingestion crawl. 1. A confirmation popup will come that provides a summary of the configuration ![](https://files.readme.io/836b72a1f550ccfd85da678042e498d78bdbc4e0e944806b9655d7bb8919d31d-Screenshot_2025-11-05_at_9.17.31_PM.png) 2. Click on **Confirm** 3. After you click on Confirm, ingestion will start shortly. **Important Note for Admins**: * It generally takes anywhere from few hours to 48 hours for the first crawl to complete depending upon the size of the data. * You can review the status of ingestion via Data Ingestion Viewer and view ingested record in the **Ingested File** and **Ingested Knowledge** screens.
# Troubleshooting Guides This section helps you resolve common issues related to credentials or scopes when validating your Google Drive connector in Enterprise Search configuration. **Note:** The troubleshooting steps apply to both Service Account and OAuth 2.0 authentication methods unless explicitly mentioned in the steps. ## Invalid Credentials ### Error Message(s): * "Validation failed: Invalid credentials or missing required scopes." ### Possible Cause(s): * Incorrect or missing authentication credentials * Expired or invalid tokens * Configuration mismatch between authentication methods ### Resolution Steps: Check Connector Configuration: * Navigate to Moveworks Setup > Connectors > [Your Google Drive Connector] * Review the authentication method and required fields: * For Service Account (without Domain-Wide Delegation): * Confirm whether **Service Account Email** is correct * Verify **Private Key** is properly formatted and valid * Ensure the private key matches the service account * For OAuth 2.0: * Check **Client ID** is correct * Verify **Client Secret** is correctly entered * Confirm **Refresh Token** is valid * For any credential issues: Contact your Google Workspace administrator to verify service account setup or OAuth application configuration. ## Missing Required Scopes ### Content **Error Message(s):** * "Validation failed: Invalid credentials or missing required scopes." **Possible Causes(s)** * Service Account or custom super admin account not added to any shared drives * No files present in your Google Drive content system **Resolution Steps** Test your Google Drive connector in API Playground 1. Navigate to Moveworks Setup > Connectors > API Playground 2. Import the Google Drive connector used for Enterprise Search 3. Test the files API endpoint (with query parameters included): 1. Shared Ingestion: `/drive/v3/files?corpora=allDrives&supportsAllDrives=true&includeItemsFromAllDrives=true` 2. Private Ingestion: `/drive/v3/files?q='me'+in+owners` 4. Verify Results: 1. **Expected response:** List of files returned in the API response 2. **If no files returned:** Check that files exist in the shared drives and the service account or custom super admin account have been added to the drives 3. **If API call fails:** Check connector authentication and configuration settings ### Permissions **Error Message(s):** * "Validation failed: Invalid credentials or missing required scopes." **Possible Causes(s)** * Insufficient permissions: Service Account or custom super admin account has viewer access instead of the required content manager access on shared drives * Service Account or custom super admin account not added to any shared drives * No files present in your Google Drive content system **Resolution Steps** 1. Verify Service Account Permissions 1. Navigate to Google Drive > Shared drives ![](https://files.readme.io/9051ddc255dfa996c384b31767788912f151393384fb98feff57af88b1167c59-image.png) 2. Select a shared drive where you granted Service Account access ![](https://files.readme.io/ca2f67c17b6b7efbfbc07be677b56d86f24ada715d0926385c29112d4dbf61b5-image.png) 3. Click Manage members ![](https://files.readme.io/f892ad61ee9e1429957a3b5640dac5f3729804fec2c73bb387a284270e6aea73-image.png) 4. Confirm the Service Account has Content manager access (not just viewer) ![](https://files.readme.io/e812a6b2458c072ef2b5b2fc403005c5fbe8af763df6b59b3dc8e2655bfdd8ba-image.png) 2. Test File Access 1. Go to Moveworks Setup > Connectors > API Playground 2. Import the Google Drive connector used for Enterprise Search 3. Fetch content with files API endpoint (with query parameters): `/drive/v3/files?corpora=allDrives&supportsAllDrives=true&includeItemsFromAllDrives=true` cURL for reference ``` curl --location 'https://www.googleapis.com/drive/v3/files?corpora=allDrives&supportsAllDrives=true&includeItemsFromAllDrives=true' \ --header 'Authorization: Bearer {{auth_token}}' ``` 4. Copy the `id` of any file from the API response 5. Fetch permissions for the file with the permissions API endpoint: `/drive/v3/files/{{id}}/permissions?supportsAllDrives=true` cURL for reference ``` curl --location 'https://www.googleapis.com/drive/v3/files/{{id}}/permissions?supportsAllDrives=true' \ --header 'Authorization: Bearer {{auth_token}}' ``` 3. Verify Results 1. **Expected response:** List of permissions in returned in the API response 2. **If no files returned:** Check that files exist in the shared drives and Service Account has proper access 3. **If API call(s) fail:** Check connector authentication and configuration settings ### Groups **Error Message(s):** * "Validation failed: Invalid credentials or missing required scopes." **Possible Causes(s)** * Insufficient scopes: `groups > read` scope not included in the admin console (only for Service Account auth method) * Service Account not assigned proper admin roles (only for Service Account auth method) * Super admin role not assigned to the customer user account created (only for Oauth 2.0 auth method) * No groups present in the Google Drive content system * No group members present in groups **Resolution Steps** 1. Check Admin Role Assignment: 1. Go to **Google Admin Console > Account > Admin roles** 2. Verify the Service Account has been assigned **`groups > read`** in the custom admin role (created following the Moveworks access requirements guide) 2. Test Groups API Access: 1. Go to **Moveworks Setup > Connectors > API Playground** 2. Import the Google Groups connector used for Enterprise Search 3. Test the groups API endpoint: `/groups?customer={{customer_id}}` and copy the group email ID of the first group cURL (for Service Account without Domain Wide Delegation) ``` curl --location 'https://admin.googleapis.com/admin/directory/v1/groups?customer={{customer_id}}' \ --header 'Authorization: Bearer {{auth_token}}' ``` cURL (for Oauth 2.0 with refresh token grant) ``` curl --location 'https://admin.googleapis.com/admin/directory/v1/groups?customer=my_customer' \ --header 'Authorization: Bearer {{auth_token}}' ``` 4. Test the group members: cURL for reference ``` curl --location 'https://admin.googleapis.com/admin/directory/v1/groups/{{email}}/members' \ --header 'Authorization: Bearer {{auth_token}}' ``` 3. Verify Results * **Expected response:** List of groups returned in the API response * **If 403 Forbidden:** Check admin role assignments * **If 200 OK but no groups:** Verify groups exist in your Google Workspace * **If 200 OK but no group members:** Please add google members in your Google Workspace * **If API call(s) fail:** Check connector authentication and configuration settings ### Users **Error Message(s):** * "Validation failed: Invalid credentials or missing required scopes." **Possible Causes(s)** * Insufficient scopes: `users > read` scope not included in the admin console (only for Service Account auth method) * Service Account not assigned proper admin roles (only for Service Account auth method) * Super admin role not assigned to the customer user account created (only for Oauth 2.0 auth method) * No users present in the external system **Resolution Steps** 1. Check Admin Role Assignment: * Go to **Google Admin Console > Account > Admin roles** * Verify the Service Account has been assigned **`users > read`** in the custom admin role (created following the Moveworks access requirements guide) * Ensure the Service Account has permissions to read user information 2. Test Users API Access: 1. Go to **Moveworks Setup > Connectors > API Playground** 2. Import the Google Users connector used for Enterprise Search 3. Test the users API endpoint: `/admin/directory/v1/users?customer={{customer_id}}` cURL for reference (for Service Account without Domain Wide Delegation) ``` curl --location 'https://admin.googleapis.com/admin/directory/v1/users?customer={{customer_id}}' \ --header 'Authorization: Bearer {{auth_token}}' ``` cURL for reference (for Oauth 2.0 with refresh token grant) ``` curl --location 'https://admin.googleapis.com/admin/directory/v1/groups?customer=my_customer' \ --header 'Authorization: Bearer {{auth_token}}' ``` 3. Verify Results: * **Expected response:** List of users returned in the API response * **If 403 Forbidden:** Check scopes and admin role assignments * **If 200 OK but no users:** Verify users exist in your Google Workspace * **If API call(s) fail:** Check connector authentication and configuration settings