Integrations and automated evidence are typically managed by workspace admins.
See Evidence & audits for how automated evidence fits
alongside manual evidence.
What it’s used for
Keldyn uses the data it reads from Google to keep the evidence for your access-management controls current. Each nightly refresh updates the evidence and the freshness status shown on the integration’s Controls covered table. The integration contributes evidence to these ISO 27001 controls:| Control | Topic | Coverage |
|---|---|---|
| A.8.3 — Information access restriction | Who can access what | Full |
| A.5.15 — Access control | Role/entitlement assignments | Full |
| A.5.16 — Identity management | Account roster and lifecycle | Full |
| A.8.5 — Secure authentication | Strong-authentication posture and sign-in factors | Full |
| A.8.2 — Privileged access rights | Privileged entitlements and grants | Full |
| A.8.18 — Use of privileged utility programs | Just-in-time privileged access | Full |
| A.5.18 — Access rights | Removing access (suspended/deleted accounts) | Partial |
| A.5.3 — Segregation of duties | Point-in-time role snapshot | Partial |
Full coverage means the data is the artifact the control asks for.
Partial coverage means the data usefully contributes but does not, on its
own, replace everything the control requires (for example, A.5.18 also needs
provisioning/deprovisioning records and access-certification results). Keldyn
labels partial coverage in the auto-generated evidence so it isn’t mistaken for
complete coverage.
Before you begin
Sign in with the right Google account
You connect with your own Google account using OAuth. Keldyn only ever reads
what that signed-in account can already access — connecting does not grant
Keldyn org-wide access.
Use a Google Workspace admin for full coverage
Reading the identity inventory, 2-Step Verification posture, and sign-in
audit logs requires the signed-in user to be a Google Workspace admin. If
you connect with a non-admin account, IAM and privileged-access evidence
still works, but identity and authentication controls will show Access
required.
Set up the integration
Connect
Select Connect and complete the Google sign-in and consent screen. Review
the requested read-only scopes and approve them.
What data Keldyn collects and why
Keldyn requests read-only access and never writes to your Google environment. It collects only the data below, and only to build control evidence.| Data collected | What it contains | Why Keldyn collects it | Refresh |
|---|---|---|---|
| IAM policy role bindings | Which users, groups, and service accounts hold which roles, on which projects/resources | Shows who has access and what they can do — the core evidence for access-restriction and access-control | Daily |
| Identity lifecycle inventory | The account roster with status (active, suspended, deleted) plus create/suspend/delete lifecycle events, including suspendedAt/deletedAt timestamps | Evidences identity management, and shows access being removed for leavers | Daily |
| 2-Step Verification enforcement | Whether strong authentication is enforced and how many identities are enrolled | Evidences the authentication posture required for secure authentication | Daily |
| Sign-in audit logs | Which authentication factor was actually satisfied at log-on | Confirms secure authentication is working in practice, not just configured | Daily |
| Privileged Access Manager entitlements and grants | Privileged entitlements and just-in-time access grants | Evidences privileged access rights and use of privileged utilities | Daily |
Permissions and scopes
Keldyn requests these OAuth scopes. All are read-only.| Scope | Purpose |
|---|---|
openid, email, profile | Identify the signed-in Google user |
cloud-platform | Project discovery, IAM policy reads, and Privileged Access Manager reads |
admin.directory.user.readonly | Workspace identity inventory and 2-Step Verification posture (requires a Workspace admin) |
admin.reports.audit.readonly | Sign-in audit logs and identity lifecycle audit events (requires a Workspace admin) |
Google’s Privileged Access Manager only accepts the full
cloud-platform
scope, not a read-only variant. Keldyn still performs only read operations with
it.Troubleshooting “Access required”
A control shows Access required when your connected account is missing the matching permission, isn’t a Workspace admin, or the relevant API isn’t enabled. For example:resourcemanager.projects.getIamPolicyis needed for IAM role bindings.privilegedaccessmanager.entitlements.listis needed for privileged access.- Workspace-admin rights are needed for identity inventory and 2-Step Verification.
Keeping evidence current
Keldyn refreshes Google evidence automatically each day. Evidence that hasn’t refreshed within its expected cadence is marked stale, and failed pulls are marked failed so you can spot gaps. You can also trigger an immediate refresh at any time with Sync now.Next steps
Evidence & audits
Learn how automated integration evidence works alongside manual evidence and
audits.