AWS amazonq medium security documentation change
Summary
Expanded Google Drive connector documentation with role permissions, permission inheritance rules, identity crawling, and failure handling implementation
Security assessment
Details security-relevant features including permission translation, hierarchical access control, and explicit fail-close strategy for API/permission failures. Documents security-critical access role definitions and permission propagation mechanisms.
Diff
diff --git a/amazonq/latest/qbusiness-ug/google-user-management.md b/amazonq/latest/qbusiness-ug/google-user-management.md index e983eaa86..1aa29f45b 100644 --- a//amazonq/latest/qbusiness-ug/google-user-management.md +++ b//amazonq/latest/qbusiness-ug/google-user-management.md @@ -11 +11 @@ Amazon Q Business supports crawling ACLs for document security by default. -When you connect an GoogleDrive data source to Amazon Q Business, Amazon Q Business crawls ACL information attached to a document (user and group information) from your GoogleDrive instance. If you choose to activate ACL crawling, the information can be used to filter chat responses to your end user's document access level. +The GoogleDrive connector for Amazon Q Business crawls 2 primary content types: files and comments. It supports various file formats, including spreadsheets, presentations, images, audio/video files, and Google Docs™. Users can configure the connector to include or exclude comments. @@ -13 +13 @@ When you connect an GoogleDrive data source to Amazon Q Business, Amazon Q Busin -The GoogleDrive group and user IDs are mapped as follows: +**Roles/permissions** : The GoogleDrive connector translates GoogleDrive permissions into ACLs that are compatible with Amazon Q Business. There are four primary roles with permissions: @@ -15 +15,18 @@ The GoogleDrive group and user IDs are mapped as follows: -A Google Workspace Drive data source returns user and group information for Google Drive users and groups. Group and domain membership are mapped to the `_group_ids` index field. The Google Drive username is mapped to the `_user_id` field. + * Owner - Has full control. + + * Editor - Can modify content, update metadata, and add or remove comments. + + * Commenter - Can view content and add comments. + + * Viewer - Has read-only access. + + + + +**Permission Inheritance** : The GoogleDrive connector is designed to detect and handle hierarchical content organization across My Drive and Shared Drives. By default, files and subfolders inherit permissions from parent folders. Comments inherit their permissions from the corresponding file. Permissions can be explicitly modified at either the file or folder level to override inherited settings. In this case, the ACLs are a union of the parent ACLs and child ACLs. + +**Identity Crawling** : Individual user synchronization is supported using email addresses, and domain-wide access is supported using service account authentication. GoogleDrive supports nested groups, meaning that one group can be a member of another. The connector handles complex group structures by flattening group memberships and ensuring that permissions are applied correctly across all levels. + +**Change Management** : ACL changes are supported in both Full Crawl and Incremental/Change Log modes + +**Failure handling** : The connector implements a fail-close approach, meaning that if there are permissions-related issues or API failures, a document is skipped from ingestion rather than being made publicly accessible.