Why This Happens

  • Glean uses a Google service account with Domain‑wide Delegation (DWD) to index Drive content so it’s searchable. With DWD, the service account can impersonate authorized Workspace users to read files they already have access to, allowing the connector to index content across your domain while honoring existing Drive permissions. You can read more about Domain-wide Delegation here.
  • To extract content from Google‑native files, Glean calls the Drive export API (for example, drive.files.export). Google counts these automated reads as Download events, even though no one is manually downloading files.
  • Access is read‑only and always respects Drive ACLs—Glean only indexes content users already have permission to access.

What’s Not Happening

  • These entries do not, by themselves, indicate that a user manually downloaded files; they reflect the automated, read‑only export step used for indexing.

Common reasons you might see many events for one user

  • The user owns a large number of files, and routine incremental or periodic crawls touched many of them in a short period.
  • Frequent edits to owned documents triggered many re‑crawls (each edit sends a webhook that initiates re‑indexing).
  • Bulk changes (for example, renaming a folder with many files, moving a large directory, changing sharing on a parent folder) triggered re‑indexing of all affected files.

Recommendations to reduce confusion

  • If you notice sudden spikes, validate document changes with the user before concluding there’s unusual access.
  • Remember that high‑ownership users, frequent edits, or bulk changes can legitimately generate many indexing events in a short time.

FAQ

Why do events appear under a specific user?
Glean’s service account uses Domain‑wide Delegation and must impersonate a Workspace user; Google logs that user as the actor. Why is the method drive.files.export and the action “Download”?
The Drive API exports Google‑native content so it can be indexed. Google records that export as a Download event. Does this indicate data exfiltration?
Not by itself. These entries typically reflect automated crawling that respects Drive permissions. Why are there thousands of events in a short window?
Common causes include many edits, bulk changes like folder rearrangements, or a user owning many files that were re‑crawled.
If you’d like us to review specific audit log entries, please contact Glean Support with timestamps and example document IDs.