Google Workspace Advanced Permissions
OAuth Scopes
The following tables summarize all OAuth scopes and permissions required for the Google Workspace adapter in Axonius.
Google Cloud APIs to Enable
| API | When to Enable | Required For Scopes |
|---|---|---|
| Admin SDK API | Always | All admin.directory.* and admin.reports.* scopes |
| Cloud Identity API | If using Cloud Identity features | cloud-identity.devices.readonly, cloud-identity.groups |
| Chrome Management API | If enriching browser extensions | chrome.management.reports.readonly |
| Chrome Policy API | If enriching browser policies | chrome.management.policy.readonly |
| Google Calendar API | If fetching calendars | calendar |
| Groups Settings API | If fetching group settings | apps.groups.settings |
| Service Usage API | If fetching usage reports | admin.reports.usage.readonly |
| Enterprise License Manager API | If fetching licenses | apps.licensing |
Permissions for Connection Settings
Additional permissions
| Connection Name | Scope | API |
|---|---|---|
| Get OAuth Apps | admin.directory.user.security | Admin SDK API |
| Fetch Cloud Identity Devices | cloud-identity.devices.readonly | Cloud Identity API |
| Fetch Chrome Browsers | admin.directory.device.chromebrowsers.readonly | Admin SDK API |
| Fetch Calendars | calendar | Google Calendar AP |
Permissions for Advanced Configurations
Configuration Name | Scope | API |
|---|---|---|
Fetch MDM Devices |
| Admin SDK API |
Fetch ChromeOS Devices |
| Admin SDK API |
Fetch user groups |
| Admin SDK API |
Enrich Groups settings |
| Groups Settings API |
Fetch user roles |
| Admin SDK API |
Fetch Disk Usage |
| Admin SDK API + Service Usage API |
Fetch Licenses |
| Enterprise License Manager API |
Fetch User Audit Logs |
| Admin SDK API |
Fetch Extensions |
| Chrome Management API |
Fetch Settings (Policies) |
| Chrome Policy API |
Fetch Cloud Identity Device Users |
| Cloud Identity API |
Fetch Applications (OAuth) |
| Admin SDK API |
Scopes to Copy and Paste
These are the scopes that you can copy and paste.
Minimum Scopes to Copy
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonlyRecommended for Standard Use to Copy
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.customer.readonly,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/cloud-identity.devices.readonly,
https://www.googleapis.com/auth/admin.reports.usage.readonly,
https://www.googleapis.com/auth/apps.groups.settingsAll Cyber Asset Scopes with Axonius SaaS Application to Copy
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.customer.readonly,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/cloud-identity.devices.readonly,
https://www.googleapis.com/auth/admin.reports.usage.readonly,
https://www.googleapis.com/auth/apps.groups.settings,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/cloud-identity.groups,
https://www.googleapis.com/auth/chrome.management.reports.readonly,
https://www.googleapis.com/auth/chrome.management.policy.readonly,
https://www.googleapis.com/auth/chat.admin.spacesRoles
To create the least privileged role, when the Admin role is not provided.
-
In the Admin Privileges section, select the following permissions:
-
Organization Units
>Read -
Users
>Read -
Security
- User Security Management (select this)
- Control Security Settings
>Read and Write
-
Domain Management
>(select this) -
Reports
>(select this)
-
-
Expand the Services section and select the following permissions:
- Directory settings
>Settings - Looker Studio
>Manage Data Studio Settings - Sites
>Manage Google Sites - Google Vault
>View All Matters - Calendar
>All Settings>Settings - Data Security
>Access Level Management - Data Security
>Rule Management - Classroom
>Settings - Google Chat
>Settings (Read and Modify) - Directory Sync
>Manage Directory Sync Settings>Read Directory Sync Settings - Google Hangouts
>Settings - YouTube
>Manage YouTube Settings - Google Meet
>Manage Meet Settings - Pinpoint
>Admin settings for Pinpoint - Contacts
>Contacts Settings Message>Delegates Read - Currents
>Settings - Gmail
>Settings - Groups for Business
>Settings - Cloud Search
>Settings - Shared device settings
>Parent privilege for Managing all common device configurations>Manage all common device configurations - Mobile Device Management
>Manage Devices and Settings - Drive and Docs
>Settings - Google Workspace Marketplace
>Manage access to allowlisted apps - Alert Center
>Full access>View access - Jamboard
>Manage Jamboard Settings - Chrome Management
>Settings>Manage User Settings - Chrome Management
>Settings>Managed Browsers>Read - Chrome Management
>Settings>Manage Printers - Chrome Management
>Settings>Manage Chrome OS Devices>Manage Chrome OS Devices (read only) - Chrome Management
>Settings>Manage Chrome OS Device Settings - App Maker
>Settings - Google Cloud Print
>Cloud Print Manager
- Directory settings
-
Expand the Services
>Security Center section:-
Ensure that the user has full administrative rights for VirusTotal
>View Report. -
Ensure that the user has full administrative rights for the following Investigation Tool related permissions:
- Gmail
>View Metadata and Attributes - Drive
>View Metadata and Attributes - Device
>View Metadata and Attributes - User
>View Metadata and Attributes - OAuth
>View Metadata and Attributes - Rule
>View Metadata and Attributes - Chrome
>View Metadata and Attributes - Meet
>View Metadata and Attributes - Groups
>View Metadata and Attributes - Voice
>View Metadata and Attributes - Calendar
>View Metadata and Attributes - Admin
>View Metadata and Attributes - Activity Rules
>View
- Gmail
-
In the Admin API Privileges section, select the following permissions:
- Organization Units
>Read - Users
>Read - Groups
>Read - User Security Management
- Schema Management
>Schema Read - License Management
>License Read - Billing Management
>Billing Read - Domain Management
- Domain Allowlist Management
>Domain Allowlist Read.
Enforcement Center Actions (Write Scopes)
| Enforcement Area | Scope | Purpose |
|---|---|---|
| User management | admin.directory.user | Add, remove, suspend users, change OU, reset cookies |
| Group management | admin.directory.group | Add/remove users from groups |
| Role management | admin.directory.rolemanagement | Create/delete role assignments |
| Send Chat messages | chat.messages.create | Send Google Chat messages |
| Browser management | admin.directory.device.chromebrowsers | Move Chrome browsers to OU |
| Device management | cloud-identity.devices | Delete Cloud Identity devices |