Nudge Security analyzes data from your Google Workspace account to discover and inventory your entire SaaS footprint, including users and OAuth grants. This requires read-only access to your organization's Google Workspace account.
Here's a list of the Google Workspace permissions Nudge Security currently uses and how it uses each one.
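| Name | Description | We use this to: |
| --- | --- | --- |
| https://www.googleapis.com/auth/admin.directory.orgunit.readonly | Scope for only retrieving organizational units. | Discover all organizational units and associate them to users. |
| https://www.googleapis.com/auth/gmail.readonly | Read all Gmail resources and their metadata—no write operations. | Analyze mailboxes to discover SaaS activity. |
| https://www.googleapis.com/auth/admin.directory.user.readonly | Scope for only retrieving users or user aliases. | Discover all available users. |
| https://www.googleapis.com/auth/admin.directory.group.readonly | Scope for only retrieving group, group alias, and member information. | Discover all available user groups. |
| https://www.googleapis.com/auth/admin.directory.user.security | Scope for access to all application-specific password, OAuth token, and verification code operations. | Discover all OAuth tokens and allow the user to revoke them. |
| https://www.googleapis.com/auth/admin.reports.audit.readonly | Read-only access when retrieving an activity report. | Query the OAuth tokens' activity. |
| https://www.googleapis.com/auth/admin.directory.domain.readonly | Scope for only retrieving domains. | Discover all valid domains registered to your organization. |
| https://www.googleapis.com/auth/apps.groups.settings | View and manage the settings of a G Suite group | Retrieve user group settings. |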
When you configure your workspace, you can paste the following comma-separated list of scopes into your service account:
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/gmail.readonly,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/apps.groups.settings
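
To confirm that the scope string granted to the service account matches the list above, the following check compares the two. It is an added example, not Nudge Security's code: the function names are hypothetical, both sample strings are constructed, and the `.readonly` test is a name-based heuristic.

```python
"""Audit a pasted domain-wide delegation scope string (added example)."""
from collections import Counter

PREFIX = "https://www.googleapis.com/auth/"
# The eight scopes listed on this page, written without the common prefix.
EXPECTED = frozenset(PREFIX + s for s in (
    "admin.directory.user.readonly",
    "admin.directory.user.security",
    "admin.directory.orgunit.readonly",
    "admin.directory.group.readonly",
    "gmail.readonly",
    "admin.reports.audit.readonly",
    "admin.directory.domain.readonly",
    "apps.groups.settings",
))

def parse_scopes(pasted):
    """Split on commas and any whitespace so line-wrapped pastes parse cleanly."""
    return pasted.replace(",", " ").split()

def audit(pasted):
    """Compare a granted scope string with EXPECTED and flag broader scopes."""
    counts = Counter(parse_scopes(pasted))
    granted = set(counts)
    return {
        "missing": sorted(EXPECTED - granted),
        "unexpected": sorted(granted - EXPECTED),
        "duplicates": sorted(s for s, n in counts.items() if n > 1),
        # Heuristic: a scope name without the .readonly suffix is not limited to reads.
        "not_readonly": sorted(s for s in granted if not s.endswith(".readonly")),
    }

# Constructed sample: the page's list as pasted, one scope per line.
AS_DOCUMENTED = ",\n".join(sorted(EXPECTED))
# Constructed sample of drift: user.readonly swapped for the read-write
# admin.directory.user scope, and domain.readonly left out.
DRIFTED = ", ".join(
    sorted(EXPECTED - {PREFIX + "admin.directory.user.readonly",
                       PREFIX + "admin.directory.domain.readonly"})
    + [PREFIX + "admin.directory.user"]
)

if __name__ == "__main__":
    for name, sample in (("as documented", AS_DOCUMENTED), ("drifted", DRIFTED)):
        print(name)
        for key, values in audit(sample).items():
            print(f"  {key}: {values}")
```

Run against the documented list, `not_readonly` reports the two scopes whose names lack the `.readonly` suffix, which are the ones to review most closely when approving the grant.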