Nudge Security analyzes data from your Google Workspace account to discover and inventory your entire SaaS footprint, including users and OAuth grants. This requires read-only access to your organization's Google Workspace account.
Here's a list of the current Google Workspace permissions Nudge Security uses and how.
We use this to:
Scope for only retrieving organizational units.
Discover all organizational units and associate them to users.
Read all Gmail resources and their metadata—no write operations.
Analyze mailboxes to discover SaaS activity.
Scope for only retrieving users or user aliases.
Discover all available users.
Scope for only retrieving group, group alias, and member information.
Discover all available user groups.
Scope for access to all application-specific password, OAuth token, and verification code operations.
Discover all Oauth tokens.
Read-only access when retrieving an activity report.
Query the Oauth Tokens' activity.
Scope for only retrieving domains.
Discover all valid domains registered to your organization.
View and manage the settings of a G Suite group
Retrieve user group settings.
When you are configuring your workspace, you can paste the following into your service account using a comma separated list as found below: