Security
      Back to home
      1. Help Center
      2. Google Workspace
      3. Security

      How to Control API access with domain-wide delegation?

      Domain-wide delegation

      As an administrator, you can use domain-wide delegation of authority to grant third-party and internal applications access to your users' data.

      App developers and administrators can create service accounts with OAuth 2.0. Then, you authorize the service accounts to access your users' data without requiring each user to give consent. Typical apps granted domain-wide delegation:

      • Google Workspace migration and sync tools
      • Internal apps (for example, automation apps) that developers create for your organization. For example, you can delegate access to an application that uses the Calendar API to add events to your users' calendars.
      • Three-legged OAuth apps, which normally require individual user consent. Users activate apps without being prompted for consent, and you can specify the user data that the apps can access.

      To delegate access in the Google Admin console, you add the client ID of the service account or OAuth2 client ID of the app, and then grant access to supported Google APIs (scopes).

      About domain-wide delegation

      Domain-wide delegation is a powerful feature that allows apps to access users' data across your organization's Google Workspace environment. For example, grant domain-wide delegation to a migration app that duplicates user content from another service to Google Workspace. For this reason, only super admins can manage domain-wide delegation, and they must specify each API scope that the app can access.

      Before you begin

      • You need super admin privileges for your Google Workspace account.
      • To add or edit an app, get the following information from the app developer:
        • The client ID of the service account.
        • The list of API scopes requested by the app. Check that the app has an appropriately small scope of access.
      • With domain-wide delegation, the app has access to the data belonging to all of your users. We recommend setting up a regular review of service accounts and deleting any accounts that are no longer in use.

      Set up domain-wide delegation for a client

      • In the Admin console, go to Main menu > Security > Access and data control > API controls > under Domain-wide delegation. 
      • Click Manage Domain Wide Delegation.
      • Click Add new 

      • Enter your service account client ID.
        You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account or in Google Cloud (click IAM & Admin > Service accounts > the name of your service account).
      • Enter the client ID of the service account or the OAuth2 client ID of the app. (Typically, the ID is provided by the developer. If you're the owner of the service account, you can look up the ID.)
      • In OAuth Scopes, add each scope that the application can access (should be appropriately narrow). You can use any of the OAuth 2.0 Scopes for Google APIs. For example, if the application needs domain-wide access to the Google Drive API and the Google Calendar API, enter https://www.googleapis.com/auth/drive and https://www.googleapis.com/auth/calendar.
      • Click Authorize. If you get an error, the client ID might not be registered with Google or there might be duplicate or unsupported scopes.

      • Point to the new client ID, click View details and make sure that every scope is listed.
        If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.

      View, edit, or delete clients and scopes

      As a best practice, periodically check your app's scopes and remove scopes that aren't required or actively used. Also, delete clients you no longer need. For example, remove access to a migration tool after you complete your migration.

      • In the Admin console, go to Main menu > Security > Access and data controlAPI controls.
      • Under Domain-wide delegation, click Manage domain-wide delegation.
      • Click a client name and then choose an option:
        • View details—View the full client name and list of scopes
        • Edit—Add or remove scopes. You can't edit the client ID. Changes should be active within an hour but might take up to 24 hours.
        • Delete—Applications that depend on the client's authorization will immediately stop working.

       

      Please check the below-supporting article for your further reference:

      Control API access with domain-wide delegation - Google Workspace Admin Help