Audit Third-party Google Workspace Apps
With the GAT+ you can audit and set policies for additional apps running in your Google Workspace (Google Apps) environment.
These third-party Google Workspace apps are given permission to access user data via API access which users enable once installing those apps.
GAT+ provides two different audit areas to analyze this information.
In User audit, Application Tab.
In the Side Menu of GAT+ select the ‘Users’ audit and then the Applications Tab
You can then search for any user, group or OU to focus on a subset of users.
This will list by email and name showing the number of apps each user has granted API access to.
You can click on the Apps column heading to sort by the number of apps installed for each user.
Clicking on the number in this column takes you directly through to the Applications audit section to view further details.
For more of an in-depth look of 3rd party apps, navigate to the Applications audit section.
The Applications tab within the Application audit section will display the name of the apps installed, the scope they’ve been given, scope risk score(where we give a score based on the risk involved) required by the application.
Low – This is where the applications require just the basic access, the medium is where more access is required.
High – This is where full access is required like access to drive content, email content, and directory contacts.
From this page, you can search for apps under a wide range of criteria. For any given app you can set a number of policy conditions, these are for both enforcement and classification.
Apps can be:
Banned: You can Ban an application for individual users by entering their email addresses or you can use Google Groups or Organisation Units to cover multiple users at once.
A Ban policy will prevent in real-time the cloud-based application from gaining access to the API permission it once had. GAT+ will block the access of the Third-party app to your APIs.
Note: Users can manually enable these permissions again once the app is launched. GAT+ will detect this in real-time and once and disable those permissions once more.
Trusted: GAT+ checks the Ban and if there are Trust apps then they will be used to remove users from the Ban.
For example: If you ban an app for /Sales team, but trust the app for just one user who is part of the /Sales team, the ban rule will skip this account.
A single app can be both partially banned and partially trusted.
All other apps remain unclassified.
To create a policy for an application, click on the ‘+’ button.
The default policy setting is ‘Ban’.
Select which users will be covered by this policy.
When the policy is ready click ‘Save’ to have it enforced.
To Remove policy, click the ‘bin’ at the end of each individually named policy to remove that policy.