Google is improving the ability to control access to Google Workspace data by third-party and domain-owned apps. The new app access control feature will update the interface and controls in the Google Workspace Admin console to help you search for, research, and control apps using OAuth2 to access Google Workspace data.
Specifically, app access control will replace the current API Permissions feature to help you:
- Find: Identify apps being used and see which have been verified to access restricted OAuth2 scopes.
- Assess: Understand which apps are being used and get support information about them.
- Control: Manage what data each app can access and which users are empowered to use it.
Why it matters
Google Workspace has a robust developer ecosystem, with thousands of apps available via the Google Workspace Marketplace and directly to customers, and a rich API framework enabling customers to develop custom apps. Not all apps, however, will conform to every enterprise customer’s security policy, so Google’s customers and partners value controls to manage third-party apps accessing Google Workspace data.
With app access control, you can have better visibility into the third-party apps your users have approved to access their Google Workspace data, and you can reduce any risk to your company data by limiting access to trusted apps.
How to get started
- Admins: Find the new app access control features at Admin Console > Security > App Access Control. This replaces the prior “API Permissions” feature. All admins with Security privileges can access it. See the Google Help Center to learn how to manage OAuth-based access to connected apps.
- End users: No action needed.
Find: Identify apps being used and see which have been verified for access to restricted OAuth2 scopes.
The new interface will help you see which apps and Google services are being used. Also, Google previously announced that it now blocks new installs for unverified third-party apps that access Gmail data, unless you trust them in the Admin console. You can now use Google’s app details page to verify apps’ trusted status.
Assess: Research the risk profile for the app and its developer or publisher.
Control: Manage what data each app can access and which users are empowered to use it.
You’ll also be able to adjust whether you trust or limit apps accessing Google Workspace data via OAuth2 scopes.
With these new controls, you now have an easier way to restrict access to APIs (OAuth2 scopes) for Google services such as Gmail, Drive, and the Admin console.
Please note that this does not cover domain-wide delegation and service accounts. These continue to be managed with the Manage API Client Access page on the Security menu.
The Advanced Protection Program can add extra protections for high-risk users.
The Advanced Protection Program for enterprise, which was announced in general availability, helps you enforce a set of enhanced security policies for the employees in your organization who are most at risk for targeted attacks. Once users self-enroll, the program enforces an app access control policy (it will automatically block applications that require restricted Gmail and Drive access unless they are explicitly trusted by the admins) as well as other policies. These include the use of security keys, enhanced email scanning for threats, and download protections in Google Chrome.
- Rapid Release domains: Gradual rollout (1–15 days for feature visibility) starting on November 21, 2019
- Scheduled Release domains: Gradual rollout (1–15 days for feature visibility) starting on November 21, 2019
Google Workspace editions
Available to all Google Workspace editions
On/off by default?
This feature will be ON by default for all Google Workspace domains.