Overview
When you connect Incydr to Gmail, you grant certain permissions to Incydr in your Gmail environment. This article lists the permissions Incydr requires as well as what those permissions allow Incydr to do in your Gmail environment.
Gmail permissions
Permissions your Google Workspace administrator needs
Incydr uses API client access to connect to and monitor file activity in your Google environment. In order to grant third-party services or applications domain-wide delegation or manage API client access in the Google Admin console, you must be a Google Workspace administrator that has the Super Admin role. Incydr cannot collect data from your Google environment when the connection is authorized by a Google Workspace administrator without this role.
Permissions the Incydr service account needs
When a user emails an attachment, we collect information about the attached file and the sender and recipients for the email. To see this file activity, Incydr requires access to your Gmail environment.
In the configuration steps when you connect Incydr to Gmail, Incydr provides the client ID and scopes for you to enter in your Google Admin console. Incydr uses the following scopes:
https://www.googleapis.com/auth/admin.directory.domain.readonly https://www.googleapis.com/auth/admin.directory.customer.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/gmail.readonly
This set of permissions means Incydr has read-only access to metadata for emails, attached files, and users within that email service. In other words, Incydr cannot make changes to the emails, data, or users in your email environment.
External resources
Google documentation
Comments
Please sign in to leave a comment.