Google Workspace Directory Permissions

Overview

This document outlines the integration between Opensense and Google Workspace Directory. The integration is limited to read-only access and is used solely to retrieve user metadata to populate dynamic, personalized email signatures within the Opensense platform.

🔐 Important: Although the Opensense Marketplace app includes a broad set of permissions, only directory-related scopes are authorized and utilized in this deployment.

Integration Components

| Component | Description |
| --- | --- |
| App Name | Opensense (formerly SenderGen) |
| Source | Google Workspace Marketplace |
| Publisher | Opensense Inc. |
| Purpose | Retrieve directory metadata for email signature personalization |
| Integration Type | OAuth 2.0 via scoped API access (read-only) |
| Data Flow | One-way: Google Workspace ➜ Opensense |

Purpose of Access

The integration reads user and group metadata from Google Directory to support:

  • Signature Personalization: Insert user-specific fields (e.g., full name, title, phone) into templated HTML signatures.

  • Group-based Logic: Apply signature variations based on group memberships (e.g., different designs for Sales and Support teams).

  • OU-based Filtering: Use organizational units (OUs) to define user targeting or inclusion rules.

Authorized API Scopes (Read-Only)

Only the following Directory API scopes are granted:

| Permission | Purpose |
| --- | --- |
| View groups on your domain | Identify group memberships to assign the correct signature template. |
| View organizational units on domain | Allow filtering or targeting based on user's OU placement. |
| See user info on your domain | Pull user attributes like name, title, department, etc. |

📌 All granted scopes are strictly read-only and limited to metadata essential for visual signature generation.

Excluded Permissions (Not Utilized)

Although presented during app installation, the following permissions are not authorized, granted, or used:

  • Manage Gmail settings

  • Access sensitive mail settings

  • Control mail routing

  • Filter or delegate Gmail

  • Access Gmail message content

These are default scopes in the Opensense app manifest but are explicitly excluded during deployment via scoped OAuth configuration.

Security & Access Controls

Access Control

  • Integration is authorized and managed by a Google Workspace Super Admin.

  • Permissions are enforced using granular OAuth scope control via the Admin Console.

  • App access is restricted to read-only Directory API endpoints.

No Access to Email Content or Controls

  • Opensense cannot view, alter, or route email messages.

  • The platform has no access to Gmail accounts, settings, or message data.

Data Handling

  • Data is accessed through secure, encrypted API calls (TLS).

  • No data is written back to Google Workspace; Opensense processes only non-sensitive metadata for display purposes.

Revocation and Audit

  • Admins can revoke access anytime:
    Admin Console → Security → Access and Data Control → API Controls

  • Audit logs and app access reviews are supported natively in Google Admin settings.

IT Security Review Checklist

  1. Confirm Scoped Access
    Validate that only the three Directory API scopes listed above are authorized.

  2. Review Admin Approval
    Ensure the Marketplace app is approved and restricted by a Super Admin.

  3. Review Access Control Settings
    Confirm that permissions to Gmail or sensitive settings are not enabled.

  4. Enable Audit Logging
    Consider enabling API access logs for periodic internal compliance reviews.

  5. Request OAuth Scope Summary (Optional)
    Contact Opensense or your admin for a detailed list of active scopes if needed for internal audit or SOC 2/ISO 27001 reviews.

  6. Review Vendor Security Documentation
    Reference: Opensense Security Overview
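
For checklist step 1, an added example (not Opensense or Google code) that checks an exported list of granted scopes against the three read-only Directory scopes and labels anything else. The scope URLs are an assumed mapping of the permission names in the table above; the JSON export shape and the app name are constructed for illustration.

```python
import json

PREFIX = "https://www.googleapis.com/auth/"

# Assumption: the three permissions in the table above correspond to these
# read-only Admin SDK Directory scopes (groups, organizational units, users).
ALLOWED = {
    PREFIX + "admin.directory.group.readonly",
    PREFIX + "admin.directory.orgunit.readonly",
    PREFIX + "admin.directory.user.readonly",
}

def classify(scope):
    """Label one granted scope URL against the read-only allowlist."""
    if scope in ALLOWED:
        return "ok"
    if scope + ".readonly" in ALLOWED:
        return "directory-write"  # write-capable form of an allowed scope
    if scope.startswith(("https://mail.google.com", PREFIX + "gmail.")):
        return "gmail"  # mail content or mail settings access
    return "unexpected"

def audit(granted):
    """Return findings for every scope outside the allowlist, plus gaps."""
    scopes = {s.strip() for s in granted if s.strip()}
    findings = {s: classify(s) for s in sorted(scopes) if classify(s) != "ok"}
    return {
        "passed": not findings,
        "findings": findings,
        "missing": sorted(ALLOWED - scopes),  # may break sync; not a violation
    }

# Constructed sample export; the JSON shape is hypothetical.
SAMPLE = json.loads("""
{
  "app": "example-signature-app",
  "scopes": [
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/calendar.readonly"
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE["scopes"]), indent=2))
```

A non-empty "findings" map means the grant is broader than the three scopes; "missing" entries point to the sync problems covered under Troubleshooting.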

Troubleshooting & Support

  • App not syncing users? Check that organizational units or groups are accessible to the app.

  • Unexpected permissions? Reverify scopes in Admin Console under “Apps → App Access Control.”

  • Need assistance? Reach out to Opensense support for integration guidance or reconfiguration help.