Overview
This document outlines the integration between Opensense and Google Workspace Directory. The integration is limited to read-only access and is used solely to retrieve user metadata to populate dynamic, personalized email signatures within the Opensense platform.
🔐 Important: Although the Opensense Marketplace app includes a broad set of permissions, only directory-related scopes are authorized and utilized in this deployment.
Integration Components
Component | Description |
---|---|
App Name | Opensense (formerly SenderGen) |
Source | Google Workspace Marketplace |
Publisher | Opensense Inc. |
Purpose | Retrieve directory metadata for email signature personalization |
Integration Type | OAuth 2.0 via scoped API access (read-only) |
Data Flow | One-way: Google Workspace ➜ Opensense |
Purpose of Access
The integration reads user and group metadata from Google Directory to support:
Signature Personalization: Insert user-specific fields (e.g., full name, title, phone) into templated HTML signatures.
Group-based Logic: Apply signature variations based on group memberships (e.g., different designs for Sales and Support teams).
OU-based Filtering: Use organizational units (OUs) to define user targeting or inclusion rules.
Authorized API Scopes (Read-Only)
Only the following Directory API scopes are granted:
Permission | Purpose |
---|---|
View groups on your domain | Identify group memberships to assign the correct signature template. |
View organizational units on domain | Allow filtering or targeting based on user's OU placement. |
See user info on your domain | Pull user attributes like name, title, department, etc. |
📌 All granted scopes are strictly read-only and limited to metadata essential for visual signature generation.
Excluded Permissions (Not Utilized)
Although presented during app installation, the following permissions are not authorized, granted, or used:
Manage Gmail settings
Access sensitive mail settings
Control mail routing
Filter or delegate Gmail
Access Gmail message content
These are default scopes in the Opensense app manifest but are explicitly excluded during deployment via scoped OAuth configuration.
Security & Access Controls
Access Control
Integration is authorized and managed by a Google Workspace Super Admin.
Permissions are enforced using granular OAuth scope control via the Admin Console.
App access is restricted to read-only Directory API endpoints.
No Access to Email Content or Controls
Opensense cannot view, alter, or route email messages.
The platform has no access to Gmail accounts, settings, or message data.
Data Handling
Data is accessed through secure, encrypted API calls (TLS).
No data is written back to Google Workspace; Opensense processes only non-sensitive metadata for display purposes.
Revocation and Audit
Admins can revoke access anytime:
Admin Console → Security → Access and Data Control → API Controls
Audit logs and app access reviews are supported natively in Google Admin settings.
IT Security Review Checklist
Confirm Scoped Access
Validate that only the three Directory API scopes listed above are authorized.
Review Admin Approval
Ensure the Marketplace app is approved and restricted by a Super Admin.
Review Access Control Settings
Confirm that permissions to Gmail or sensitive settings are not enabled.
Enable Audit Logging
Consider enabling API access logs for periodic internal compliance reviews.
Request OAuth Scope Summary (Optional)
Contact Opensense or your admin for a detailed list of active scopes if needed for internal audit or SOC 2/ISO 27001 reviews.
Review Vendor Security Documentation
Reference: Opensense Security Overview
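The "Confirm Scoped Access" and "Review Access Control Settings" items can be checked mechanically against an export of the app's grants. The script below is an added example, not Opensense or Google code: it assumes grant records shaped like the Admin SDK Directory API Token resource (`displayText`, `userKey`, `scopes`) and that the three permissions in the table correspond to the `.readonly` scope URLs in `ALLOWED`; the sample records and client IDs are constructed.

```python
BASE = "https://www.googleapis.com/auth/"
# Assumption: scope URLs corresponding to the three permissions in the table above.
ALLOWED = frozenset({
    BASE + "admin.directory.group.readonly",    # View groups on your domain
    BASE + "admin.directory.orgunit.readonly",  # View organizational units on domain
    BASE + "admin.directory.user.readonly",     # See user info on your domain
})


def is_gmail_scope(scope):
    """True for any Gmail API scope, including the full-mailbox scope."""
    return scope.startswith(BASE + "gmail.") or scope.rstrip("/") == "https://mail.google.com"


def audit_grant(grant):
    """Compare one grant's scopes with the allowlist and classify deviations."""
    scopes = {s.strip() for s in grant.get("scopes", []) if s.strip()}
    extra = scopes - ALLOWED
    return {
        "userKey": grant.get("userKey"),
        "extra": sorted(extra),                      # anything outside the allowlist
        "gmail": sorted(s for s in extra if is_gmail_scope(s)),
        "writable": sorted(s for s in extra if s + ".readonly" in ALLOWED),
        "missing": sorted(ALLOWED - scopes),         # explains sync failures
        "compliant": not extra,
    }


def audit(grants, display_text="Opensense"):
    """Audit every grant whose displayText matches the app name."""
    return [audit_grant(g) for g in grants if g.get("displayText") == display_text]


# Constructed sample shaped like Directory API Token resources; IDs are placeholders.
SAMPLE = [
    {"clientId": "PLACEHOLDER.apps.googleusercontent.com", "displayText": "Opensense",
     "userKey": "admin-a", "scopes": sorted(ALLOWED)},
    {"clientId": "PLACEHOLDER.apps.googleusercontent.com", "displayText": "Opensense",
     "userKey": "admin-b", "scopes": [BASE + "admin.directory.user",
                                      BASE + "gmail.settings.basic",
                                      BASE + "admin.directory.group.readonly"]},
    {"clientId": "OTHER.apps.googleusercontent.com", "displayText": "Other app",
     "userKey": "admin-a", "scopes": ["https://mail.google.com/"]},
]

if __name__ == "__main__":
    for result in audit(SAMPLE):
        print(result)
```

A grant is reported as non-compliant when it carries any scope outside the allowlist; the `writable` field singles out the read-write variant of an allowed Directory scope, which is easy to miss when reviewing scope lists by eye.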
Troubleshooting & Support
App not syncing users? Check that organizational units or groups are accessible to the app.
Unexpected permissions? Reverify scopes in Admin Console under “Apps → App Access Control.”
Need assistance? Reach out to Opensense support for integration guidance or reconfiguration help.