Manage apps accessing G Suite data with new app access control

This announcement was made at Google Cloud Next ‘19 UK. Check out Next OnAir to tune into the livestream or watch session recordings following the event.


What’s changing 

We’re improving your ability to control access to G Suite data by third-party and domain-owned apps. The new app access control feature will update the interface and controls in the G Suite Admin console to help you search for, research, and control apps using OAuth2 to access G Suite data.

Specifically, app access control will replace the current API Permissions feature to help you:
  • Find: Identify apps being used and see which have been verified to access restricted OAuth2 scopes. 
  • Assess: Understand which apps are being used and get support information about them. 
  • Control: Manage what data each app can access and which users are empowered to use it. 


Who’s impacted 

Admins only

Why it matters 

G Suite has a robust developer ecosystem, with thousands of apps available via the G Suite Marketplace and directly to customers, and a rich API framework enabling customers to develop custom apps. Not all apps, however, will conform to every enterprise customer’s security policy, so our customers and partners value controls to manage third-party apps accessing G Suite data.

With app access control, you can have better visibility into the third-party apps your users have approved to access their G Suite data, and you can reduce any risk to your company data by limiting access to trusted apps.

How to get started 




Additional details 


Find: Identify apps being used and see which have been verified for access to restricted OAuth2 scopes. 

The new interface will help you see which apps and Google services are being used. Also, we previously announced that we now block new installs for unverified third-party apps that access Gmail data, unless you trust them in the Admin console. You can now use our app details page to verify apps’ trusted status.


App access control - Apps page 


Assess: Research the risk profile for the app and its developer or publisher. 

You’ll be able to see more details about each app and its publisher or developer. This will include the developer’s support email, privacy policy, and Terms of Service (if available). In addition, if the app is verified, we will show you this information here. This information can help you decide whether to trust/allow or block/limit an app.

App details page 


Control: Manage what data each app can access and which users are empowered to use it. 

You’ll also be able to adjust whether you trust or limit apps accessing G Suite data via OAuth2 scopes. 
With these new controls, you now have an easier way to restrict access to APIs (OAuth2 scopes) for Google services such as Gmail, Drive, and the Admin console.

Please note that this does not cover domain-wide delegation and service accounts. This continues to be managed with the Manage API Client Access page on the Security menu.


App access control - changing access levels for an app 


The Advanced Protection Program can add extra protections for high-risk users. 

The Advanced Protection Program for enterprise, that we announced in general availability today, helps you enforce a set of enhanced security policies for the employees in your organization who are most at risk for targeted attacks. Once users self-enroll, the program enforces an app access control policy—it will automatically block applications that require restricted Gmail and Drive access unless explicitly trusted by the admins—as well as other policies. These include the use of security keys, enhanced email scanning for threats, and download protections in Google Chrome. Find out more about the Advanced Protection Program for enterprise here.

Helpful links 




Availability 

Rollout details 


G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default for all G Suite domains.

Stay up to date with G Suite launches