How IT professionals can control Google Workspace Permissions & Scopes (Gmail, Google Calendar, Google Meet, etc.)

Sometimes you don’t want JobScore to access Google Workspace programs, often for security & compliance reasons.  This means you’ll need to restrict access to some Google services for some users.

There are multiple ways to do this, but before we get into them, here’s a summary of the top concerns we’ve heard from employers about letting JobScore access their data:

Common Concerns

Calendar read and write access:  JobScore shows people’s free/busy information and allows people to schedule interviews. To keep things simple, JobScore respects all of Google’s built-in calendar data-access controls.

  • Example: If user 1 tries to see user 2’s free/busy status to schedule an interview, JobScore only shows the information user 1 can normally see in their Google Calendar
  • So, if you have calendar permissions set up the way you want, everything should be fine as JobScore mirrors what’s already happening in Google Calendar.
  • JobScore does not store any externally created event data in the system. Events are only shown to registered users so they can find available interview timeslots.

Email read access: JobScore uses the gmail.readonly scope to facilitate collaboration and create a “single source of recruiting truth” by synchronizing the emails exchanged between your employees and candidates.  This means everyone involved in the hiring process can easily see the correspondence other people have exchanged with a candidate, making recruiting faster, easier, and less error-prone.  The ability for JobScore to read emails is turned OFF by default.  Individual users must specifically choose to turn it on.

  • Example: If user 1 has email sync turned on, the messages they exchange with candidates will appear in JobScore, so user 2 can see the emails sent back and forth between user 1 and candidates.  Normally user 2 would be unaware of these messages because they would be locked up in user 1’s Gmail.
  • The concerns here are typically twofold:

Access control options

To control access, first you’ll need to decide which app you want to use:

  • The Google Account App, which enables integrations for all users on your domain who use JobScore. 
  • The Google User App, which is individually installed by each user.  The User App is missing some unique features your team may need.

If you install the Account App for everyone: 

  • You can turn off email sending and reading on the Edit Google Account Settings page in JobScore.
    • If you turn things off in this way JobScore will still have access to related scopes, but they will not be used, and the JobScore features they power are turned off.  So, for instance, if you aren’t sure if you need email features, this method allows business users to turn features on and off easily with a click.  Users with the owner and admin access levels can adjust these settings here >>
  • You can turn off specific scopes for all users in the Google console.
    • This allows IT departments to prohibit JobScore from using specific APIs no matter what anyone does.  Choose this option if you need a bulletproof mechanism to ensure JobScore can’t access specific data or perform specific actions. To complete this step you’ll need to first identify which Account App permission to remove. Read the instructions here >>
  • You can control which users can use JobScore platform integrations using Organizational Units.
    • This gives IT teams granular control over which users’ data can be accessed by JobScore.  For instance, you could turn integrations on for people in the HR and Sales departments and leave out the executive team.  The downside of this approach is that if someone needs to use the integrations and they are not in the appropriate group, they’ll need to ask someone in the IT department to make a change. Read the instructions here >>

If you prefer to have your team install the User App one by one:

  • Users with the owner access level can control which scopes are granted on the Control Google User App Scopes page in JobScore:
    • This allows you to block every user from granting access to a specific scope if needed.  Start by identifying which User App Permissions you want to remove, then update the User App scopes on this page in JobScore.
    • If the user app was installed prior to your restricting scopes in this way, you’ll likely want to remove the app for them and ask them to reinstall the app with restricted scopes.
  • You can turn off specific scopes for the user app in the Google console.
    • This allows IT departments to prohibit JobScore from using specific APIs no matter what anyone does.  Choose this option if you need a bulletproof mechanism to ensure JobScore can’t access specific data or perform specific actions.
    • If you do this, you must also do the first option.

Account App Permissions

The JobScore Google Account App requests the following permissions by default:

| Scope | Description | URL to insert |
| --- | --- | --- |
| Admin SDK API | View calendar resources on your domain | https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly |
| Admin SDK API | See info about users on your domain | https://www.googleapis.com/auth/admin.directory.user.readonly |
| Calendar API | See, edit, share, and permanently delete all the calendars you can access using Google Calendar | https://www.googleapis.com/auth/calendar |
| People API | See and download your contacts | https://www.googleapis.com/auth/contacts.readonly |
| Google Drive API | See, edit, create, and delete only the specific Google Drive files you use with this app | https://www.googleapis.com/auth/drive.file |
| Gmail API | View your email messages and settings | https://www.googleapis.com/auth/gmail.readonly |
| Gmail API | Send email on your behalf | https://www.googleapis.com/auth/gmail.send |
| Google OAuth2 API | See your primary Google Account email address | https://www.googleapis.com/auth/userinfo.email |
| Google OAuth2 API | See your personal info, including any personal info you've made publicly available | https://www.googleapis.com/auth/userinfo.profile |

User App Permissions

The JobScore Google User App requests the following permissions by default.  It is important to note that individual users must choose to grant access to permissions for applications to work for them.

| Scope | Description | URL to insert |
| --- | --- | --- |
| Admin SDK API | View calendar resources on your domain | https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly |
| Admin SDK API | See info about users on your domain | https://www.googleapis.com/auth/admin.directory.user.readonly |
| Calendar API | See, edit, share, and permanently delete all the calendars you can access using Google Calendar | https://www.googleapis.com/auth/calendar |
| People API | See and download your contacts | https://www.googleapis.com/auth/contacts.readonly |
| Google Drive API | See, edit, create, and delete only the specific Google Drive files you use with this app | https://www.googleapis.com/auth/drive.file |
| Gmail API | View your email messages and settings | https://www.googleapis.com/auth/gmail.readonly |
| Gmail API | Send email on your behalf | https://www.googleapis.com/auth/gmail.send |
| Google OAuth2 API | See your primary Google Account email address | https://www.googleapis.com/auth/userinfo.email |
| Google OAuth2 API | See your personal info, including any personal info you've made publicly available | https://www.googleapis.com/auth/userinfo.profile |
| Google OAuth2 API | Associate you with your personal info on Google | openid |

How to revoke Google permissions for the Account App

Step 1

If you have already installed the Google Account App, please uninstall it from the JobScore Google Marketplace listing here.  If you are unsure if it’s installed, visit the JobScore marketplace listing to verify that.  Once you’ve verified the account app is not installed on your domain, proceed to step 2.

Step 2

Start by logging into the Google Admin Console > Domain-wide Delegation page and click on "Add New."

Step 3

In the "ClientID" field, paste this value: 130512864914-5444fgei1nk5r4hajn8s5vo50vdbv317.apps.googleusercontent.com

In the "OAuth Scopes (comma-delineated)" field, you need to input the scopes you authorize the JobScore Account App to use, separated by commas.  Start by copying and pasting this list (which contains all the scopes), delete those you wish to revoke/not let JobScore use, then submit the form.

https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/contacts.readonly,https://www.googleapis.com/auth/drive.file,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/gmail.send,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile

How to revoke Google permissions for the User App

If you want to turn off a specific scope in your account please visit this page: Control Google User App Scopes

Here you can flip the switch for the particular scopes that you don’t want JobScore to be able to access.

When users install the app, they’ll only be granting access to the scopes you selected.

If you are concerned with folks who have already granted access to specific scopes, you have two choices.

  1. You can click the button to bulk-uninstall the User App for everyone.  When you do this, everyone in your account will be prompted to re-install the Google User App (with the correct scopes).
  2. You can log into the Google administrative console and turn off access for JobScore to specific scopes.  If you do this, current users won’t have to re-install the app and no one will be able to access the scope through JobScore no matter what happened in the past, or what happens in the future. This can be done in the administrative console on this page: 

Step 1

To begin, you'll need to log in to the Google Admin Console > Manage third-party app access. From there, click on "Add app." Here, click OAuth App Or Client ID.

Search for either "JobScore User" or the Client ID associated with the JobScore User app. Once you find it, click on the "Select" button.

866243254769-m7l8tv2am7j9te1n35itj5m701ac2gif.apps.googleusercontent.com

Next, proceed to select all the OAuth Client IDs that are listed, and then click on the "Select" button.

Following that, you have the option to restrict access to the app to a specific organization unit. Simply click on the "Continue" button to proceed.

Now, you need to select the "Limited" option and then click on "Continue" to proceed.

You will be prompted to review the changes you have made. If everything appears to be in order, simply click on "Finish" to complete the process.

Step 2

Navigate to Manage Google services and select the desired service. Then, click on "Change access" and modify it to "Restricted". This change only affects the apps that you set as "Limited" in the previous step.
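
To check which users already granted scopes you have since switched off, the following added example (not JobScore's or Google's code) compares existing JobScore User App grants with your allow-list. It expects per-user responses shaped like the Admin SDK Directory API `tokens.list` output; the users and responses below are constructed, and fetching live responses with admin credentials is left out.

```python
# Added example: audit existing JobScore User App grants against an allow-list.
# Client ID and default scopes are copied from this page; sample data is constructed.
USER_APP_CLIENT_ID = (
    "866243254769-m7l8tv2am7j9te1n35itj5m701ac2gif.apps.googleusercontent.com")
PREFIX = "https://www.googleapis.com/auth/"
DEFAULT_SCOPES = [PREFIX + s for s in (
    "admin.directory.resource.calendar.readonly", "admin.directory.user.readonly",
    "calendar", "contacts.readonly", "drive.file", "gmail.readonly", "gmail.send",
    "userinfo.email", "userinfo.profile")] + ["openid"]


def allowed_scopes(revoked):
    """Default scopes minus the revoked ones; unknown names (typos) are rejected."""
    unknown = set(revoked) - set(DEFAULT_SCOPES)
    if unknown:
        raise ValueError(f"not a JobScore User App scope: {sorted(unknown)}")
    return [s for s in DEFAULT_SCOPES if s not in revoked]


def audit_grants(tokens_by_user, allowed):
    """Map each user to the scopes their User App grant holds beyond `allowed`."""
    findings = {}
    for user, response in tokens_by_user.items():
        for token in response.get("items", []):  # tolerate a response with no items
            if token.get("clientId") != USER_APP_CLIENT_ID:
                continue  # grant belongs to a different OAuth client
            excess = sorted(set(token.get("scopes", [])) - set(allowed))
            if excess:
                findings.setdefault(user, []).extend(excess)
    return findings


# Constructed responses, shaped like Directory API tokens.list output per user.
SAMPLE = {
    "recruiter@example.com": {"items": [
        {"clientId": USER_APP_CLIENT_ID,
         "scopes": [PREFIX + "calendar", PREFIX + "gmail.readonly", "openid"]}]},
    "manager@example.com": {"items": [
        {"clientId": USER_APP_CLIENT_ID, "scopes": [PREFIX + "calendar", "openid"]},
        {"clientId": "constructed-other-client.apps.googleusercontent.com",
         "scopes": [PREFIX + "gmail.readonly"]}]},
    "new.hire@example.com": {},  # constructed case: response carries no tokens
}

if __name__ == "__main__":
    allowed = allowed_scopes([PREFIX + "gmail.readonly", PREFIX + "gmail.send"])
    for user, scopes in audit_grants(SAMPLE, allowed).items():
        print(f"{user}: reinstall or revoke, still holds {scopes}")
```

Users the audit reports are the ones who need the bulk-uninstall and re-install path, or the admin console restriction described above.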

How to allow the JobScore (Account App) to only access a group

Step 1

Start by logging into https://admin.google.com/ and make a GET request to fetch the application. For the Account Application, run this request:

Create as many orgs as you want and add users to them:

  1. Go to https://admin.google.com/
  2. Access Directory > organizational units
  3. Create as many orgs as you want and add users to them

  4. Go to "Apps list" and select "Google Workspace Marketplace apps." Then, navigate to the "Apps List" and locate the entry for JobScore. Click on JobScore to access its settings and configuration.

After that, click on "View organizational units and groups" within the "User Access" section. This will allow you to see and manage the organizational units and groups associated with JobScore.

In this section, you have the following options:

  • "ON": This option will enable JobScore for all users in the selected organization unit.
  • "OFF": This option will disable JobScore for all users in the selected organization unit.

By adding a group, you can enable JobScore specifically for that group of users. This will provide you with additional options to manage access and settings for that particular group.
