Sometimes you don’t want JobScore to access Google Workspace programs, often for security & compliance reasons. This means you’ll need to restrict access to some Google services for some users.
There are multiple ways to do this, but before we get into them, here’s a summary of the top concerns we’ve heard from employers about letting JobScore access your data:
Common Concerns
Calendar read and write access: JobScore shows people’s free/busy information and allows people to schedule interviews. To keep things simple, JobScore respects all of Google’s built-in calendar data-access controls.
- Example: If user 1 tries to see user 2’s free/busy status to schedule an interview, JobScore only shows the information user 1 can normally see in their Google Calendar.
- So, if you have calendar permissions set up the way you want, everything should be fine as JobScore mirrors what’s already happening in Google Calendar.
- JobScore does not store any externally created event data in the system. Events are only shown to registered users so they can find available interview timeslots.
Email read access: JobScore uses the gmail.readonly scope to facilitate collaboration and create a “single source of recruiting truth” by synchronizing the emails exchanged between your employees and candidates. This means everyone involved in the hiring process can easily see the correspondence other people have exchanged with a candidate, making recruiting faster, easier, and less error-prone. The ability for JobScore to read emails is turned OFF by default. Individual users must specifically choose to turn it on.
- Example: If user 1 has email sync turned on, the messages they exchange with candidates will appear in JobScore, so user 2 can see the emails sent back and forth between user 1 and candidates. Normally user 2 would be unaware of these messages because they would be locked up in user 1’s Gmail.
- The concerns here are typically twofold:
  - The only way to make this feature work is to give JobScore rights to read all of a user’s emails. The fact that JobScore only stores emails exchanged with candidates might not matter because your policies dictate that no one outside your firm can access this data. If it makes a difference, to help alleviate security concerns JobScore completed the Google Security Assessment to become a verified app that can access this restricted scope. The assessment utilizes the App Defense Alliance standards and the cloud application security assessment framework (CASA). JobScore is also SOC2 type 2 certified >>
  - There is a concern that some candidate email correspondence will be made public that should not. To alleviate this concern, JobScore includes the ability to make emails private.
Access control options
To control access, first you’ll need to decide which app you want to use:
- The Google Account App, which enables integrations for all users on your domain who use JobScore.
- The Google User App, which is individually installed by each user. The User App is missing some unique features your team may need.
If you install the Account App for everyone:
- You can turn off email sending and reading on the Edit Google Account Settings page in JobScore.
  - If you turn things off in this way, JobScore will still have access to the related scopes, but they will not be used, and the JobScore features they power are turned off. So, for instance, if you aren’t sure if you need email features, this method allows business users to turn features on and off easily with a click. Users with the owner and admin access levels can adjust these settings here >>
- You can turn off specific scopes for all users in the Google console.
  - This allows IT departments to prohibit JobScore from using specific APIs no matter what anyone does. Choose this option if you need a bulletproof mechanism to ensure JobScore can’t access specific data or perform specific actions. To complete this step you’ll need to first identify which Account App permission to remove. Read the instructions here >>
- You can control which users can use JobScore platform integrations using Organizational Units.
  - This gives IT teams granular control over which users’ data can be accessed by JobScore. For instance, you could turn integrations on for people in the HR and Sales departments and leave out the executive team. The downside of this approach is that if someone needs to use the integrations and they are not in the appropriate group, they’ll need to ask someone in the IT department to make a change. Read the instructions here >>
If you prefer to have your team install the User App one by one:
- Users with the owner access level can control which scopes are granted on the Control Google User App Scopes page in JobScore:
  - This allows you to block every user from granting access to a specific scope if needed. Start by identifying which User App Permissions you want to remove, then update the User App scopes on this page in JobScore.
  - If the User App was installed before you restricted scopes in this way, you’ll likely want to remove the app for those users and ask them to reinstall the app with restricted scopes.
- You can turn off specific scopes for the User App in the Google console.
  - This allows IT departments to prohibit JobScore from using specific APIs no matter what anyone does. Choose this option if you need a bulletproof mechanism to ensure JobScore can’t access specific data or perform specific actions.
  - If you do this, you must also do the first option.
Account App Permissions
The JobScore Google Account App requests the following permissions by default:
Scope | Description | URL to insert |
Admin SDK API | View calendar resources on your domain | https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly |
Admin SDK API | See info about users on your domain | https://www.googleapis.com/auth/admin.directory.user.readonly |
Calendar API | See, edit, share, and permanently delete all the calendars you can access using Google Calendar | https://www.googleapis.com/auth/calendar |
People API | See and download your contacts | https://www.googleapis.com/auth/contacts.readonly |
Google Drive API | See, edit, create, and delete only the specific Google Drive files you use with this app | https://www.googleapis.com/auth/drive.file |
Gmail API | View your email messages and settings | https://www.googleapis.com/auth/gmail.readonly |
Gmail API | Send email on your behalf | https://www.googleapis.com/auth/gmail.send |
Google OAuth2 API | See your primary Google Account email address | https://www.googleapis.com/auth/userinfo.email |
Google OAuth2 API | See your personal info, including any personal info you've made publicly available | https://www.googleapis.com/auth/userinfo.profile |
User App Permissions
The JobScore Google User App requests the following permissions by default. It is important to note that individual users must choose to grant access to permissions for applications to work for them.
Scope | Description | URL to insert |
Admin SDK API | View calendar resources on your domain | https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly |
Admin SDK API | See info about users on your domain | https://www.googleapis.com/auth/admin.directory.user.readonly |
Calendar API | See, edit, share, and permanently delete all the calendars you can access using Google Calendar | https://www.googleapis.com/auth/calendar |
People API | See and download your contacts | https://www.googleapis.com/auth/contacts.readonly |
Google Drive API | See, edit, create, and delete only the specific Google Drive files you use with this app | https://www.googleapis.com/auth/drive.file |
Gmail API | View your email messages and settings | https://www.googleapis.com/auth/gmail.readonly |
Gmail API | Send email on your behalf | https://www.googleapis.com/auth/gmail.send |
Google OAuth2 API | See your primary Google Account email address | https://www.googleapis.com/auth/userinfo.email |
Google OAuth2 API | See your personal info, including any personal info you've made publicly available | https://www.googleapis.com/auth/userinfo.profile |
Google OAuth2 API | Associate you with your personal info on Google | openid |
How to revoke Google permissions for the Account App
Step 1
If you have already installed the Google Account App, please uninstall it from the JobScore Google Marketplace listing here. If you are unsure if it’s installed, visit the JobScore marketplace listing to verify that. Once you’ve verified the account app is not installed on your domain, proceed to step 2.
Step 2
Start by logging into the Google Admin Console > Domain-wide Delegation page and click on "Add New."
Step 3
In the "ClientID" field, paste this value: 130512864914-5444fgei1nk5r4hajn8s5vo50vdbv317.apps.googleusercontent.com
In the "OAuth Scopes (comma-delineated)" field, you need to input the scopes you authorize the JobScore Account App to use, separated by commas. Start by copying and pasting this list (which contains all the scopes), delete those you wish to revoke/not let JobScore use, then submit the form.
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/contacts.readonly,https://www.googleapis.com/auth/drive.file,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/gmail.send,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile
How to revoke Google permissions for the User App
If you want to turn off a specific scope in your account please visit this page: Control Google User App Scopes
Here you can flip the switch for the particular scopes that you don’t want JobScore to be able to access.
When users install the app, they’ll only be granting access to the scopes you selected.
If you are concerned with folks who have already granted access to specific scopes, you have two choices.
- You can click the button to bulk-uninstall the User App for everyone. When you do this, everyone in your account will be prompted to re-install the Google User App (with the correct scopes).
- You can log into the Google administrative console and turn off access for JobScore to specific scopes. If you do this, current users won’t have to re-install the app and no one will be able to access the scope through JobScore no matter what happened in the past, or what happens in the future. This can be done in the administrative console on this page:
Step 1
To begin, you'll need to log in to the Google Admin Console > Manage third-party app access. From there, click on "Add app." Here, click OAuth App Or Client ID.
Search for either "JobScore User" or the Client ID associated with the JobScore User app:
866243254769-m7l8tv2am7j9te1n35itj5m701ac2gif.apps.googleusercontent.com
Once you find it, click on the "Select" button.
Next, proceed to select all the OAuth Client IDs that are listed, and then click on the "Select" button.
Following that, you have the option to restrict access to the app to a specific organization unit. Simply click on the "Continue" button to proceed.
Now, you need to select the "Limited" option and then click on "Continue" to proceed.
You will be prompted to review the changes you have made. If everything appears to be in order, simply click on "Finish" to complete the process.
Step 2
Navigate to Manage Google services and select the desired service. Then, click on "Change access" and modify it to "Restricted". This change will only impact the apps that you set as "Limited" in the previous step.
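To check which users granted the User App a scope before it was restricted, an administrator can compare existing OAuth grants against the blocked list. The following is an added example, not code from JobScore or Google: it assumes token records shaped like the Admin SDK Directory API token resource (clientId, userKey, scopes), and the blocked scopes, user IDs and second client ID are constructed for illustration.

```python
import json

# Client ID of the JobScore User App, copied from this page.
JOBSCORE_USER_CLIENT_ID = (
    "866243254769-m7l8tv2am7j9te1n35itj5m701ac2gif.apps.googleusercontent.com"
)
PREFIX = "https://www.googleapis.com/auth/"

# Assumption for this example: the admin chose to block Gmail read and send.
BLOCKED_SCOPES = {PREFIX + "gmail.readonly", PREFIX + "gmail.send"}

# Constructed sample data shaped like Directory API token resources
# (clientId, userKey, scopes). User IDs and the second client ID are made up.
SAMPLE_TOKENS = json.loads("""
[
  {"clientId": "866243254769-m7l8tv2am7j9te1n35itj5m701ac2gif.apps.googleusercontent.com",
   "userKey": "1001",
   "scopes": ["https://www.googleapis.com/auth/calendar",
              "https://www.googleapis.com/auth/gmail.send",
              "https://www.googleapis.com/auth/gmail.readonly"]},
  {"clientId": "866243254769-m7l8tv2am7j9te1n35itj5m701ac2gif.apps.googleusercontent.com",
   "userKey": "1002",
   "scopes": ["https://www.googleapis.com/auth/calendar", "openid"]},
  {"clientId": "000000000000-example.apps.googleusercontent.com",
   "userKey": "1003",
   "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}
]
""")


def find_stale_grants(tokens, client_id, blocked):
    """Map each userKey to the blocked scopes it still grants to client_id."""
    findings = {}
    for token in tokens:
        if token.get("clientId") != client_id:
            continue  # a different app; out of scope for this check
        still_granted = blocked.intersection(token.get("scopes", []))
        if still_granted:
            findings.setdefault(token["userKey"], set()).update(still_granted)
    return {user: sorted(scopes) for user, scopes in findings.items()}


if __name__ == "__main__":
    stale = find_stale_grants(SAMPLE_TOKENS, JOBSCORE_USER_CLIENT_ID, BLOCKED_SCOPES)
    for user, scopes in stale.items():
        print(f"{user} must reinstall or be revoked; still grants: {', '.join(scopes)}")
```

Users reported by this check are the ones who installed the User App before the restriction, so they are the ones affected by the bulk uninstall or the Admin Console restriction described above.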
How to allow the JobScore (Account App) to only access a group
Step 1
Start by logging into https://admin.google.com/ and make a GET request to fetch the application. For the Account Application, run this request:
Create as many orgs as you want and add users to them:
- Go to https://admin.google.com/
- Access Directory > organizational units
- Create as many orgs as you want and add users to them
- Go to "Apps list" and select "Google Workspace Marketplace apps." Then, navigate to the "Apps List" and locate the entry for JobScore. Click on JobScore to access its settings and configuration.
After that, click on "View organizational units and groups" within the "User Access" section. This will allow you to see and manage the organizational units and groups associated with JobScore.
In this section, you have the following options:
- "ON": This option will enable JobScore for all users in the selected organization unit.
- "OFF": This option will disable JobScore for all users in the selected organization unit.
By adding a group, you can enable JobScore specifically for that group of users. This will provide you with additional options to manage access and settings for that particular group.