Google Workspace GDrive Permissions Reference
The following OAuth scopes are required for SailPoint Entro to perform metadata-based secret scanning within Google Workspace (GDrive).
Required Scopes and Purpose
| Scope | Purpose |
|---|---|
https://www.googleapis.com/auth/drive.readonly |
Read-only access to all Google Drive files |
https://www.googleapis.com/auth/admin.directory.user.readonly |
Retrieve user metadata for file ownership correlation |
https://www.googleapis.com/auth/admin.directory.group.readonly |
Discover group associations |
https://www.googleapis.com/auth/admin.directory.group.member.readonly |
Retrieve group membership lists |
https://www.googleapis.com/auth/admin.directory.customer.readonly |
Read organizational metadata |
Note
Access Model
- All data is accessed in read-only mode.
- File content is never modified or stored.
- Metadata only (name, path, permissions, timestamps) is retrieved.
- Tokens are AES-256 encrypted in SailPoint Entro’s Worker environment.
Note
Security & Compliance
- TLS 1.2+ enforced
- SOC 2 Type II, ISO 27001, GDPR-certified
- Read-only OAuth access, revocable at any time