{
	"id": "ddbfcd36-d30f-4b3b-8a3b-5bcfe67fa251",
	"created_at": "2026-04-06T01:31:36.432894Z",
	"updated_at": "2026-04-10T03:21:20.495804Z",
	"deleted_at": null,
	"sha1_hash": "b19726eb7a9f50b170afcb42d2545ec6faf8c84d",
	"title": "Monitor \u0026 restrict data access",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39533,
	"plain_text": "Monitor \u0026 restrict data access\r\nArchived: 2026-04-06 01:28:42 UTC\r\nThis guide explains how Google Workspace administrators can monitor and manage the data access users\r\ngrant to Apps Script through OAuth scopes.\r\nYou can monitor specific OAuth grant events using the Investigation tool in the Google Admin console.\r\nAccess granted to scopes can be revoked, but users can re-grant access afterward.\r\nAdministrators can create alerts to be notified when users grant access to specific OAuth scopes.\r\nHigh-risk OAuth scopes for certain services like Gmail and Google Drive can be restricted to prevent\r\nunauthorized app access.\r\nYou need an Enterprise, Education Standard, or Education Plus Google Workspace account to monitor and restrict\r\nthe data access that users grant to Apps Script.\r\nGoogle Workspace users grant access to levels of data, known as scopes, when they run scripts or use apps like\r\nadd-ons or web apps. This page describes how to monitor or revoke the scopes that users grant access to within\r\ntheir Google Workspace account.\r\nMonitor OAuth grant events by scope\r\nTo view events where users grant access to a specific scope or scopes, follow these steps:\r\n1. In the Google Admin console, go to Menu \u003e Security \u003e Security center \u003e Investigation tool.\r\n2. Click Data Source and select OAuth log events.\r\n3. Click Add condition \u003e Attribute and select Event.\r\n4. Click Event and select Grant.\r\n5. Click Add condition \u003e Attribute and select Scope.\r\n6. For Scope, enter the scope you want to monitor. For a list of scopes, refer to OAuth 2.0 Scopes for Google\r\nAPIs.\r\n7. Click Search. A list of grant events displays for the scopes you specified.\r\nRevoke OAuth grants\r\nImportant: After you revoke access to a scope, users can re-grant access. Set up alerts for scopes that you don't\r\nwant users to grant access to so that you can revoke access as needed. Refer to Create an alert for OAuth grants.\r\nTo revoke access to a scope, follow the steps for Monitor OAuth grant events by scope, then select the events you\r\nwant to revoke and click Revoke access tokens for users.\r\nCreate an alert for OAuth grants\r\nTo receive an alert when someone grants access to a specific scope, follow the steps for Monitor OAuth grant\r\nevents by scope, then follow these steps:\r\n1. At the top of the search, click Create activity rule.\r\n2. For Rule name, enter a name for the alert.\r\n3. Click Next: View Conditions. The conditions automatically populate from the search parameters. Edit\r\nthem if needed, then click Next: Add Actions.\r\n4. In Threshold 1, select a time frame and threshold for the rule and check the Send to alert center box.\r\n5. Click Add email recipients and enter the email addresses that should receive alerts. Click Done.\r\n6. Click Next: Review.\r\n7. Review the details and click Create Rule.\r\nFor more information, refer to Create and manage activity rules.\r\nRestrict access to high-risk OAuth scopes\r\nYou can restrict access to most Google Workspace services. For Gmail and Google Drive, restrict access to high-risk OAuth scopes while allowing users to give access to OAuth scopes that are not classified as high-risk. If an\r\napp requests access to a restricted high-risk OAuth scope, and you have not specifically trusted the app, users\r\ncannot authorize it.\r\nTo restrict access to high-risk OAuth scopes, refer to Restrict or unrestrict Google services.\r\nSource: https://developers.google.com/apps-script/guides/admin/monitor-restrict-oauth-scopes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://developers.google.com/apps-script/guides/admin/monitor-restrict-oauth-scopes"
	],
	"report_names": [
		"monitor-restrict-oauth-scopes"
	],
	"threat_actors": [],
	"ts_created_at": 1775439096,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b19726eb7a9f50b170afcb42d2545ec6faf8c84d.pdf",
		"text": "https://archive.orkl.eu/b19726eb7a9f50b170afcb42d2545ec6faf8c84d.txt",
		"img": "https://archive.orkl.eu/b19726eb7a9f50b170afcb42d2545ec6faf8c84d.jpg"
	}
}