Documented google integration requires domain wide privileges #2408

Closed
keithherron opened this issue Aug 12, 2022 · 5 comments
Labels: documentation, enhancement, help wanted, Stale, triaged


@keithherron

Describe the bug
The documented Google integration seems too permissive, in that it guides creation of an API key with domain-wide full access.

Expected behavior
Documentation clearly outlines minimal permissions required to function, and instructs user through granting only the minimal access required for Dispatch (ideally per-plugin).

Additional context
I'm in the process of integrating Dispatch into my organization's Google Workspace, but am receiving pushback as the documented permissions are understood to be root level rw across the entire account, including ability to read others' emails. I'd anticipate this to be problematic at other orgs as well.

I'll be trying to find the minimal set of permissions to get the Google plugins up and working through trial and error, but a clearly written guide would be very helpful. Any info about required permissions that could be provided here will be helpful as well!

mvilanova added the documentation, enhancement, help wanted, triaged labels Aug 18, 2022
@mvilanova
Contributor

We recognize it's more permissive than it should be, but we haven't had time to prioritize the changes required to reduce it. More context here.

Can you elaborate more on what you think is missing in the documentation? All you need should be documented here, but let me know if you disagree and we can work together to improve it.

@keithherron
Author

Thanks for the context, that helps!

With regard to the documentation, I think it'd be helpful to include additional detail about the permissions required at a per-plugin level, walking through how to set up the minimal access required, and including rationale for cases where domain-wide delegation is a requirement.

FWIW I was successful in connecting the Drive/Docs plugins with a normally privileged service account/key, and "sharing" edit access on the root incident storage folder with the IAM email address associated with the Google service account (`client_email` entry in the JSON file). Maybe this could be a documented configuration for the Drive/Docs setup (and maybe it'd work for other plugins too, have not yet tested that).
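
The folder-sharing setup described in the comment above, as an added example that is not part of the thread or of Dispatch's code: it builds the Drive v3 `permissions.create` request that shares one folder with the key's `client_email`, and flags delegated scopes that would expose mail or all of Drive. The key contents, folder ID and scope list are constructed samples, and the function names are hypothetical.

```python
import json

# Real Gmail API scopes that allow reading mailbox contents.
MAIL_READ_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
# Full Drive access (drive.file is the narrower per-file alternative).
BROAD_DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"


def audit_delegated_scopes(scopes):
    """Return (scope, reason) findings for scopes authorized for domain-wide delegation."""
    findings = []
    for scope in sorted(set(scopes)):
        if scope in MAIL_READ_SCOPES:
            findings.append((scope, "can read any user's mail when delegated"))
        elif scope == BROAD_DRIVE_SCOPE:
            findings.append((scope, "reaches every user's Drive when delegated"))
    return findings


def folder_share_request(key_json, folder_id):
    """Build the Drive v3 permissions.create call that shares one folder with
    the service account itself, so it needs no impersonation to use it."""
    key = json.loads(key_json)
    if key.get("type") != "service_account" or "client_email" not in key:
        raise ValueError("not a service account key file")
    return {
        "method": "POST",
        "url": f"https://www.googleapis.com/drive/v3/files/{folder_id}/permissions"
               "?sendNotificationEmail=false",
        # role "writer" is what the Drive UI calls edit access
        "body": {"type": "user", "role": "writer", "emailAddress": key["client_email"]},
    }


# Constructed sample key (no private key material) and constructed scope list.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "dispatch-sa@example-project.iam.gserviceaccount.com",
})
SAMPLE_SCOPES = ["https://mail.google.com/", BROAD_DRIVE_SCOPE,
                 "https://www.googleapis.com/auth/documents"]

if __name__ == "__main__":
    for scope, why in audit_delegated_scopes(SAMPLE_SCOPES):
        print(f"REVIEW {scope}: {why}")
    print(json.dumps(folder_share_request(SAMPLE_KEY, "FOLDER_ID_PLACEHOLDER"), indent=2))
```

The request must be sent by a user who already has access to the folder; the service account then sees only what has been shared with it.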

@mvilanova
Contributor

Yeah, I agree your suggestion would be a good documentation improvement. Feel free to submit a PR for documentation or other improvements!

@github-actions
Contributor

This issue is stale, because it has been open for 30 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.

github-actions bot added the Stale label Sep 19, 2022
@github-actions
Contributor

This issue was closed, because it has been stalled for 5 days with no activity.
