What’s changing
Service accounts can now have direct access to Groups APIs without needing domain-wide delegation and admin impersonation. This means you can:
- Assign an admin role to a service account using the Admin SDK roles API and Admin console Roles page.
- Use a service account with an admin role to manage groups at a customer level via the Admin SDK Groups API and the Cloud Identity Groups API.
- Use a service account with group owner or manager role (non-admin) to manage groups via the Cloud Identity Groups API.
- See accurate audit logs with service accounts as the actor.
Who’s impacted
Admins and developers
Why it’s important
Using service accounts with Groups can help provide sufficient data access for business apps and enable the automation of various admin tasks.
Previously, you had to use domain-wide delegation and admin impersonation to provide service accounts with sufficient data access. This was a cumbersome process, which could result in overly broad privileges for the service account and audit logs that were hard to interpret.
By enabling direct API access, we’re making it simpler to use service accounts for critical business apps and processes, and easier to maintain a strong security and compliance posture.
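The audit-log benefit described above, as an added example that is not part of the original post and not Google's code: it triages group-change events by whether the actor is a service account and whether that account is on an approved list. The event shape is modeled on Admin SDK Reports API activities; the sample events, addresses, allowlist and verdict labels are constructed assumptions.

```python
SERVICE_ACCOUNT_SUFFIX = ".gserviceaccount.com"
# Hypothetical allowlist of service accounts expected to manage groups.
APPROVED = {"groups-sync@example-project.iam.gserviceaccount.com"}

# Constructed events shaped like Admin SDK Reports API activities
# (actor.email, events[].name, events[].parameters). All values are made up.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2020-08-27T10:00:00Z"},
     "actor": {"email": "groups-sync@example-project.iam.gserviceaccount.com"},
     "events": [{"name": "ADD_GROUP_MEMBER",
                 "parameters": [{"name": "GROUP_EMAIL", "value": "eng@example.com"}]}]},
    {"id": {"time": "2020-08-27T10:05:00Z"},
     "actor": {"email": "adhoc-tool@example-project.iam.gserviceaccount.com"},
     "events": [{"name": "DELETE_GROUP",
                 "parameters": [{"name": "GROUP_EMAIL", "value": "finance@example.com"}]}]},
    {"id": {"time": "2020-08-27T10:09:00Z"},
     "actor": {"email": "admin@example.com"},
     "events": [{"name": "CREATE_GROUP",
                 "parameters": [{"name": "GROUP_EMAIL", "value": "ops@example.com"}]}]},
    {"id": {"time": "2020-08-27T10:12:00Z"},
     "actor": {"email": "adhoc-tool@example-project.iam.gserviceaccount.com"},
     "events": [{"name": "CHANGE_PASSWORD", "parameters": []}]},  # not a group event
]

def classify_actor(email, approved=APPROVED):
    email = (email or "").strip().lower()
    if not email:
        return "unknown-actor"
    if not email.endswith(SERVICE_ACCOUNT_SUFFIX):
        # A user actor may be a person or an app impersonating that person
        # through domain-wide delegation; the log entry alone cannot tell.
        return "user-actor"
    return "approved-service-account" if email in approved else "unapproved-service-account"

def review_group_activity(activities, approved=APPROVED):
    """Return (time, actor, event, group, verdict) for each group-related event."""
    findings = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "")
        for ev in act.get("events", []):
            if "GROUP" not in ev.get("name", ""):
                continue
            params = {p.get("name"): p.get("value") for p in ev.get("parameters", [])}
            findings.append((act.get("id", {}).get("time"), actor, ev["name"],
                             params.get("GROUP_EMAIL"), classify_actor(actor, approved)))
    return findings

if __name__ == "__main__":
    print(*review_group_activity(SAMPLE_ACTIVITIES), sep="\n")
```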
Getting started
- Admins: This feature will be available by default. You can use new or existing service accounts. Get started with the setup guide for authenticating with the Groups API. Visit our Help Center to learn more about managing Groups for your organization, creating service accounts, using the Cloud Identity Groups API, or checking Audit logs in the Admin console.
- End users: No end user impact.
Rollout pace
- API role assignments: This feature is available now for all users
- Admin console roles page updates: Rapid and Scheduled release domains: Gradual rollout (up to 15 days for feature visibility) starting on August 26, 2020
- Service account API access: This feature is available now for all users
Availability
- Available to all G Suite customers