When you connect Code42 to Gmail, you grant certain permissions to Code42 in your Gmail environment. This article lists the permissions Code42 requires as well as what those permissions allow Code42 to do in your Gmail environment.
Permissions your Google Workspace administrator needs
Code42 uses API client access to connect to and monitor file activity in your Google environment. To grant third-party services or applications domain-wide delegation or manage API client access in the Google Admin console, you must be a Google Workspace administrator who has the Super Admin role. Code42 cannot collect data from your Google environment when the connection is authorized by a Google Workspace administrator without this role.
Permissions the Code42 service account needs
When a user emails an attachment, we collect information about the attached file and the sender and recipients for the email. To see this file activity, Code42 requires access to your Gmail environment.
During the configuration steps for connecting Code42 to Gmail, Code42 provides the client ID and scopes for you to enter in your Google Admin console. Code42 uses the following scopes:
https://www.googleapis.com/auth/admin.directory.customer.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/gmail.readonly
This set of permissions means Code42 has read-only access to metadata for emails, attached files, and users within that email service. In other words, Code42 cannot make changes to the emails, data, or users in your email environment. In addition, Code42 does not monitor the contents of those files, and does not back up files in the email service.
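To confirm that the domain-wide delegation entry matches the scope list above exactly, the following added example (not Code42's or Google's code) audits a scope string as copied from the Admin console. The function names and the sample grant strings are assumptions constructed for illustration.

```python
import re

# The four scopes this article lists for the Code42 Gmail connection.
EXPECTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.customer.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
})


def parse_scopes(raw):
    """Split a comma- or whitespace-delimited scope list into a set."""
    return {part for part in re.split(r"[,\s]+", raw.strip()) if part}


def audit_grant(raw):
    """Compare a granted scope string against the documented scope set."""
    granted = parse_scopes(raw)
    missing = sorted(EXPECTED_SCOPES - granted)       # connection may fail
    unexpected = sorted(granted - EXPECTED_SCOPES)    # more access than documented
    not_read_only = sorted(s for s in granted if not s.endswith(".readonly"))
    return {
        "ok": not missing and not unexpected,
        "missing": missing,
        "unexpected": unexpected,
        "not_read_only": not_read_only,
    }


# Constructed sample: the documented grant, comma-delimited.
GOOD_GRANT = ",".join(sorted(EXPECTED_SCOPES))

# Constructed sample: gmail.readonly was replaced by a broader scope.
BAD_GRANT = (
    "https://www.googleapis.com/auth/admin.directory.customer.readonly, "
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly,\n"
    "https://www.googleapis.com/auth/admin.directory.user.readonly, "
    "https://www.googleapis.com/auth/gmail.modify"
)

if __name__ == "__main__":
    for label, grant in (("good", GOOD_GRANT), ("bad", BAD_GRANT)):
        print(label, audit_grant(grant))
```

A grant passes only when it contains all four documented scopes and nothing else; any entry in `unexpected` or `not_read_only` means the client ID holds more access than this article describes.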