Restricting Service Account Access

Google’s marketplace applications can be configured to restrict access to a subset of users and resources. This is configured using based upon Organizational Units.

For more information see Google’s documentation on configuration and for an overview on organization structures within G-Suite.

In this example we can create an Organizational Unit named “Resource” as a child resource of our root domain:

In order to authorize the application to use the Organizational Unit a user must be created within this Organizational Unit.

This user must be configured to be granted the following admin privileges:

  • For the Organizational Unit
    • Admin API > Users > Read
  • For all Organizational Units
    • Admin API > Domain Management

This can be achieved by assigning each privilege via a distinct custom role:

At this stage the Cronofy application should be installed for the domain.

After installing the Cronofy Application at the root domain level we can restrict access - blocking access to all users outside of the Organizational Unit:

And configure overridden access to our Organizational Unit to allow access to the application:

Cronofy will still make user of Domain wide Delegation but be sandboxed within the Organizational Unit. When authorizing the Google Service Account with Cronofy the newly created user must be used when linking.

After this has been completed any user accounts which should be accessed should be placed within the Organizational Unit in order to allow access. By default, all resources will be accessible and so can be linked.