Permissions Aegis Eight requests
Aegis Eight connects to Google Workspace via domain-wide delegation (DWD) — a read-only service account your Super Admin authorizes in the Admin Console. We read security configuration and audit metadata to assess Essential Eight posture, and never access Gmail, Drive, Chat, or Calendar content.
The short version
- Read-only. We cannot create, modify, or delete users, groups, policies, or security settings.
- No access to your content. We cannot read Gmail, Drive, Chat, or Calendar content.
- Your data never trains AI. We never use customer data to train any machine-learning model — ours or anyone else’s.
- Stored in Australia. Customer scan data is stored in Australia by default; dedicated deployments in another region are available on request.
- Verifiable evidence. API-derived findings are stamped with the endpoint, timestamp, and SHA-256 hash of the data we used to score them. Auditors can independently re-query and verify.
- Revoke anytime. Removing domain-wide delegation immediately stops all access.
What we access
- Directory users, roles, and 2-Step Verification enrollment status
- Admin audit and login reports (metadata only)
- ChromeOS device inventory and policy configuration
- Chrome browser policy settings applied to managed devices
- Google Vault retention policies (when Vault is licensed)
What we never access
- Gmail message content
- Google Drive or Shared Drive file content
- Google Chat or Meet message content
- Calendar event details beyond directory metadata
- Passwords or 2SV secrets — we cannot change anything
- Any customer other than the one that granted delegation
How you grant access
Unlike Microsoft Entra’s one-click admin consent, Google Workspace uses domain-wide delegation configured by your Super Admin:
1. Copy Aegis Eight’s service account Client ID from the connect wizard.
2. In Admin Console, open Security → API controls → Domain-wide delegation and add the Client ID with the OAuth scopes listed below.
3. Provide a delegated admin email (Super Admin or dedicated read-only admin) for impersonation during scans.
4. Click Verify connection in the Aegis Eight portal.
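Before adding the Client ID, a Super Admin can check the comma-separated scope string against the read-only, no-content promise. The check below is an added example, not Aegis Eight's code; the sample scope string is constructed for illustration and is not the vendor's scope list, and the content markers are assumptions.

```python
from urllib.parse import urlparse

# API families the page says are never accessed (Gmail, Drive, Chat, Calendar).
# These substrings are assumptions chosen for this example.
CONTENT_MARKERS = ("mail.google.com", "/auth/gmail", "/auth/drive",
                   "/auth/chat", "/auth/calendar")

def review_scope(scope: str) -> list[str]:
    """Return the reasons a scope breaks the read-only, no-content promise."""
    problems = []
    parsed = urlparse(scope)
    if parsed.scheme != "https":
        problems.append("not an https scope URL")
    if any(marker in scope for marker in CONTENT_MARKERS):
        problems.append("grants access to user content")
    if not parsed.path.rstrip("/").endswith(".readonly"):
        problems.append("not a .readonly scope")
    return problems

def review_grant(scopes_csv: str) -> dict[str, list[str]]:
    """Review the comma-separated scope string pasted into the DWD form."""
    findings = {}
    for raw in scopes_csv.split(","):
        scope = raw.strip()
        if not scope:
            continue  # tolerate trailing commas and blank entries
        problems = review_scope(scope)
        if problems:
            findings[scope] = problems
    return findings

# Constructed sample: two acceptable scopes, one writable scope, and one
# read-only scope that still exposes file content.
SAMPLE_GRANT = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly, "
    "https://www.googleapis.com/auth/admin.reports.audit.readonly, "
    "https://www.googleapis.com/auth/admin.directory.user, "
    "https://www.googleapis.com/auth/drive.readonly"
)

if __name__ == "__main__":
    for scope, problems in review_grant(SAMPLE_GRANT).items():
        print(f"REJECT {scope}: {'; '.join(problems)}")
```

An empty result means every scope in the string is an https `.readonly` scope outside the content-bearing APIs; anything reported should be questioned before the delegation is saved.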
For the wider operational picture — data flows, retention, tenant isolation, sub-processors — see the Security & Privacy page. When you start a free scan and choose Google Workspace, the in-app connect wizard walks through the same steps.
Why we need these permissions
Each scope maps to a specific ASD Essential Eight control. Aegis Eight requests the minimum read-only set required to score your maturity automatically — instead of relying on a questionnaire. The detailed breakdown below names every scope, what it reads, and which control it supports.
Honest parity note: Some controls have limited Google API signal (e.g. Windows/macOS desktop patching, native Google Docs macro settings). Those are scored as no visibility or not applicable rather than guessed — see Security & Privacy for the full model.
We preserve evidence, not just a score
Most Essential Eight tools are questionnaire engines with a few API checks bolted on. Aegis Eight is different: every Google API response that informs a finding is captured and SHA-256 hashed, and the hash is stamped into the finding itself.
The result is a cryptographically verifiable evidence chain — an auditor, cyber insurer, or regulator can confirm that the data we scored is exactly what your tenant returned, without taking our word for it. See how it works in the evidence-chain section of the whitepaper.
Core scan scopes
Every scope below is read-only. Required for every Workspace customer.
Chrome Management scopes
Chrome browser and ChromeOS policy and inventory signals for application control, hardening, and patch posture.
Optional scopes
These scopes extend coverage where the corresponding Google product is licensed. If you omit them from DWD, related collectors degrade gracefully to no visibility rather than failing the whole scan.
Google Vault
Retention policy metadata when Vault is licensed — supports Regular backups (partial).
Mobile Management
Enrolled Android and iOS device inventory for endpoint visibility beyond ChromeOS.
Data-handling promises
- No machine-learning training. We never use customer Google Workspace data to train any ML model — ours, a vendor’s, or a third party’s.
- Australian data residency. Customer scan data is stored in Australia by default; dedicated deployments in another region are available on request.
- 90-day retention. Full scan data is retained for 90 days; beyond that, only the summary and response hash are kept. Per-tenant overrides are available on request.
- Hash-bound evidence chain. We preserve a verifiable evidence chain: every API response that informs a finding is captured, SHA-256 hashed, and linked to the finding. An assessor can re-query Google Admin APIs (within retention windows) and confirm the data matches exactly what we scored — without taking our word for it. Details in the Security & Privacy whitepaper.
- No cross-tenant correlation. Findings from one customer’s Workspace are never combined with another customer’s data.
- Revocation purges within 30 days. Remove DWD and request full data deletion at any time.
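The evidence chain described under "We preserve evidence, not just a score" and in the hash-bound evidence promise above can be checked from the auditor's side as follows. This is an added example, not Aegis Eight's code: the finding field names and the canonical-JSON hashing (sorted keys, compact separators, UTF-8) are assumptions, and the endpoint and response are constructed sample data.

```python
import hashlib
import hmac
import json

def canonical_sha256(response: dict) -> str:
    """Hash a JSON response independent of key order and whitespace.

    Assumed canonical form; list order is preserved and still affects the hash.
    """
    canonical = json.dumps(response, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()

def stamp_finding(endpoint: str, response: dict, timestamp: str) -> dict:
    """Build the stamp the page describes: endpoint, timestamp, SHA-256."""
    return {"endpoint": endpoint, "timestamp": timestamp,
            "sha256": canonical_sha256(response)}

def verify_finding(finding: dict, requeried: dict, requeried_endpoint: str) -> str:
    """Compare an auditor's re-queried response with a finding's stamp."""
    if finding["endpoint"] != requeried_endpoint:
        return "endpoint-mismatch"  # the auditor queried something else
    actual = canonical_sha256(requeried)
    if hmac.compare_digest(actual, finding["sha256"].lower()):
        return "verified"
    return "hash-mismatch"

# Constructed sample data (not real tenant output).
ENDPOINT = "https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer"
SCORED = {"users": [{"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": True}]}

if __name__ == "__main__":
    finding = stamp_finding(ENDPOINT, SCORED, "2024-01-01T00:00:00Z")
    # Same data, different key order: still verifies.
    same = {"users": [{"isEnrolledIn2Sv": True, "primaryEmail": "alice@example.com"}]}
    print(verify_finding(finding, same, ENDPOINT))
    # One changed value: the stamp no longer matches.
    drifted = {"users": [{"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": False}]}
    print(verify_finding(finding, drifted, ENDPOINT))
```

A `hash-mismatch` shows only that the live response differs from the scored one; that also happens when the tenant's configuration changed after the finding's timestamp, so compare against the retained response before concluding anything.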
Revoking access
A Super Admin can remove Aegis Eight’s access at any time by deleting our service account Client ID from Admin Console → Security → Access and data control → API controls → Domain-wide delegation. Revocation is immediate: any subsequent API call from Aegis Eight fails authorization and no new tenant data can be collected. Aegis Eight detects the loss of access on the next scan attempt and stops. You can additionally request deletion of any data already collected (purged within 30 days — see the Security & Privacy whitepaper).
Questions about a specific scope? Email [email protected]. Compare with Microsoft 365 permissions or read the full Security & Privacy whitepaper.