Determine if another superuser is using GAM (Users.messages API) to read other people's emails on our domain


Richard Wiles

Dec 15, 2019, 6:02:54 PM
to GAM for G Suite
Is it possible to check if one of the superusers on my domain is using the Users.messages API via GAM to read the email of other users? I am also a superuser, but as far as I can tell there does not appear to be any way to audit/track this kind of thing. The audit logs accessed via gam report admin do not show anything useful here, and there doesn't appear to be a way to view a log of all api calls made to the domain from the user I suspect. I do have admin access to the google cloud platform project their GAM service account is in but that seems like a dead-end as well. Thanks in advance

Jay Lee

Dec 15, 2019, 7:52:59 PM
to google-ap...@googlegroups.com
The other admin would have needed to add their service account client id to the admin console for domain wide delegation. See:


Scan the list there and see if there are IDs you don't recognize. The admin audit log would also show when that client id was added as long as it happened in last 6 months.

Jay


Richard

Dec 16, 2019, 8:37:07 PM
to GAM for G Suite
Sorry, I wasn't clear in my original post. Their ID is definitely in the domain-wide delegation list, since they use GAM legitimately as part of their day-to-day job. Given that, is it possible to track their usage of specific APIs, or am I out of luck?



Kevin Melillo

Dec 19, 2019, 2:29:19 PM
to google-ap...@googlegroups.com
I just realized this today while troubleshooting an issue for a user. We use GAM to delegate access to accounts to managers when their direct reports leave, as well as to set up the vacation responder and such...

I noticed that when GAM is used to do anything with an account, it is logged in the Admin Panel \ Reports \ Audit Reports \ Tokens

Check here for the user account you are referring to, and it will let you know if GAM was used to access the account, as well as the Client ID associated with GAM, the IP address GAM was run from and the scopes that were used!

This is almost as good as having a report to show Delegates!



--
Kevin Melillo
Electronic Communications Analyst, Information Technology

Phone: 732.465.6609 | Mobile: 732-609-4331

Email: k.me...@ieee.org

445 Hoes Lane Piscataway, NJ 08854

Ross Scroggs

Dec 19, 2019, 2:52:49 PM
to google-ap...@googlegroups.com
Kevin,

Try: gam report tokens start 2019-12-17T00:00:00Z filters "app_name==GAM" > reports.csv

Substitute whatever start value you want. I'm assuming that GAM was used as the App Name when the project was created; substitute as required.

Ross
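
The script below is an added example, not GAM's own code and not posted by anyone in the thread. It consumes the reports.csv that the `gam report tokens` command above writes and answers the two questions raised earlier: which client IDs in the Tokens audit log are not on a list of IDs you recognise (Jay's check), and for which users a given client ID obtained a scope that can read mail content, from which IP and when (Kevin's observation). The column names (actor.email, id.time, ipAddress, name, app_name, client_id, scope), the "authorize" event name and the sample rows are constructed assumptions; compare them against the header line of your own export before relying on it. Note what a hit means: the Tokens log records that the service account was issued a token with those scopes on behalf of that user, not the individual messages.get calls made with it.

```python
"""Triage a `gam report tokens` CSV export for service-account mailbox access.

Added example (not GAM's own code). Input is the CSV written by
`gam report tokens start ... filters "app_name==GAM" > reports.csv`.
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows in the flattened shape GAM uses for report output.
# Column names are an assumption: check them against the header of your
# own reports.csv and adjust COLUMNS below if they differ.
SAMPLE_CSV = """\
actor.email,id.time,ipAddress,name,app_name,client_id,scope
alice@example.com,2019-12-17T09:14:02.000Z,203.0.113.10,authorize,GAM,111111111111111111111,https://www.googleapis.com/auth/gmail.modify https://www.googleapis.com/auth/admin.directory.user
bob@example.com,2019-12-17T09:14:03.000Z,203.0.113.10,authorize,GAM,111111111111111111111,https://www.googleapis.com/auth/gmail.readonly
admin@example.com,2019-12-17T10:00:00.000Z,203.0.113.10,authorize,GAM,111111111111111111111,https://www.googleapis.com/auth/admin.directory.user
carol@example.com,2019-12-18T11:30:45.000Z,198.51.100.7,authorize,GAM,222222222222222222222,https://www.googleapis.com/auth/gmail.settings.basic
dave@example.com,2019-12-18T12:00:00.000Z,192.0.2.44,authorize,Unknown app,333333333333333333333,https://mail.google.com/
"""

# Logical field -> CSV column name (assumed; edit to match your export).
COLUMNS = {
    "actor": "actor.email",
    "time": "id.time",
    "ip": "ipAddress",
    "event": "name",
    "app": "app_name",
    "client": "client_id",
    "scope": "scope",
}

# Scopes that permit reading message content. gmail.settings.* (vacation
# responder, delegates) and Directory scopes do not, so a legitimate
# offboarding workflow should not produce hits on its own.
MAIL_CONTENT_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}


def _rows(csv_text):
    """Yield report rows as dicts keyed by the logical names in COLUMNS."""
    for raw in csv.DictReader(io.StringIO(csv_text)):
        row = {key: raw.get(col, "") for key, col in COLUMNS.items()}
        # The multi-valued scope parameter may be space- or comma-separated.
        row["scopes"] = [s for s in row["scope"].replace(",", " ").split() if s]
        yield row


def unknown_clients(csv_text, known_client_ids):
    """Client IDs seen in the token log that are not on the allow-list."""
    found = defaultdict(lambda: {"app_names": set(), "actors": set(), "ips": set()})
    for row in _rows(csv_text):
        if row["client"] in known_client_ids:
            continue
        entry = found[row["client"]]
        entry["app_names"].add(row["app"])
        entry["actors"].add(row["actor"])
        entry["ips"].add(row["ip"])
    return dict(found)


def mailbox_access(csv_text, client_id, exclude_actors=()):
    """Token grants where client_id obtained a mail-content scope for a user.

    Each hit is one authorization: the service account received a token with
    these scopes for this user, from this IP, at this time. The log does not
    record which messages were then read.
    """
    hits = []
    for row in _rows(csv_text):
        if row["client"] != client_id or row["actor"] in exclude_actors:
            continue
        # "authorize" is assumed to be the grant event; skip others (e.g.
        # revoke) when the event column is present in the export.
        if row["event"] and row["event"] != "authorize":
            continue
        mail_scopes = sorted(s for s in row["scopes"] if s in MAIL_CONTENT_SCOPES)
        if not mail_scopes:
            continue
        hits.append({"actor": row["actor"], "time": row["time"],
                     "ip": row["ip"], "scopes": mail_scopes})
    hits.sort(key=lambda h: h["time"])
    return hits


if __name__ == "__main__":
    # Client IDs you recognise from the admin console's domain-wide
    # delegation list (constructed values).
    known = {"111111111111111111111", "222222222222222222222"}
    for cid, info in unknown_clients(SAMPLE_CSV, known).items():
        print(f"unrecognised client {cid}: {info}")
    suspect = "111111111111111111111"
    for hit in mailbox_access(SAMPLE_CSV, suspect, exclude_actors={"admin@example.com"}):
        print(f"{hit['time']} {hit['actor']} from {hit['ip']} scopes={hit['scopes']}")
```

Run it against a real export by replacing SAMPLE_CSV with the contents of reports.csv; exclude the admin's own address so that their self-service use of GAM does not show up as a hit, and widen MAIL_CONTENT_SCOPES if your concern extends beyond message reads.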

Kevin Melillo

Dec 19, 2019, 3:12:13 PM
to google-ap...@googlegroups.com
Thank you Ross, but Richard the original poster needs the info!

Richard, there ya go.
