I love GAM - the command line interface is so much more flexible than the control panel, and I haven't found another management solution that can replace it. However, GAM's abilities can also come at a price. While most functions GAM performs can be monitored in the Google Apps Audit Log (https://www.google.com/a/cpanel/yourdomainhere/DomainSettings#Reports/subtab=audits&subtabchild=cpanel), I don't see a record of mailboxes I have delegated.As a result, anyone who has access to this tool could view any mailbox in my domain, without any other users knowing the difference. This creates a huge opening for abuse (of this otherwise very useful feature). I want to be able to use GAM without someone being able to accuse me of such abuse.1) Any other ideas about how to audit this command?2) Alternatively, is there a way to have GAM report this action to the Google Apps audit log in a future build?
Randy Schmidt
IT Operations - BCP Specialist
-----------------------------------------------------------
Direct 641-357-2710 ext 2229
TeamQuest Corporation
teamquest.com | LinkedIn | ITSO Blog
------------------------------------------------------------
Specializing in IT Capacity Management
--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
Hi Jordan,The CPanel audit log is written by Google on admin changes and is immutable, there's no API that can write to it or modify it. So GAM doesn't really do anything special to get actions like create user, delete user, etc audited. Unfortunately, mailbox delegations are not an item that Google audits. This would be a feature request into Google to add mailbox delegations to the audit log. Note that any tool could perform the mailbox delegation API calls, so the risk you pointed out is there whether you're using GAM or not. Be careful who you give super admin access to.
If you'd like to discuss this more, shoot us an email and we can setup a time to talk about what you're trying to accomplish and how it can be done securely.