
Quick Summary: Domain-wide delegation in Google Workspace grants an app the ability to impersonate any user in your org — a privilege that's easy to grant and nearly impossible to track without the right tooling. Oleria, an AI-native identity security & governance platform, identifies every service account and OAuth app holding domain-wide delegation before it becomes a critical finding.
A single Google service account with domain-wide delegation can impersonate every user in your tenant. Most organizations have dozens of them and no program to review them. That's not a gap in tooling - it's a gap in ownership.
Google Workspace admin separates service accounts (in Cloud Console, scoped per project) from OAuth marketplace apps (in Admin Console, scoped per workspace). Domain-wide delegation lets a service account impersonate any user in the tenant - powerful, dangerous, and often forgotten. End-user-installed Marketplace apps inherit scope from user consent, frequently with broader access than the user understood at install time.
Most enterprises carry hundreds of OAuth apps with sensitive scopes - drive.read, gmail.readonly, calendar - and dozens of service accounts with domain-wide delegation. Domain-wide delegation is the most powerful capability in Google Workspace and the most casually granted. Because most teams never build a DWD review program, DWD is exactly what becomes the breach vector when a breach happens. The Admin Console lists the components individually; what nobody has pre-built is the cross-reference of "service accounts with DWD" against "OAuth apps with sensitive scope" against "apps unused in 90 days".
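The cross-reference described above (DWD status against sensitive scopes against 90-day usage), written out as an added example that is not Oleria's or Google's code. The record shape, the field names, the sample principals and the decision to treat exactly these three scope URIs as sensitive are this example's assumptions.

```python
"""Triage Workspace service accounts and OAuth apps into review queues.
Added example, not Oleria's code: records are constructed inline in the shape an
analyst might assemble from Cloud Console (service accounts, DWD) and the Admin
SDK Directory API tokens resource (OAuth grants); field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Real Google OAuth scope URIs; treating exactly these as sensitive is this
# example's assumption, not the OWASP/CSA mapping the page refers to.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly": "Drive read-all",
    "https://www.googleapis.com/auth/gmail.readonly": "Gmail read-only",
    "https://www.googleapis.com/auth/calendar": "Calendar full-access",
}
STALE_AFTER = timedelta(days=90)  # the page's "unused in 90 days" threshold

@dataclass
class Principal:
    name: str                       # service account email or OAuth client_id
    scopes: tuple
    dwd: bool = False               # holds domain-wide delegation
    admin_reviewed: bool = True     # False = end-user Marketplace install
    last_used: "datetime | None" = None

def prioritize(inventory, now):
    """Return (tier, name, sensitive_scopes, stale) tuples, highest risk first:
    DWD holders in their own queue, then user-installed sensitive apps, then the
    rest; within a tier, unused access sorts first (risk with no benefit)."""
    findings = []
    for p in inventory:
        hits = sorted(SENSITIVE_SCOPES[s] for s in p.scopes if s in SENSITIVE_SCOPES)
        stale = p.last_used is None or now - p.last_used > STALE_AFTER
        if not (p.dwd or hits):
            continue                            # nothing sensitive to review
        tier = ("P1-dwd" if p.dwd else          # blast radius: whole tenant
                "P2-user-installed" if not p.admin_reviewed else "P3-sensitive")
        findings.append((tier, p.name, hits, stale))
    return sorted(findings, key=lambda f: (f[0], not f[3], f[1]))

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
INVENTORY = [  # constructed sample records
    Principal("backup-sa@example-proj.iam.gserviceaccount.com",
              ("https://www.googleapis.com/auth/drive.readonly",
               "https://www.googleapis.com/auth/gmail.readonly"),
              dwd=True, last_used=NOW - timedelta(days=200)),
    Principal("sync-sa@example-proj.iam.gserviceaccount.com",
              ("https://www.googleapis.com/auth/calendar",), dwd=True,
              last_used=NOW - timedelta(days=2)),
    Principal("1111.apps.googleusercontent.com",
              ("https://www.googleapis.com/auth/calendar",),
              admin_reviewed=False, last_used=NOW - timedelta(days=10)),
    Principal("2222.apps.googleusercontent.com",
              ("https://www.googleapis.com/auth/drive.readonly",)),  # never used
]
```

Running `prioritize(INVENTORY, NOW)` puts the stale DWD service account at the top of the list, ahead of the actively used one, then the user-installed calendar app, then the never-used admin-reviewed Drive app.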
The Google Workspace Service Account Audit surfaces every service account and OAuth app — including who holds domain-wide delegation — in one governed inventory.

Service accounts, OAuth apps, Marketplace apps, and domain-wide delegation status in one normalized view - not split across Cloud Console and Admin Console
Service accounts with DWD are flagged separately because their blast radius is your entire tenant - every user, every mailbox, every file
OAuth apps installed by users without admin review carry different risk. The split is visible in inventory so you can prioritize appropriately
Drive read-all, Gmail read-only, Calendar full-access - flagged against OWASP and CSA guidance on OAuth scope risk, not left to manual string-matching

Inventory every Google Workspace service account and OAuth app, including all DWD holders, with named owners in hours. Oleria Trustfusion, an AI-native identity security platform, brings your highest-blast-radius Workspace credentials under continuous governance.
Yes. The two surfaces are unified in one inventory.
Apps installed across multiple OUs appear in the inventory with the OU scope shown per app.
Service accounts across all projects with read access appear in the inventory; per-project filtering is available.
A service account with DWD can impersonate every user in the Workspace tenant - every mailbox, every Drive, every Calendar. It is the highest-blast-radius credential in Workspace. That's why Oleria flags DWD accounts in their own priority queue rather than mixing them with the general service account list.
Connectors poll on a schedule, typically every few hours. New service accounts and OAuth app installs appear in inventory the same day. DWD grants that appear unexpectedly surface for review within hours of creation.