Audit and Policy for G Suite Apps

With the GAT+  you can audit and set policies for additional apps running in your Google Apps environment. These third-party G Suite apps are given permission to access user data via API access which users enable once installing those apps.

GAT+ provides two different audit areas to analyze this information.

In User audit, Application Tab.

In the Side Menu of GAT+ select the ‘Users’ audit and then the Applications Tab

In the Side Menu of GAT+ select the ‘Users’ audit and then the Applications Tab

You can then search for any user, group or OU to focus on a subset of users. This will list by email and name showing the number of apps each user has granted API access to. You can click on the Apps column heading to sort by the number of apps installed for each user. Clicking on the number in this column takes you directly through to the Applications audit section to view further details.

For more of an in-depth look of 3rd party apps navigate to Applications audit section.

For more of an in-depth look of 3rd party apps, navigate to Applications audit section.
The Applications tab within the Application audit section will display the name of the apps installed, the scope they’ve been given, scope risk score(where we give a score based on the risk involved) required by the application.

The Applications tab within the Application audit section will display the name of the apps installed, the scope they’ve been given, scope risk score(where we give a score based on the risk involved) required by the application.

Low –  Is where the applications require just the basic access, the medium is where more access is required.

High – Is where full access is required like access to drive content, email content, and directory contacts.

From this page, you can search for apps under a wide range of criteria. For any given app you can set a number of policy conditions, these are for both enforcement and classification.

Apps can be:

  • Banned
  • Trusted

You can Ban an application for individual users by entering their email addresses or you can use Google Groups or Organisation Units to cover multiple users at once. A Ban policy will prevent the cloud-based application from gaining access to the API permission it once had. GAT+ will block these privileges from being accessed.

Note: Users can manually enable these permissions again once the app is launched. GAT+ will detect this and disable those permissions once more.

A single app can be both partially banned and partially trusted.

All other apps remain unclassified.

To create a policy for an application, click on the ‘+’ button.

To create a policy for an application, click on the ‘+’ button.

The default policy setting is ‘Ban’. Select which users will be covered by this policy. When the policy is ready click ‘Save’ to have it enforced.

To Remove a policy, click the ‘bin’ at the end of each individually named policy to remove that policy.

To Remove a policy, click the ‘bin’ at the end of each individually named policy to remove that policy.