Product scopes

🔬 Google

  • Scope Name: https://www.googleapis.com/auth/admin.directory.domain.readonly
  • Used in following modules: Users sync, Data Protection
  • Purpose: This scope is needed for the directory scanner integration that helps elba synchronize Google Workspace users with elba users automatically. It is also used to read the workspace domain information so that elba can function properly and recognise which permissions and users are external vs. internal to the organisation. This scope provides read-only access to domain-level information such as domain name, domain aliases, and domain verification status.
  • Scope Name: https://www.googleapis.com/auth/directory.readonly
  • Used in following modules: Users sync
  • Purpose: This scope is needed for the security scanner integration to see the organization's Google Workspace directory. This integration needs this scope to list the organisation users and sync them with elba. It provides read-only access to view the Google Workspace directory.
  • Scope Name: https://www.googleapis.com/auth/userinfo.profile
  • Used in following modules: Users sync
  • Purpose: This scope is needed for the security scanner integration to see the information for a user to keep it synced with elba (first name, last name, profile picture, email). It provides read-only access to view the user’s profile information.
  • Scope Name: https://www.googleapis.com/auth/admin.directory.group.member.readonly
  • Used in following modules: Data Protection
  • Purpose: This scope is needed for the security scanner integration that generates alerts for Google Drive files and folders that might be shared externally. This module needs to read the group membership information to determine which users have access to the resource. This scope provides read-only access to view group member roles and information.
  • Scope Name: https://www.googleapis.com/auth/admin.directory.user.readonly
  • Used in following modules: All
  • Purpose: This scope is needed for the directory scanner integration to see info about users on the Google Workspace domain. This integration needs this scope to match users on the Google Workspace domain with Elba users. It provides read-only access to view user information on the organisation domain.
  • Scope Name: https://www.googleapis.com/auth/admin.reports.audit.readonly
  • Used in following modules: All
  • Purpose: This scope is needed for the security scanner integration to view audit reports for the Google Workspace domain. This integration needs this scope to monitor and detect any suspicious activity that might compromise the security of the domain. It provides read-only access to view audit reports for the Google Workspace domain.
  • Scope Name: https://www.googleapis.com/auth/admin.reports.usage.readonly
  • Used in following modules: All
  • Purpose: This scope is needed for the security scanner integration to view usage reports for the Google Workspace domain. This integration needs this scope to monitor and detect any abnormal usage patterns that might indicate a security breach. It provides read-only access to view usage reports for the Google Workspace domain.
  • Scope Name: https://www.googleapis.com/auth/drive
  • Used in following modules: Data Protection
  • Purpose: This scope is needed for the security scanner integration to see, edit, create, and delete files in the organisation's Google Drive. This integration needs this scope to detect any sensitive data that might be exposed or shared with external users. It allows remediating permissions on files that are shared too broadly.
  • Scope Name: https://www.googleapis.com/auth/drive.activity.readonly
  • Used in following modules: Data Protection
  • Purpose: This scope is needed for the security scanner integration to view the activity record of files in the organisation's Google Drive and decide how to prioritise / auto-fix issues depending on their last access time or creation time. This integration needs this scope to detect any unusual or suspicious activity related to files in the organisation’s Google Drive. It provides read-only access to view the activity record of files in the organisation’s Google Drive.
  • Scope Name: https://www.googleapis.com/auth/gmail.insert
  • Used in following modules: Phishing
  • Purpose: This scope is needed for the phishing module integration to insert phishing emails into the organisation users’ Gmail inboxes. This integration needs this scope to run automated phishing campaigns on the organisation’s users to test their awareness of phishing attacks. It provides the ability to insert phishing emails into the users' Gmail inboxes.
  • Scope Name: https://www.googleapis.com/auth/admin.directory.group.readonly
  • Used in following modules: All
  • Purpose: This scope is used for accessing read-only information about groups within the Google Workspace domain. It is used to make use of these groups inside elba, for example by targeting specific groups for phishing campaigns.

🔬 SharePoint & OneDrive

  • Scope Name: Site.FullControl.All
  • Used in following modules: Data Protection
  • Purpose: Required for the integration to retrieve file metadata & sharing permissions.
  • Scope Name: User.Read.All
  • Used in following modules: Data Protection
  • Purpose: Needed for the integration to sync user profile information with elba.

🔬 Slack

General auth flow & fetch account details

  • Scope Name: team:read
  • Purpose: Permits elba to view the name, email domain, and icon for workspaces a user is connected to. This scope is critical for helping the administrator connect the right workspace when installing our application and later provides the correct context to end-users, enhancing user experience and administrative efficiency.
  • Scope Name: users:read
  • Purpose: Allows elba to view people in a workspace. By listing all users, elba can match them with users in our database, enabling the administrator installing the application to accurately understand who shared what type of sensitive information. This is fundamental for managing permissions and ensuring appropriate actions are taken to protect data privacy.

Data Protection

  • Scope Name: channels:history
  • Purpose: Allows elba to view messages and other content in a user's public channels. This is crucial for our Data Protection service to detect whether messages contain sensitive information that could be accessed by a large number of collaborators, ensuring data privacy and security.
  • Scope Name: channels:read
  • Purpose: Enables elba to view basic information about public channels in a workspace. This information aids our Data Protection service in identifying the channels where messages containing sensitive information are located, helping users to retrieve and decide if these messages should be obfuscated or removed to maintain confidentiality.
  • Scope Name: groups:read
  • Purpose: Allows elba to view basic information about a user’s private channels. Access to this information is essential for performing security checks within private channels, ensuring comprehensive coverage in our efforts to protect sensitive information shared in all types of channels.

🔬 Confluence

  • Scope Name: offline_access
  • Used in following modules: sign-in
  • Purpose: Refresh the OAuth token of the admin.
  • Scope Name: access_email_addresses
  • Used in following modules: Users sync
  • Purpose: Access users' email addresses.
  • Scope Name: read:me
  • Used in following modules: sign-in
  • Purpose: Retrieve the user who registered the app on source connection, to check whether their role is admin.
  • Scope Name: read:account
  • Used in following modules: Users sync
  • Purpose: Required to read the account (profile) details of a user other than the admin.
  • Scope Name: read:confluence-content.summary
  • Used in following modules: Data protection
  • Purpose: Required to retrieve a specific content object from Confluence API.
  • Scope Name: read:confluence-content.all
  • Used in following modules: Data protection
  • Purpose: Required to access all content sub-properties, such as history.
  • Scope Name: read:confluence-space.summary
  • Used in following modules: Data protection
  • Purpose: Required to list the spaces of a Confluence instance.
  • Scope Name: read:space.permission:confluence
  • Used in following modules: Data protection
  • Purpose: Required to list space permissions.
  • Scope Name: write:space.permission:confluence
  • Used in following modules: Data Protection
  • Purpose: Required to update & delete space access permissions for a user or for public access.
  • Scope Name: read:confluence-groups
  • Used in following modules: Users sync & Group sync
  • Purpose: Required to list the groups. Note that users can only be listed from groups.
  • Scope Name: read:confluence-user
  • Used in following modules: Users sync & Group sync
  • Purpose: Required to list the members of groups.
  • Scope Name: write:confluence-content
  • Used in following modules: Data protection
  • Purpose: Required to update & delete content restrictions.

🔬 Okta

  • Scope Name: okta.apps.read
  • Used in following modules: User sync
  • Purpose: Read the users assigned to the elba Okta app. This avoids syncing to elba every user who is not assigned to the elba Okta app.
  • Scope Name: okta.users.read
  • Used in following modules: Users sync
  • Purpose: Read users profiles.
  • Scope Name: okta.roles.read
  • Used in following modules: sign-in
  • Purpose: Used to check on sign-up if the user is an admin.
  • Scope Name: okta.groups.read
  • Used in following modules: Users sync
  • Purpose: Required to sync all the groups existing on the Okta organisation.

🔬 M365

  • Scope Name: User.Read
  • Used in following modules: Initial Sign-In
  • Purpose: This scope is utilized during the initial sign-in process. It is necessary to allow elba to access basic profile information of the signing-in user. This includes user ID, name, and email.
  • Scope Name: Directory.Read.All
  • Used in following modules: Initial Sign-In, Users Sync, Groups Sync
  • Purpose: This scope is used for accessing read-only information about groups within the Microsoft domain. It is used to make use of these groups inside elba, for example by targeting specific user groups with phishing campaigns.
  • Scope Name: User.Read.All
  • Used in following modules: Users Sync (Admin Consent Required)
  • Purpose: This scope, requiring admin consent, is vital for users syncing. It grants elba read access to all user profiles in the organization's Microsoft workspace. This includes profile details. It's pivotal for matching users in the Microsoft workspace with elba users and provisioning elba accounts.
  • Scope Name: Mail.ReadWrite
  • Used in following modules: Phishing
  • Purpose: This scope is essential for the phishing module integration. It grants elba the ability to insert e-mails in user mailboxes. This is used for inserting phishing simulation emails into the organization users' inboxes. It enables elba to conduct controlled phishing awareness campaigns, crucial for training and assessing the organization's readiness against phishing threats.
  • Scope Name: Application.ReadWrite.All
  • Used in following modules: Third Party Apps (Admin Consent Required)
  • Purpose: This scope grants the application read and write access to all resources in the organization on behalf of the signed-in user. It allows the application to read and modify data across the entire organization without a signed-in user being present. Essentially, it gives the application full control over resources within the organization, including user data, group memberships, organizational data, and more.
  • Scope Name: DelegatedPermissionGrant.ReadWrite.All
  • Used in following modules: Third Party Apps (Admin Consent Required)
  • Purpose: This scope grants the signed-in user the ability to read and write delegated permission grants on behalf of other users. It allows the user to manage the permissions granted to other users or applications within the organization. With this scope, the user can view, modify, or revoke permissions granted by them or by other users to applications.

🔬 Dropbox

  • Scope Name: account_info.read
  • Used in following modules: Initial Sign-In, Users Sync, Groups Sync
  • Purpose: Allows elba to view basic information about your Dropbox account such as your username, email, and country. This is essential for personalizing user experience and ensuring account security.
  • Scope Name: team_info.read
  • Used in following modules: Initial Sign-In, Users Sync, Groups Sync
  • Purpose: Enables viewing basic information about your team, including names, user count, and team settings. This helps in managing team accounts and understanding team dynamics within Dropbox.
  • Scope Name: team_data.member
  • Used in following modules: Initial Sign-In, Users Sync, Groups Sync
  • Purpose: Allows elba to list team folders & shared folders containing team members, which is crucial for the security checks.
  • Scope Name: members.read
  • Used in following modules: Initial Sign-In, Users Sync, Groups Sync
  • Purpose: Allows elba to view your team membership, important for understanding the team structure and for administrative purposes like managing permissions.
  • Scope Name: groups.read
  • Used in following modules: Initial Sign-In, Users Sync, Groups Sync
  • Purpose: Allows elba to retrieve information about groups & the members of those groups.
  • Scope Name: files.metadata.read
  • Used in following modules: Data protection
  • Purpose: Allows elba to retrieve the metadata of a file or folder, in order to enrich that file or folder with more information.
  • Scope Name: sharing.write
  • Used in following modules: Data protection
  • Purpose: Allows elba to view and manage your Dropbox sharing settings and collaborators. This scope is important for controlling who has access to your files or folders and ensuring secure file sharing.
  • Scope Name: sharing.read
  • Used in following modules: Data protection
  • Purpose: Allows elba to list all shared links of a user & the file/folder metadata; it is essential to get the information about the file/folder.
  • Scope Name: team_data.governance.write
  • Used in following modules: Data protection
  • Purpose: View and edit governance data of your team's files and folders.
  • Note: the team_data.member scope has a dependency on team_data.governance.write.
  • Scope Name: team_data.governance.read
  • Used in following modules: Data protection
  • Purpose: View governance data of your team's files and folders.
  • Note: the team_data.member scope has a dependency on team_data.governance.read.
  • Scope Name: team_data.content.read
  • Used in following modules: Data protection
  • Purpose: Allows elba to read the information of the team's files/folders.
  • Scope Name: files.team_metadata.read
  • Used in following modules: Data protection
  • Purpose: Allows elba to read the metadata information of the team's files/folders.
  • Scope Name: sessions.list
  • Used in following modules: Third-party apps
  • Purpose: Allows elba to list all linked applications of the team members for the security check.
  • Scope Name: sessions.modify
  • Used in following modules: Third-party apps
  • Purpose: Allows elba to revoke a linked application of a team member.