> For the complete documentation index, see [llms.txt](https://docs.forestall.io/fsprotect/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.forestall.io/fsprotect/settings/gcp-configurations/domain-wide-delegation.md).

# Domain-Wide Delegation

This guide details how to authorize your Service Account to access Google Workspace data by setting up Domain-Wide Delegation (DwD). DwD lets the service account "impersonate" your Admin Email, so that API calls run with that admin's read access to users, groups, devices and organization (customer) metadata.

***

### 🔐 Prerequisites

Before starting, ensure you have:

1. The Client ID: the numeric OAuth 2 client ID of your Service Account. It is the `client_id` field of the JSON key file (not the `client_email`), and is also shown as the Unique ID on the service account's details page in the GCP Console under IAM & Admin > Service Accounts.
2. Super Admin Access: You must be a Super Admin in the [Google Admin Console](https://admin.google.com/).

<figure><img src="/files/O9ChYx5bKIY5VsF7HzT3" alt=""><figcaption><p>Manage Domain Wide Delegation</p></figcaption></figure>

***

### Step 1: Navigate to API Controls

1. Log in to the Google Admin Console.
2. In the left-hand menu, navigate to Security > Access and data control > API controls.
3. Scroll down to the Domain-wide delegation section at the bottom.
4. Click MANAGE DOMAIN WIDE DELEGATION.

***

### Step 2: Register the API Client

<figure><img src="/files/14myr2P60fxvU8hNGB8T" alt=""><figcaption><p>DWD Add New Button</p></figcaption></figure>

1. On the Domain-wide Delegation page, click the Add new button next to the "API clients" list.
2. A dialog box will appear. Enter the following information:
   * Client ID: Paste the numeric Client ID for your Service Account.
   * OAuth Scopes: copy and paste the following list into the field. It is a single comma-separated line; every scope the application requests must appear here, or token requests fail with `unauthorized_client`:

<figure><img src="/files/glcE6D2cadBZB1Ee6Njc" alt=""><figcaption><p>Add a new Client ID and OAuth Scopes</p></figcaption></figure>

```
https://www.googleapis.com/auth/cloud-identity.devices.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly
```

3. Click Authorize.

***

### 📋 Authorized Scopes Reference

Once authorized, your Service Account will be able to perform the following functions:

| **Scope**                           | **Application Service** | **Purpose**                                              |
| ----------------------------------- | ----------------------- | -------------------------------------------------------- |
| `admin.directory.user.readonly`     | GCPUserClientService    | Read-only access to user profiles and metadata.          |
| `admin.directory.group.readonly`    | GCPGroupClientService   | List organization groups and view their memberships.     |
| `cloud-identity.devices.readonly`   | GCPDeviceClientService  | View and inventory managed devices in the organization.  |
| `admin.directory.customer.readonly` | Core Service            | Read organization-level configuration and customer data. |

***

### ✅ Verification

1. Check the list of API Clients to ensure your Client ID appears with the correct scopes.
2. Return to your application's GCP Configuration page.
3. Enter the Admin Email (the user being impersonated) and click Test. This must be a real Google Workspace account with admin privileges: DwD only lets the Service Account act as that user, so the directory reads succeed only if that user could perform them.
4. If the test passes, the Service Account is successfully authorized to "act as" the admin for these specific read-only tasks.
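
The following script is an added example, not part of fsprotect or this page. It reproduces what the Test button does from the command line and adds an offline pre-flight: it pulls the numeric client ID out of a constructed stand-in for the JSON key file, produces the exact scope line to paste, and predicts the `unauthorized_client` failure you get when a requested scope is missing from the registered list. The live check assumes the `google-auth` and `google-api-python-client` packages, a real key file and network access; the file name `dwd_check.py` and all sample values are made up.

```python
"""Pre-flight and live check for the Domain-Wide Delegation grant set up above.

Added example, not fsprotect's own code. Assumes a service-account key
file exported from GCP and the four read-only scopes this page registers.
The offline helpers validate what you are about to paste into the Admin
Console; live_check() reproduces what the Test button does and needs
google-auth and google-api-python-client installed plus network access.
"""
import json
import re
from typing import Iterable

# The scopes this page registers. Google compares the *set* requested at
# token time against the set registered for the client ID; one missing
# scope makes the whole token request fail with unauthorized_client.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/cloud-identity.devices.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.customer.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
)

# Constructed stand-in for the JSON key file (private key omitted);
# every value below is made up.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "fsprotect-reader@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def client_id_from_key(key_json: str) -> str:
    """Return the numeric OAuth client ID the Admin Console asks for.

    It is the ``client_id`` field of the key file, not ``client_email``;
    pasting the e-mail address is a common reason the Test step fails.
    """
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    client_id = str(key["client_id"])
    if not re.fullmatch(r"\d{15,25}", client_id):
        raise ValueError(f"client_id is not numeric: {client_id!r}")
    return client_id


def paste_string(scopes: Iterable[str] = REQUIRED_SCOPES) -> str:
    """Scopes as one comma-separated line for the OAuth Scopes field."""
    return ",".join(s.strip() for s in scopes)


def missing_scopes(registered: str,
                   requested: Iterable[str] = REQUIRED_SCOPES) -> list[str]:
    """Requested scopes absent from the list registered for the client ID.

    ``registered`` is the scope text shown beside the client ID on the
    Domain-wide Delegation page (comma and/or whitespace separated).
    A non-empty result predicts an ``unauthorized_client`` error.
    """
    have = {s for s in re.split(r"[,\s]+", registered) if s}
    return sorted(set(requested) - have)


def live_check(key_path: str, admin_email: str) -> dict[str, int]:
    """Impersonate admin_email and read from every API the scopes cover.

    Returns how many items each read-only call returned. Raises
    google.auth.exceptions.RefreshError (unauthorized_client) when the
    grant does not cover REQUIRED_SCOPES, or an HttpError (403) when the
    impersonated user lacks admin rights for the Directory API.
    """
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    # with_subject() sets the JWT 'sub' claim: the user being impersonated.
    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=list(REQUIRED_SCOPES)).with_subject(admin_email)
    directory = build("admin", "directory_v1", credentials=creds)
    identity = build("cloudidentity", "v1", credentials=creds)

    users = directory.users().list(customer="my_customer", maxResults=5).execute()
    groups = directory.groups().list(customer="my_customer", maxResults=5).execute()
    customer = directory.customers().get(customerKey="my_customer").execute()
    devices = identity.devices().list(customer="customers/my_customer",
                                      pageSize=5).execute()
    return {
        "users": len(users.get("users", [])),
        "groups": len(groups.get("groups", [])),
        "customer": 1 if customer.get("id") else 0,
        "devices": len(devices.get("devices", [])),
    }


if __name__ == "__main__":
    import sys
    print("Client ID to register:", client_id_from_key(SAMPLE_KEY_JSON))
    print("OAuth Scopes to paste:", paste_string())
    if len(sys.argv) == 3:  # python dwd_check.py key.json admin@example.com
        print(live_check(sys.argv[1], sys.argv[2]))
```

Run it with no arguments to get the client ID and scope line to paste; run it with the key file path and the Admin Email to exercise each of the four APIs under impersonation. A `RefreshError` mentioning `unauthorized_client` means the grant in the Admin Console does not match the requested scope set (or the client ID is wrong), while a 403 from the Directory API means the impersonated account is not an admin.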

> Domain-Wide Delegation is extremely powerful: the grant authorizes the client ID to impersonate any user in your Workspace domain for the listed scopes, not only the Admin Email you enter, so treat the Service Account key file as a domain-wide credential. Grant only the minimum required scopes (listed above), and review the API clients list periodically to remove grants that are no longer needed.


