How to validate users, groups, and access in the organization's Google Workspace environment:
1. Tab Users
Description: Complete list of all users registered in Google Workspace.
How to validate:
- Check that every listed user should still exist in the environment, identifying each one by email address or username.
- Terminated users may remain in the list only if the "Account Status" column shows "Suspended" or "Deactivated" (in the Admin console these states are Suspended and Archived), meaning the account is blocked. A former employee whose status is still "Active" is a finding that must be corrected immediately.
- Check the "Last Login Date" column to decide whether the account should remain active. Accounts with no login for an extended period (for example, 90 days) and accounts that have never logged in are candidates for suspension.
- Important: Accounts that do not belong to a natural person (generic, service, or non-nominal users) should not be kept unless there is documented technical justification (e.g., integration or automation accounts). Where such an account is justified, record its owner and purpose so the next review can re-validate it.
- Identify and remove duplicate users and unused accounts.
Main fields to check:
- Full Name
- Username
- Account Status
- Last Login Date
- Organizational Unit
2. Tab Groups
Description: List of all email groups configured in Google Workspace.
How to validate:
- Check that every listed group should still exist in the environment, identifying each one by name or email address.
- Confirm that each group has a clear purpose and is actually being used.
- Check that the listed members should receive the group's messages and be able to read its message history. Remember that a group can also be a member of a Shared Drive, in which case its membership list is effectively an access list.
- Important Note: The groups "abuse", "postmaster", and "security" are reserved for use by the technology infrastructure and must not be modified or removed.
- Identify duplicate or obsolete groups that can be removed.
- Check each group's access settings (who can join, who can post, whether senders outside the organization are accepted, and who can view the history). A group that accepts external posts or lets anyone join is a common source of unwanted mail and of membership that bypasses this review.
Main fields to check:
- Group Name
- Group Email
- Description
- Creation Date
- Group Type
3. Tab Shared Drives
Description: List of all Shared Drives configured in Google Workspace.
How to validate:
- Check if all Shared Drives should exist in the environment based on their name.
- Confirm that each shared drive has a clear purpose and is actively used.
- Validate access permissions for each shared drive by checking the "SharedDrivesACLs" tab.
Main fields to check:
- Shared Drive Name
- Shared Drive ID
- Creation Date
- Member Count
- Owner
4. Tab SharedDrivesACLs (Shared Drives Permissions)
Description: Detailed list of all access permissions to the Shared Drives, one line per member. A member can be a user or a group; a group entry grants the permission to every member of that group.
How to validate:
- Check that each listed member should have access to the Shared Drive indicated on the same line. For lines whose "Member Type" is a group, review that group's membership in the Groups tab, since every member of the group inherits the permission.
- Check that each member's permission is appropriate for their role:
- organizer: Manager, has full control over the Shared Drive, including its settings and membership.
- fileOrganizer: Content manager, has full control over files and folders but cannot change drive settings or manage members.
- writer: Contributor, can create and edit files, but cannot delete files; other destructive actions (such as moving content out of the drive) are restricted.
- commenter (if present in the export): can view and comment on files, but cannot edit them.
- reader: Viewer, can only view and open files, cannot make modifications.
- Remove access from members who no longer need to use the drive.
- Cross-check the "User Email" column against the Users tab: any line for a suspended, archived or non-existent account is a former employee's access and must be removed.
Main fields to check:
- Shared Drive Name
- User Email
- Permission
- Member Type
5. Tab Delegates (Mailbox Delegations)
Description: List of users who have permission to access or manage other users' mailboxes.
How to validate:
- Check that each delegation is still necessary and was authorized.
- Confirm that the mailbox owner is aware of the delegation and approves the access.
- Identify excessive or unnecessary delegations, especially delegates with access to several mailboxes or to executive mailboxes.
- Cross-check both columns against the Users tab: delegations granted to, or by, former employees must be removed immediately, because a delegate can read and send mail from the owner's mailbox.
Main fields to check:
- Owner Email
- Delegate Email
- Permission
- Creation Date
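The cross-checks described for the Users, SharedDrivesACLs and Delegates tabs can be automated once the tabs are exported as CSV. The script below is an added example, not part of the original instructions or of any export tool; it assumes that the CSV headers match the "Main fields to check" listed for each tab, that an active account has the status "Active", and that service accounts can be recognised by a few username prefixes (a heuristic). All sample rows are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample rows for the three tabs. The column headers follow the
# "Main fields to check" lists above; this is an assumption about the export.
USERS_CSV = """Full Name,Username,Account Status,Last Login Date,Organizational Unit
Alice Example,alice@example.com,Active,2024-05-20,/Engineering
Bob Leaver,bob@example.com,Suspended,2023-11-02,/Finance
Backup Service,svc-backup@example.com,Active,2024-05-21,/Service Accounts
Carol Dormant,carol@example.com,Active,2023-08-15,/Sales
Dan New,dan@example.com,Active,,/Sales
"""

ACLS_CSV = """Shared Drive Name,User Email,Permission,Member Type
Finance Reports,alice@example.com,reader,user
Finance Reports,bob@example.com,organizer,user
Finance Reports,ex-contractor@example.com,writer,user
Engineering,eng-team@example.com,writer,group
"""

DELEGATES_CSV = """Owner Email,Delegate Email,Permission,Creation Date
ceo@example.com,bob@example.com,full,2022-01-10
alice@example.com,carol@example.com,full,2024-01-05
"""

# Heuristic (assumed) username prefixes that mark generic or service accounts.
SERVICE_PREFIXES = ("svc-", "noreply", "no-reply", "shared-")
# Fixed review date so the sample output is reproducible.
REVIEW_DATE = date(2024, 6, 1)


def load(csv_text):
    """Parse one export tab (CSV text) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def index_by_username(users):
    """Map lower-cased username -> row, for lookups from the other tabs."""
    return {u["Username"].strip().lower(): u for u in users}


def is_active(user):
    return user["Account Status"].strip().lower() == "active"


def stale_users(users, today, max_idle_days=90):
    """Active accounts whose last login is older than max_idle_days, or missing."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        if not is_active(u):
            continue  # suspended/archived accounts are already blocked
        try:
            last_login = date.fromisoformat(u["Last Login Date"].strip())
        except ValueError:
            last_login = None  # empty or "Never": treat as no login at all
        if last_login is None or last_login < cutoff:
            stale.append(u["Username"].strip().lower())
    return stale


def non_nominal_users(users):
    """Usernames that look like generic/service accounts (prefix heuristic)."""
    return [u["Username"].strip().lower() for u in users
            if u["Username"].lower().split("@", 1)[0].startswith(SERVICE_PREFIXES)]


def _reason(email, by_username):
    """Why an address should not hold access: its status, or absent from Users."""
    row = by_username.get(email)
    return row["Account Status"] if row else "not in Users tab"


def acl_findings(users, acls):
    """Shared Drive ACL lines granted to accounts that are not active users."""
    by_username = index_by_username(users)
    findings = []
    for row in acls:
        if row["Member Type"].strip().lower() != "user":
            continue  # group entries: review the group's membership in the Groups tab
        email = row["User Email"].strip().lower()
        if email in by_username and is_active(by_username[email]):
            continue
        findings.append((row["Shared Drive Name"], email, row["Permission"],
                         _reason(email, by_username)))
    return findings


def delegation_findings(users, delegates):
    """Mailbox delegations whose delegate is not an active user."""
    by_username = index_by_username(users)
    findings = []
    for row in delegates:
        delegate = row["Delegate Email"].strip().lower()
        if delegate in by_username and is_active(by_username[delegate]):
            continue
        findings.append((row["Owner Email"], delegate, _reason(delegate, by_username)))
    return findings


if __name__ == "__main__":
    users = load(USERS_CSV)
    print("stale active accounts:", stale_users(users, REVIEW_DATE))
    print("non-nominal accounts:", non_nominal_users(users))
    for f in acl_findings(users, load(ACLS_CSV)):
        print("shared drive access to review:", f)
    for f in delegation_findings(users, load(DELEGATES_CSV)):
        print("delegation to review:", f)
```

Group entries in the ACL tab are deliberately skipped rather than treated as safe: the script cannot see who is in the group, so those lines still need the manual check against the Groups tab described above.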
6. Tab Domains
Description: List of all domains configured and verified in the Google Workspace tenant.
How to validate:
- Check that all listed domains belong to the organization.
- Confirm the verification status of each domain; an unverified domain cannot be used for accounts or mail and should either be verified or removed.
- Identify unused or old domains that can be removed. Before removing a domain, confirm that no user, alias or group address still uses it and that no mail is still delivered to it, since removal breaks those addresses.
- Validate the MX, SPF, DKIM and DMARC records of each active domain: MX records pointing at Google, an SPF record that includes Google's senders and ends in -all (or ~all), a DKIM selector with a non-empty key, and a DMARC policy with reporting enabled.
Main fields to check:
- Domain Name
- Verification Status
- Primary Domain
- Creation Date
7. Tab Calendars
Description: List of calendars and calendar resources configured in Google Workspace.
How to validate:
- Check that every listed calendar should still exist in the environment.
- Confirm that unused calendars are removed.
- Validate the sharing permissions of each calendar, paying particular attention to calendars shared publicly or with people outside the organization.
Main fields to check:
- Calendar Email
- Description
- Type
- Creation Date
8. Tab Resources
Description: List of calendar resources (meeting rooms, equipment, vehicles, etc.) available for booking.
How to validate:
- Check if all listed resources physically exist or are still needed.
- Confirm that each resource is configured correctly.
- Validate access permissions for booking each resource.
- Remove resources that have been deactivated or are no longer available.
Main fields to check:
- Resource Name
- Resource Type
- Building/Location
- Capacity
9. Tab YouTube
Description: List of YouTube channels associated with Google Workspace.
How to validate:
- Check if all YouTube channels should be associated with the organization.
- Confirm that only authorized channels are on the list.
- Validate administration permissions for each channel.
Main fields to check:
- Channel Name
- Channel ID
- Channel URL
- Creation Date
10. Tab Analytics (Google Analytics / Analytics Admin)
Description: List of Google Analytics accounts and properties linked to the organization's Google accounts.
How to validate:
- Check if all Analytics properties should be associated with the organization.
- Confirm that access is restricted only to authorized users.
- Identify duplicate or unused properties.
Main fields to check:
- Property Name
- Property ID
- Website URL
- Creation Date
11. Tab Policies (Security Policies)
Description: List of security and compliance policies configured in Google Workspace.
How to validate:
- Check if all policies should be active in the environment.
- Confirm that policies align with the organization's security requirements.
- Review obsolete or no longer applicable policies.
- Validate the scope of each policy (which users/groups are affected).
Main fields to check:
- Policy Name
- Policy Type
- Status
- Creation Date
- Scope / Target
Permission Descriptions for Shared Drives
| Permission Level | Description | Can Do |
|---|---|---|
| organizer | Manager | Create, edit, delete files and folders; change drive settings; manage members and permissions; view activity reports |
| fileOrganizer | Content manager | Create, edit, delete files and folders; manage sharing of individual files; CANNOT change drive settings or manage members |
| writer | Contributor | Create and edit files and folders; CANNOT delete files; other destructive actions are restricted |
| commenter | Commenter | Only view and comment on files; CANNOT edit (listed in case it appears in the export) |
| reader | Viewer | Only view and open files; CANNOT make modifications |
Important Notes
- Review regularly: This audit process should be performed periodically to ensure that accesses and resources are always up to date.
- Principle of Least Privilege: When validating permissions, always apply the principle of least privilege, ensuring users have only the permissions strictly necessary to perform their functions.
- Restricted Groups: Remember that the groups "abuse", "postmaster", and "security" are reserved and managed by the technology infrastructure. They should not be manually modified.
- Documentation: Keep documentation updated about the purpose of each resource (Shared Drives, groups, calendars, etc.) to facilitate future audits.
- Compliance: Ensure all settings comply with the organization's security and governance policies, as well as regulatory compliance requirements.
- Access Audit: Review the access logs in the Admin console's audit and investigation tool (especially the Drive and Groups logs) to identify abnormal or unauthorized access.
After completing the validation of all tabs, reply to this email confirming approval or indicating the necessary adjustments.