Google Workspace — Overview
Status: Scaffold — content in progress
Google Workspace (formerly G Suite) is Google's cloud productivity suite. Its identity foundation is Cloud Identity, which manages users, groups, and authentication for Workspace apps and Google Cloud.
Key Components
| Component | Description |
|---|---|
| Cloud Identity | Core directory service |
| Admin Console | Web UI for Workspace administration |
| Google Directory API | SCIM-like provisioning |
| Google Workspace Admin SDK | Programmatic admin access |
| OAuth2 Scopes | Granular permission model for API access |
Privileged Roles
| Role | Power |
|---|---|
| Super Admin | Full control — equivalent to Global Admin |
| Groups Admin | Manage all groups (can add self to sensitive groups) |
| Service Account Token Creator | Create tokens for any service account |
Attack Surface
- Super Admin account without MFA → full tenant compromise
- Service accounts with domain-wide delegation → impersonate any user in domain
- OAuth apps with broad scopes → data access without user interaction
- Admin SDK abuse → enumerate users, add backdoor delegates
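The first three risks in the list above can be checked offline against exported inventory. The following is an added example, not part of the original page or any Google tooling: the user and token field names follow the Directory API User and Token resources, while the delegation record layout, the `BROAD_SCOPES` policy set, and all sample data are assumptions constructed for illustration.

```python
# Added example: offline audit of constructed Workspace inventory data.
# User/token field names follow the Directory API User and Token resources;
# the delegation record layout is an assumption (e.g. a manual export).

# Scopes treated as "broad" here: an assumed policy choice, tune per tenant.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/cloud-platform",
}

def audit(users, delegations, tokens):
    """Return sorted (finding, subject, detail) tuples for the three risks."""
    findings = []
    for u in users:
        # Super Admin (isAdmin) not enrolled in 2-Step Verification.
        if u.get("isAdmin") and not u.get("isEnrolledIn2Sv"):
            findings.append(("admin_no_2sv", u["primaryEmail"], ""))
    for d in delegations:
        # Domain-wide delegation client holding a broad scope.
        for s in sorted(BROAD_SCOPES.intersection(d["scopes"])):
            findings.append(("dwd_broad_scope", d["clientId"], s))
    for t in tokens:
        # Per-user OAuth grant to an app holding a broad scope.
        subject = f'{t["userKey"]}:{t["displayText"]}'
        for s in sorted(BROAD_SCOPES.intersection(t["scopes"])):
            findings.append(("oauth_broad_scope", subject, s))
    return sorted(findings)

# Constructed sample data (not from a real tenant; userKey shown as an email).
USERS = [
    {"primaryEmail": "root@example.com", "isAdmin": True, "isEnrolledIn2Sv": False},
    {"primaryEmail": "ops@example.com", "isAdmin": True, "isEnrolledIn2Sv": True},
    {"primaryEmail": "amy@example.com", "isAdmin": False, "isEnrolledIn2Sv": False},
]
DELEGATIONS = [
    {"clientId": "100000000000000000001",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "100000000000000000002",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
TOKENS = [
    {"userKey": "amy@example.com", "displayText": "Notes Sync",
     "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
]

if __name__ == "__main__":
    for finding in audit(USERS, DELEGATIONS, TOKENS):
        print(*finding, sep="\t")
```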
Cross-Links