
Domain-Wide Delegation in Google Admin


Domain-wide delegation is a Google Workspace feature that allows third-party applications to access user data across your entire organization without requiring individual user consent. This powerful capability enables service accounts to make API calls on behalf of any user in your domain.

It also gives G Suite admins the ability to revoke an application's delegated access at any time, which can make it preferable to OAuth-based authorization granted by individual users.

What is Domain-Wide Delegation?

Domain-wide delegation allows a service account to impersonate and act on behalf of any user within your Google Workspace domain. When properly configured, a service account with domain-wide delegation can:

  • Access user data without user interaction
  • Perform actions as if it were the user
  • Operate across your entire organization

This functionality is particularly useful for:

  • Enterprise applications that need to access user data
  • Administrative tools that manage resources across your organization
  • Reporting and monitoring solutions that need broad access

How Domain-Wide Delegation Works

  1. A service account is created in a Google Cloud project
  2. The service account is granted specific OAuth scopes that define what data it can access
  3. An administrator enables domain-wide delegation for the service account in the Google Workspace Admin Console
  4. The application uses the service account to generate access tokens for specific users
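Step 4 above, as an added example that is not part of this page or of any Google library: it assembles the JWT-bearer assertion a service account signs to act as one user (the `sub` claim) and the form body sent to Google's token endpoint, refusing scopes outside an allowlist of what the admin actually delegated. The claim names and endpoint are Google's; the service account address, user and allowlist are constructed, and RS256 signing with the service account's private key plus the HTTPS POST are left out so it runs offline.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"          # Google's OAuth 2.0 token endpoint
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # Google rejects assertions valid for longer than one hour

# Constructed allowlist: the only scopes delegated to this client ID in the Admin
# Console (Security > API controls > Domain-wide delegation). Read-only where possible.
GRANTED_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}

def b64url(data: bytes) -> str:
    """Unpadded base64url encoding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_scopes(requested, granted=GRANTED_SCOPES):
    """Least privilege: return the requested scopes that were never delegated (empty set if all ok)."""
    return set(requested) - set(granted)

def build_signing_input(sa_email, user, scopes, now=None, lifetime=MAX_LIFETIME):
    """Return the 'header.payload' string the service account's RSA key must sign (RS256)."""
    undelegated = check_scopes(scopes)
    if undelegated:
        raise PermissionError(f"scopes not delegated to this client: {sorted(undelegated)}")
    if lifetime > MAX_LIFETIME:
        raise ValueError("assertion lifetime exceeds one hour")
    now = int(now if now is not None else time.time())
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": sa_email,            # the service account's client_email
        "sub": user,                # the Workspace user being impersonated
        "scope": " ".join(scopes),  # space-delimited OAuth scopes
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return compact(header) + "." + compact(claims)

def token_request(signing_input, signature: bytes):
    """Form body for the POST to TOKEN_URI; signature is the raw RS256 signature over signing_input."""
    return {"grant_type": JWT_BEARER, "assertion": signing_input + "." + b64url(signature)}

def claims_of(assertion):
    """Decode the claim set of an assertion, e.g. when auditing outbound token requests."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

The resulting access token is scoped to the named user only, so a defender reviewing token requests can check `sub`, `scope` and `exp - iat` against policy with `claims_of`.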

Security Considerations

Domain-wide delegation grants significant access to your organization’s data. Consider these security best practices:

  • Limit OAuth scopes: Only grant the minimum permissions necessary
  • Audit regularly: Monitor which service accounts have domain-wide delegation
  • Implement proper controls: Secure the service account’s private key
  • Review access: Periodically verify which applications have domain-wide delegation

When to Use Domain-Wide Delegation

Domain-wide delegation is appropriate when:

  • Your application needs to access data across multiple users
  • User interaction for consent is not feasible
  • You need programmatic access to user data
  • You’re developing administrative or security tools

For applications that only need access to a single user’s data, standard OAuth authorization is typically more appropriate.

Related Information

For instructions on how to set up domain-wide delegation for an application, see our guide on Adding an Application to Domain-Wide Delegation.