Google Chat
Discover installed Chat apps, bot tokens/scopes, **spaces** (rooms/DMs), memberships, webhooks and message automations. Govern non-human identities and their effective permissions across Google Workspace — stop risky actions before impact.
What the connector discovers
- Chat Apps, Bots & Scopes
Apps registered in Google Cloud Console/Apps Script; OAuth scopes (chat.bot, chat.messages, chat.spaces) and token metadata (no secrets persisted in plaintext).
- Spaces & Memberships
Spaces (rooms, group DMs, DMs), visibility (private/organizational), owners/managers/members, external participants and history settings.
- Webhooks & Slash Commands
Incoming webhooks, slash commands and Apps Script automations; targets, allowed domains and data egress patterns.
- Drive Links & File Signals
Shared Drive / My Drive links posted in Chat, public link usage, external sharing hints and retention alignment (metadata only).
- Audit & Admin Signals
Workspace audit logs for app installs, config changes, external messages, file link posting and membership churn.
Google Chat pairs tightly with Drive and Gmail. Apps and automations can move sensitive files or messages at scale. ClarioSec adds **runtime governance**: drift-aware scoring, pre-execution controls and audit-grade narratives.
Drift-aware risk scoring
Baselines per app/bot; peer groups by team; detection of scope expansion, broad space reach, dormant tokens, excessive external participants and anomalous file/message flows.
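A minimal sketch of the baseline comparison described above, added here as an illustration and not ClarioSec's implementation. The inventory shape, the app names, the 90-day dormancy window and the 50-space reach threshold are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed thresholds for this sketch; the page does not state any.
DORMANT_AFTER = timedelta(days=90)
BROAD_REACH_SPACES = 50
P = "https://www.googleapis.com/auth/"  # Google OAuth scope prefix


def drift_findings(baseline, current, now):
    """Return sorted (app_id, finding, detail) tuples for drift from baseline."""
    findings = []
    for app_id, cur in current.items():
        base = baseline.get(app_id)
        if base is None:
            # No baseline yet: every granted scope is unreviewed.
            findings.append((app_id, "new_app", " ".join(sorted(cur["scopes"]))))
            continue
        added = set(cur["scopes"]) - set(base["scopes"])
        if added:
            findings.append((app_id, "scope_expansion", " ".join(sorted(added))))
        if cur["spaces"] >= BROAD_REACH_SPACES and cur["spaces"] > base["spaces"]:
            findings.append((app_id, "broad_space_reach", f'{base["spaces"]} -> {cur["spaces"]}'))
        idle = now - cur["last_used"]
        if cur["scopes"] and idle >= DORMANT_AFTER:
            findings.append((app_id, "dormant_token", f"idle {idle.days} days"))
    return sorted(findings)


# Constructed sample inventory (hypothetical apps, not output of any tool).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
BASELINE = {
    "standup-bot": {"scopes": {P + "chat.bot"}, "spaces": 4, "last_used": NOW},
    "legacy-notifier": {"scopes": {P + "chat.messages"}, "spaces": 12,
                        "last_used": NOW - timedelta(days=30)},
}
CURRENT = {
    "standup-bot": {"scopes": {P + "chat.bot", P + "chat.spaces"}, "spaces": 63,
                    "last_used": NOW - timedelta(days=1)},
    "legacy-notifier": {"scopes": {P + "chat.messages"}, "spaces": 12,
                        "last_used": NOW - timedelta(days=140)},
    "export-helper": {"scopes": {P + "chat.messages"}, "spaces": 2,
                      "last_used": NOW - timedelta(days=2)},
}

if __name__ == "__main__":
    for app_id, finding, detail in drift_findings(BASELINE, CURRENT, NOW):
        print(f"{app_id:16} {finding:18} {detail}")
```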
Pre-execution enforcement
Allow / Alert / Block / Approve with governed overrides. Minimize scopes, revoke tokens, and require JIT approvals before sensitive posting or private-space access.
Audit-grade narratives
Each decision yields **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), including before/after scopes, affected spaces/files and owner context.
Connect Google Chat
ClarioSec connects via the **Google Chat API** and **Admin SDK**, using either an OAuth 2.0 client or a service account (domain-wide delegation).
- Option A — OAuth client (simple)
In Google Cloud Console: create an OAuth client for a Workspace admin account and consent to the read scopes for Chat/Admin SDK.
- Option B — Service Account (recommended at scale)
Create a service account, enable **domain-wide delegation**, and authorize read-only scopes in the Admin Console for discovery.
- Required APIs
Enable: chat.googleapis.com, admin.googleapis.com, drive.googleapis.com (for link metadata).
- Add in ClarioSec
Open the Google Chat connector and paste the OAuth credentials (or the service account JSON plus the impersonated admin email). Credentials are stored per-tenant.
High-value signals via Chat API, Admin SDK, and (metadata-only) Drive:
- Chat apps/bots & OAuth scopes (no secret values persisted in plaintext)
- Spaces, memberships, managers/owners, external participants, history setting
- Incoming webhooks, slash commands, Apps Script automations (metadata)
- Drive links posted in Chat (visibility/public link flags), retention hints
- Admin & audit signals: app installs, permission/config changes, membership churn
Endpoint family: Google Chat API, Admin SDK Directory/Reports, Drive (file/link metadata only).
- Over-privileged apps & dormant tokens
Bots with broad scopes posting to many spaces; unused apps with retained access.
- File exfiltration & public links
Drive links with public or external visibility posted in sensitive spaces.
- External participants
Guests or external domains in sensitive spaces without guardrails; history turned on where it should be off.
- Risky automations
Apps Script/webhooks moving data out of the tenant or posting into private spaces without approvals.
- Just-in-time approvals for new app installs and scope upgrades
- Automatic scope minimization & token revocation (dormant/risky)
- Owner attestations for bots, webhooks & automations
- Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act
Ready to govern Google Chat apps and bots at runtime?
Move from app posture to provable behavior — identity → scope → action → narrative.