# 41 Periodic access recertification

> v0.1.3 · role: Assure · [policy: #29 · #28, #12](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

A quarterly cycle in which every grant class — admin roles, group memberships, shared-drive membership, OAuth grants, mailbox delegates — is enumerated into one attestation sheet, sent to its named owner, and revoked unless the owner re-affirms it. The default on no reply is revoke. The signed sheet, not the enumeration script, is the audit evidence.

Documentation: [Security checklist for medium and large businesses (100+ users)](https://knowledge.workspace.google.com/admin/security/security-checklist-for-medium-and-large-businesses-100-users)

## Caveats

- Recertification that defaults to KEEP on no-reply is theatre — the default must be revoke, or the cycle only ever adds access.
- A scripted enumeration that silently 404s produces a clean, empty, wrong report — read the console's admin-role list as a cross-check on the script's row count, remembering the console shows direct assignments only and omits roles inherited through group membership.
- Group membership is the grant path people forget — a user with no admin role still inherits shared-drive and app access through a group.
- It depends on the account inventory (№5) being real — you cannot recertify grants for accounts you do not know exist.

## Setup steps

1. Enumerate every grant class into one attestation sheet — admin roles, group memberships, shared-drive membership, OAuth grants, delegates.

   ```
   gam print admins
   gam print group-members
   gam print shareddrives
   gam all users print tokens
   gam all users print delegates
   ```

   docs: [Control which apps access Google Workspace data](https://knowledge.workspace.google.com/admin/apps/control-which-apps-access-google-workspace-data) · [Let users delegate access to a Gmail account](https://knowledge.workspace.google.com/admin/gmail/let-users-delegate-access-to-a-gmail-account)

2. Signed in as a super administrator, read the admin-role assignments in the console as a cross-check against the script's output — a scripted enumeration that silently 404s produces a clean, empty, wrong report. The console's Roles page lists direct assignments only, not roles inherited through group membership, so treat it as a floor on the grant count, not the full surface. — `Account › Admin roles`

   Compare direct-assignment row count to gam print admins; group-inherited role assignments will not appear in the console list

   docs: [View role assignments & privileges](https://knowledge.workspace.google.com/admin/users/view-role-assignments-and-privileges)

3. Send each grant to its named owner for attestation with a default of REVOKE, not a default of KEEP.

   Quarterly cycle; no reply within 10 working days = revoke

4. Execute the revocations and keep the signed sheet — that sheet, not the script, is the audit evidence.

   ```
   gam delete admin <roleAssignmentId> / gam update group <group> remove member <user> / gam user <user> delete token clientid <clientid>
   ```

## Ongoing maintenance

- **[automatable: script]** Quarterly: run the enumeration and send attestation requests.
- **[requires a human]** Quarterly: chase non-responses and execute default-revoke.

## How to verify

1. Check the latest signed attestation sheet is no older than one cycle and its revocations were executed — spot-check one revoked grant is actually gone.

   ```
   gam print admins  # revoked role must be absent
   ```

## Settings screens

- Account > Admin roles (enumerate admin grants and their assignees)
  - console: https://admin.google.com/ac/list/roles
  - screenshot: ../screenshots/admin.google.com/ac/list/roles.png
- Directory > Users (accounts, suspension state, delegates)
  - console: https://admin.google.com/ac/users
  - screenshot: ../screenshots/admin.google.com/ac/users.png
- Directory > Groups (group membership = the other half of the grant surface)
  - console: https://admin.google.com/ac/groups
  - screenshot: ../screenshots/admin.google.com/ac/groups.png
- Security > Access and data control > API controls > Manage App Access (app grants in the same cycle)
  - console: https://admin.google.com/ac/owl/list?tab=configuredApps
  - screenshot: ../screenshots/admin.google.com/ac/owl/list__tab-configuredApps.png
