← All controls

41 Periodic access recertification

A quarterly cycle in which every grant class — admin roles, group memberships, shared-drive membership, OAuth grants, mailbox delegates — is enumerated into one attestation sheet, sent to its named owner, and revoked unless the owner re-affirms it. The default on no reply is revoke. The signed sheet, not the enumeration script, is the audit evidence.

Caveats

Setup steps

  1. gam print admins
    gam print group-members
    gam print shareddrives
    gam all users print tokens
    gam all users print delegates

    Control which apps access Google Workspace data ↗ Let users delegate access to a Gmail account ↗

  2. open ↗ Account › Admin roles

    Compare direct-assignment row count to gam print admins; group-inherited role assignments will not appear in the console list

    View role assignments & privileges ↗

  3. open ↗
    Admin console screen — Directory > Groups (group membership = the other half of the grant surface)

    https://admin.google.com/ac/groups · captured 2026-07-15

    Quarterly cycle; no reply within 10 working days = revoke

  4. open ↗
    gam delete admin <roleAssignmentId> / gam update group <group> remove member <user> / gam user <user> delete token clientid <clientid>

Ongoing maintenance

How to verify

  1. Check the latest signed attestation sheet is no older than one cycle and its revocations were executed — spot-check one revoked grant is actually gone.

    gam print admins  # revoked role must be absent

Further screens

Screen 1 of 1: Directory > Users (accounts, suspension state, delegates)

open ↗
Admin console screen — Directory > Users (accounts, suspension state, delegates)
https://admin.google.com/ac/users captured 2026-07-15

v0.1.3Assure policy #29 · #28, #12 ↗