Google Directory Application Scope

The Application scope must be defined in the Google Directory OAuth2 Account to allow access to the correct Google APIs. By default, it is set to the following scopes, which allow one account to handle all API calls for the user, orgunit, and group APIs:

  • https://www.googleapis.com/auth/admin.directory.user

  • https://www.googleapis.com/auth/admin.directory.orgunit

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/admin.directory.user.alias

If you wish to restrict access to certain APIs, you may do so by modifying this property. The following table lists which scope is required for each supported API call. To supply more than one scope at a time in the Application scope field, separate them with a space.

API Call             Application Scope
-------------------  -------------------------------------------------------
Read users           One of the following:
Read user photo      One of the following:
Read groups          One of the following:
Read orgunit         One of the following:
Insert user          https://www.googleapis.com/auth/admin.directory.user
Insert group         https://www.googleapis.com/auth/admin.directory.group
Insert orgunit       https://www.googleapis.com/auth/admin.directory.orgunit
Update user          https://www.googleapis.com/auth/admin.directory.user
Patch user           https://www.googleapis.com/auth/admin.directory.user
Update user photo    https://www.googleapis.com/auth/admin.directory.user
Patch user photo     https://www.googleapis.com/auth/admin.directory.user
Update group         https://www.googleapis.com/auth/admin.directory.group
Patch group          https://www.googleapis.com/auth/admin.directory.group
Update orgunit       https://www.googleapis.com/auth/admin.directory.orgunit
Patch orgunit        https://www.googleapis.com/auth/admin.directory.orgunit
Delete user          https://www.googleapis.com/auth/admin.directory.user
Delete user photo    https://www.googleapis.com/auth/admin.directory.user
Delete group         https://www.googleapis.com/auth/admin.directory.group
Delete orgunit       https://www.googleapis.com/auth/admin.directory.orgunit
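
To restrict the account to least privilege, the Application scope value can be checked against the calls an integration actually makes. The Python below is an added example, not part of the product or its documentation; the function name `audit` and the sample call lists are assumptions, and only the insert, update, patch, and delete rows are encoded because this page does not list the alternatives for the read calls.

```python
# Added example: audit an Application scope value against the API calls in use.
BASE = "https://www.googleapis.com/auth/admin.directory."

# Default Application scope value from this page (space-separated).
DEFAULT = " ".join(BASE + s for s in ("user", "orgunit", "group", "user.alias"))

# Write calls and the single scope the table gives for each one.
REQUIRED = {f"{verb} {res}": BASE + res
            for verb in ("insert", "update", "patch", "delete")
            for res in ("user", "group", "orgunit")}
# User photo calls use the user scope; the table has no "Insert user photo" row.
REQUIRED.update({f"{verb} user photo": BASE + "user"
                 for verb in ("update", "patch", "delete")})


def audit(configured, calls):
    """Compare a configured scope string with the scopes the given calls need.

    missing    -> scopes the calls need that are not granted (calls would fail)
    excess     -> granted scopes that none of the resolved calls need
    unresolved -> calls with no single scope in the table (for example reads);
                  review these by hand before removing anything in "excess"
    minimal    -> space-separated value covering the resolved calls only
    """
    granted = set(configured.split())
    needed, unresolved = set(), []
    for call in calls:
        scope = REQUIRED.get(" ".join(call.lower().split()))
        if scope is None:
            unresolved.append(call)
        else:
            needed.add(scope)
    return {
        "missing": sorted(needed - granted),
        "excess": sorted(granted - needed),
        "unresolved": unresolved,
        "minimal": " ".join(sorted(needed)),
    }


if __name__ == "__main__":
    # Constructed sample: an integration that only provisions users.
    for key, value in audit(DEFAULT, ["Insert user", "Patch user photo", "Read users"]).items():
        print(f"{key}: {value}")
```

An empty `missing` list with a non-empty `excess` list indicates the account holds more access than the resolved calls require; confirm the `unresolved` calls against the read rows before narrowing the field.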
