App Maker security and permissions
App Maker security is a continuous team effort by many people in your organization. Consider app security from the moment you first turn on App Maker and set up Cloud SQL instances for App Maker apps to use. Ask developers to create and deploy apps that protect user and organization data.
Control access and permissions
As a G Suite admin, you can:
- Control who can use App Maker to develop apps.
- Control who developers can share app project files with.
- Monitor App Maker apps.
- Manage access to Cloud SQL instances.
- Manage OAuth permissions.
Google Cloud Platform (GCP) admins control:
- Who can create and manage Cloud SQL databases.
Admin best practices
- Turn on App Maker only for those people in your organization who are allowed to develop apps.
- Periodically evaluate permissions for App Maker and Cloud SQL and update them.
- Review your organization's apps and contact the owner if an app seems unused or problematic.
- Ask developers to build apps that follow security best practices.
- Ask app users to follow app user security best practices.
- Create a separate GCP project and Cloud SQL instance for each production app deployment. This approach lets you control access and review billing for each app.
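One way to carry out the periodic Cloud SQL permission review from the list above, as an added example (not part of the original page or of Google's tooling): the Python below reads a project IAM policy in the JSON form printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and lists Cloud SQL-capable role bindings held by accounts outside your domain or by deleted accounts. The function names, the sample policy and the example.com domain are assumptions made for illustration.

```python
import json

# Basic roles owner/editor are included because they also carry Cloud SQL
# administration permissions; the predefined Cloud SQL roles share one prefix.
BASIC_ROLES = {"roles/owner", "roles/editor"}
SQL_ROLE_PREFIX = "roles/cloudsql."

def classify_member(member, org_domain):
    """Return why a member needs review, or None if it looks in-policy."""
    if member.startswith("deleted:"):
        return "deleted account still bound"
    kind, _, ident = member.partition(":")
    if kind in ("user", "group") and not ident.lower().endswith("@" + org_domain):
        return "outside " + org_domain
    if kind == "domain" and ident.lower() != org_domain:
        return "outside " + org_domain
    return None  # service accounts and in-domain principals are not flagged

def review_cloudsql_bindings(policy, org_domain):
    """List (role, member, reason) for Cloud SQL-capable bindings to review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES and not role.startswith(SQL_ROLE_PREFIX):
            continue  # role cannot manage or connect to Cloud SQL
        for member in binding.get("members", []):
            reason = classify_member(member, org_domain)
            if reason:
                findings.append((role, member, reason))
    return sorted(findings)

# Constructed sample policy for one app's project (hypothetical names).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudsql.admin",
   "members": ["user:dba@example.com", "user:contractor@partner.example.net"]},
  {"role": "roles/cloudsql.client",
   "members": ["serviceAccount:app@sample-project.iam.gserviceaccount.com",
               "deleted:user:former@example.com?uid=123456789"]},
  {"role": "roles/editor",
   "members": ["group:devs@example.com", "user:freelancer@gmail.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["user:auditor@partner.example.net"]}
]}
""")

if __name__ == "__main__":
    for role, member, reason in review_cloudsql_bindings(SAMPLE_POLICY, "example.com"):
        print(f"{role:22} {member:48} {reason}")
```

Run it once per production project, since each app deployment has its own project and Cloud SQL instance under the practice above.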
Control Drive sharing settings
App Maker project files are stored in the app owner's Drive. You can control how users share Drive files in your organization. From the Admin console, go to Apps > Drive & Docs.
Learn more about how to set file-sharing permissions.
Allow apps to skip user permission prompts
When a user first opens an App Maker app that might use their data, they must give the app permission in an OAuth prompt. You can whitelist App Maker apps so they don't request user permission to access user data.
When a user grants an app permission to their Google data, App Maker enforces the sharing settings on that data. For example, when a user grants an app permission to access their Drive files, other users can't access those files through the app unless the file owner shared those files.
Advanced OAuth permission management
You can control the permissions that App Maker apps can request from users in your organization.
- From the Admin console, go to Security > Settings > API Permissions.
- Review the following settings:
  - Apps Script runtime: Select Enable to allow App Maker apps, add-ons, and Apps Script projects to request OAuth 2.0 scopes specific to the Apps Script environment. This setting applies to apps and scripts from inside and outside your organization. It doesn't apply to Apps Script projects that don't request scopes. It also doesn't apply to Apps Script projects that request scopes only in Google products.
  - Apps Script API: Select Enable to allow OAuth 2.0 clients to use the Apps Script API to manage projects.
  - Trust domain owned apps: Uncheck the box to allow whitelisted apps to skip authentication requests.