Haim Raman

Reputation: 12043

Fine-grained permission to the Gmail Service Scope

I am working on a project that under certain circumstances will allow me to delete emails from users' mailboxes in my domain. To identify those emails I would need a search privilege on users' email metadata and the ability to insert those emails back in case an admin decides that the automatic delete was wrong.

Looking at the scopes provided by the API here, it looks like I need the following scopes to identify and undelete an email:

Now when it comes to deleting the message itself I just end up with full permission.

Full access to the account’s mailboxes, including permanent deletion of threads and messages. This scope should only be requested if your application needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes.

I would prefer to limit my scopes as much as possible. As you can see from my use cases I don't have to read the email itself to know I want to delete it.

I was looking at the following link, Customize access to services using access groups, but it doesn't look like it will help in my case.

Can I create more fine-grained permission to the Gmail Service Scope in my case?

Upvotes: 0

Views: 444

Answers (1)

Linda Lawton - DaImTo

Reputation: 117321

The Gmail API supports the following scopes:

You can't create scopes on Google's authentication server; only they can. If you need delete access then you are going to need https://mail.google.com/. You should be aware that that is one of the more sensitive scopes; it's going to cost you to verify an application to use it. It's also going to take time, as it has to be verified through a third-party company. You may want to start early.

Upvotes: 1
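The trade-off discussed in this thread, as an added example that is not code from the question or the answer: a small planner that picks the narrowest set of existing Gmail scopes covering the calls an app intends to make, so the jump to https://mail.google.com/ for permanent delete is visible next to the move-to-Trash alternative. The method-to-scope table is transcribed by hand from Google's Gmail API method reference, and the operation label `messages.list(q)` and the `BREADTH` ranking are assumptions of this example.

```python
from itertools import combinations

P = "https://www.googleapis.com/auth/gmail."
FULL = "https://mail.google.com/"

# Scopes each call accepts (hand-transcribed from the Gmail API method
# reference; re-check against the current documentation before relying on it).
ACCEPTED = {
    "messages.list":    {FULL, P + "modify", P + "readonly", P + "metadata"},
    # The q search parameter is not usable with the gmail.metadata scope.
    "messages.list(q)": {FULL, P + "modify", P + "readonly"},
    "messages.insert":  {FULL, P + "modify", P + "insert"},
    "messages.trash":   {FULL, P + "modify"},
    "messages.untrash": {FULL, P + "modify"},
    "messages.delete":  {FULL},  # permanent delete, bypasses Trash
}

# Assumed breadth ranking (lower = narrower). This is a judgement made for
# this example, not a classification published by Google.
BREADTH = {P + "metadata": 1, P + "insert": 1, P + "readonly": 2,
           P + "modify": 3, FULL: 4}


def least_privilege(methods):
    """Return the scope set that covers every method while minimising
    (broadest scope granted, total breadth); ties break alphabetically."""
    scopes = sorted(BREADTH)
    best = None
    for size in range(1, len(scopes) + 1):
        for combo in combinations(scopes, size):
            if all(ACCEPTED[m] & set(combo) for m in methods):
                cost = (max(BREADTH[s] for s in combo),
                        sum(BREADTH[s] for s in combo), combo)
                if best is None or cost < best:
                    best = cost
    return set(best[2])


if __name__ == "__main__":
    plans = {
        "search + restore + permanent delete":
            ["messages.list(q)", "messages.insert", "messages.delete"],
        "search + trash + untrash":
            ["messages.list(q)", "messages.trash", "messages.untrash"],
        "search + restore only":
            ["messages.list(q)", "messages.insert"],
    }
    for name, methods in plans.items():
        print(f"{name}: {sorted(least_privilege(methods))}")
```

Note that gmail.modify and gmail.readonly still allow reading message bodies, so none of the existing scopes gives the "search and delete without read" combination asked about.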
