Control: 3.1.3.1.1 (L1) Ensure users cannot delegate access to their mailbox
Description
Mail delegation allows the delegate to read, send, and delete messages on the mailbox owner's behalf. For example, a manager can delegate Gmail access to another person in their organization, such as an administrative assistant.
Only administrators should be able to delegate access to a user's mailboxes.
Remediation
To configure this setting via the Google Workspace Admin Console:
- Log in to https://admin.google.com as an administrator.
- Select Apps.
- Select Google Workspace.
- Select Gmail.
- Under User Settings - Mail delegation, set "Let users delegate access to their mailbox to other users in the domain" to unchecked.
- Select Save.
Default Value
Let users delegate access to their mailbox to other users in the domain is unchecked
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_1_1 --share

SQL
This control uses a named query:
with all_users as (
  select
    primary_email as user_email
  from
    googledirectory_user
),
gmail_settings as (
  select
    u.user_email,
    gs.delegates
  from
    all_users u
    left join googleworkspace_gmail_settings gs on gs.user_email = u.user_email
)
select
  user_email as resource,
  case
    when delegates is null or jsonb_array_length(delegates) = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when delegates is null or jsonb_array_length(delegates) = 0 then 'No mailbox delegation configured for user: ' || user_email || '.'
    else 'Mailbox delegation is enabled for user: ' || user_email || ' with ' || jsonb_array_length(delegates) || ' delegate(s).'
  end as reason
from
  gmail_settings;
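The query above treats three situations as "ok" that are easy to conflate when reading the CASE expression: a user with no Gmail settings row at all (the left join yields NULL), a settings row whose delegates column is NULL, and a settings row whose delegates array is empty. The following is an added Python illustration, not the mod's own code, that reproduces the query's evaluation logic over constructed sample rows so those edge cases can be seen side by side. The delegate object shape (delegateEmail, verificationStatus) is assumed from the Gmail settings API; the account names are made up.

```python
import json
from typing import Optional

# Constructed sample data (not real accounts). One row per directory user,
# plus Gmail settings keyed by user email. Each delegates value is the JSON
# array text that the googleworkspace_gmail_settings table would expose.
DIRECTORY_USERS = [
    {"primary_email": "alice@example.com"},
    {"primary_email": "bob@example.com"},
    {"primary_email": "carol@example.com"},
    {"primary_email": "dave@example.com"},
]

GMAIL_SETTINGS = {
    # alice: delegation configured for one delegate (assumed API object shape)
    "alice@example.com": json.dumps(
        [{"delegateEmail": "assistant@example.com", "verificationStatus": "accepted"}]
    ),
    # bob: settings row exists, delegates array is empty
    "bob@example.com": json.dumps([]),
    # carol: settings row exists but the delegates column is NULL
    "carol@example.com": None,
    # dave: no settings row at all; the left join produces NULL for delegates
}


def evaluate_user(user_email: str, delegates_json: Optional[str]) -> dict:
    """Mirror the control's CASE expression for a single user.

    NULL delegates or an empty JSON array -> 'ok'; any delegate -> 'alarm'.
    """
    delegates = json.loads(delegates_json) if delegates_json is not None else None
    count = len(delegates) if delegates else 0  # jsonb_array_length(delegates)
    if count == 0:
        return {
            "resource": user_email,
            "status": "ok",
            "reason": f"No mailbox delegation configured for user: {user_email}.",
        }
    return {
        "resource": user_email,
        "status": "alarm",
        "reason": f"Mailbox delegation is enabled for user: {user_email} with {count} delegate(s).",
    }


def run_control(users, settings):
    """Left-join directory users to Gmail settings: a missing row yields None."""
    return [
        evaluate_user(u["primary_email"], settings.get(u["primary_email"]))
        for u in users
    ]


if __name__ == "__main__":
    for finding in run_control(DIRECTORY_USERS, GMAIL_SETTINGS):
        print(f'{finding["status"]:5} {finding["resource"]}: {finding["reason"]}')
```

Only alice produces an alarm; bob, carol and dave all evaluate to "ok" even though only bob has an explicit empty delegate list, which is the same behaviour the left join and the `is null` guard give in the SQL.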