Control: 3.1.3.1.1 (L1) Ensure users cannot delegate access to their mailbox
Description
Mail delegation allows the delegate to read, send, and delete messages on the mailbox owner's behalf. For example, a manager can delegate Gmail access to another person in their organization, such as an administrative assistant.
Only administrators should be able to delegate access to a user's mailbox.
Remediation
To configure this setting via the Google Workspace Admin Console:
- Log in to https://admin.google.com as an administrator.
- Select Apps.
- Select Google Workspace.
- Select Gmail.
- Under User Settings - Mail delegation, set Let users delegate access to their mailbox to other users in the domain to unchecked.
- Select Save.
Default Value
Let users delegate access to their mailbox to other users in the domain is unchecked.
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_1_1 --share
SQL
This control uses a named query:
with all_users as (
  select
    primary_email as user_email
  from
    googledirectory_user
),
gmail_settings as (
  select
    u.user_email,
    gs.delegates
  from
    all_users u
    left join googleworkspace_gmail_settings gs on gs.user_email = u.user_email
)
select
  user_email as resource,
  case
    when delegates is null or jsonb_array_length(delegates) = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when delegates is null or jsonb_array_length(delegates) = 0 then 'No mailbox delegation configured for user: ' || user_email || '.'
    else 'Mailbox delegation is enabled for user: ' || user_email || ' with ' || jsonb_array_length(delegates) || ' delegate(s).'
  end as reason
from
  gmail_settings;
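The control query above only reports how many delegates a mailbox has. When it raises an alarm, the next question is who those delegates are and whether the delegation was ever accepted. The following query is an added example, not part of the googleworkspace_compliance mod; it reuses the same Steampipe tables (googledirectory_user and googleworkspace_gmail_settings) and assumes that each element of the delegates JSON array carries the Gmail API delegate fields delegateEmail and verificationStatus (an assumption about the column's shape, not something the control documents).

```sql
-- Added example (not the mod's own query): expand the delegates array so each
-- mailbox/delegate pair becomes one row for triage.
-- Assumption: every element of googleworkspace_gmail_settings.delegates looks
-- like {"delegateEmail": "...", "verificationStatus": "accepted" | "pending" | ...}
with all_users as (
  select
    primary_email as user_email
  from
    googledirectory_user
),
delegations as (
  select
    u.user_email,
    d ->> 'delegateEmail' as delegate_email,
    d ->> 'verificationStatus' as verification_status
  from
    all_users u
    join googleworkspace_gmail_settings gs on gs.user_email = u.user_email
    -- coalesce guards against a null delegates column for users with no settings row
    cross join lateral jsonb_array_elements(coalesce(gs.delegates, '[]'::jsonb)) as d
)
select
  user_email as resource,
  delegate_email,
  verification_status,
  -- the control treats any delegate as an alarm; carry that status through per row
  'alarm' as status,
  'Mailbox ' || user_email || ' is delegated to ' || delegate_email
    || ' (verification status: ' || coalesce(verification_status, 'unknown') || ').' as reason
from
  delegations
order by
  user_email,
  delegate_email;
```

One caveat that applies to the control query itself: it uses a left join and treats a null delegates column as ok, so a user whose Gmail settings could not be read (for example because the service account lacks the Gmail settings scope for that user) is reported as compliant rather than as unknown. If you rely on this control, confirm that googleworkspace_gmail_settings returns a row for every user in googledirectory_user.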